Peter Drobek

Reputation: 61

haproxy tcp-request content reject unless Layer 7

I'm trying to configure HAProxy to reject HTTP requests on Layer 4 unless the URL path the requests use starts with a configured prefix.

It works fine on Layer 7 but I cannot get it work on Layer 4.

I've tried quite a few combinations and couldn't get anything to work. Please find below the smallest example of what I would expect to work:

The thing is, requests are always rejected, no matter the prefix.

The way I understand the documentation, if no ACL matches, the default course of action is to allow the request.

Hence it would seem that:

But I'm not really sure, could you please help me out with it?

Thank you!

************************************************************

defaults
    timeout connect 3000
    timeout client  3000
    timeout server  3000

backend bck_static1
    mode http
    server server1 example.com:80 check inter 2s rise 2 fall 2

frontend front_static1

    mode http
    default_backend bck_static1

    acl required_prefix path_beg /hello
    tcp-request content reject unless required_prefix

    option forwardfor
    option httpclose

    bind 0.0.0.0:22334

************************************************************

HA-Proxy version 1.4.24 2013/06/17
HA-Proxy version 1.5.12 2015/05/02

************************************************************

$ haproxy -d -V -f haproxy1.conf
Available polling systems :
     sepoll : pref=400,  test result OK
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 4 (3 usable), will use sepoll.
Using sepoll() as the polling mechanism.


00000000:front_static1.accept(0004)=0005 from [127.0.0.1:53110]
00000000:front_static1.clicls[0005:ffff]
00000000:front_static1.closed[0005:ffff]


00000001:front_static1.accept(0004)=0005 from [127.0.0.1:53112]
00000001:front_static1.clicls[0005:ffff]
00000001:front_static1.closed[0005:ffff]

^C
$ 

************************************************************

$ curl -v 127.0.0.1:22334/abc
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 22334 (#0)
> GET /abc HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 127.0.0.1:22334
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server

************************************************************

$ curl -v localhost:22334/hello
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 22334 (#0)
> GET /hello HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:22334
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
$ 

************************************************************

Upvotes: 3

Views: 4706

Answers (1)

Peter Drobek

Reputation: 61

FYI - it was answered on the HAProxy mailing list.

http://comments.gmane.org/gmane.comp.web.haproxy/21962

One needs to add tcp-request inspect-delay so that HAProxy has a chance to inspect the incoming request at all.

Setting tcp-request inspect-delay 10s did the trick nicely.

Upvotes: 3
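The fix from the answer applied to the question's frontend, as an added example (this is not the asker's posted config), with comments on what the delay changes; the commented-out http-request line is an added alternative for the same check done at Layer 7 instead of Layer 4.

```haproxy
# Added example (not from the original post): the frontend from the question
# with the missing inspect delay. Without "tcp-request inspect-delay", HAProxy
# applies a verdict immediately on whatever data is available, which at accept
# time is nothing: path_beg has no request to match, the "unless" condition is
# false, and every connection is rejected regardless of the path.
frontend front_static1
    bind 0.0.0.0:22334
    mode http
    default_backend bck_static1

    # Buffer client data for up to 10s so the request line can be parsed
    # before the content rules below are evaluated. The rules are re-run
    # as data arrives; at expiry a last check treats the contents as final,
    # so a client that never sends a parsable request is rejected then.
    tcp-request inspect-delay 10s

    acl required_prefix path_beg /hello

    # Layer 4 reject: the TCP connection is closed with no HTTP response,
    # which is what curl reports as "(52) Empty reply from server".
    tcp-request content reject unless required_prefix

    # Alternative if the client should get an HTTP error (403 by default)
    # instead of a dropped connection, i.e. a Layer 7 deny:
    # http-request deny unless required_prefix

    option forwardfor
    option httpclose
```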
