Haproxy: reject traffic by user agent from file
This question is old, but in case someone else runs into this problem:
Your problem comes from the fact that tcp-request content
runs before HAProxy has had time to receive/read any layer 7 data.
How to fix this?
Easy: add a tcp-request inspect-delay:
listen http 0.0.0.0:80
tcp-request inspect-delay 15s
acl abuser hdr_sub(user-agent) -f /etc/haproxy/abuser.lst
tcp-request content reject if abuser
mode http
server www1 127.0.0.1:8080 maxconn 10000
Here's the important bit about this from the HAProxy documentation:
Note that when performing content inspection, haproxy will evaluate the whole rules for every new chunk which gets in, taking into account the fact that those data are partial. If no rule matches before the aforementioned delay, a last check is performed upon expiration, this time considering that the contents are definitive. If no delay is set, haproxy will not wait at all and will immediately apply a verdict based on the available information. Obviously this is unlikely to be very useful and might even be racy, so such setups are not recommended.
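As an added example, not part of the original answer: a complete configuration built around the same rule, showing where the inspect-delay belongs, the format of the pattern file, and the layer-7 `http-request deny` alternative. Section names, the `defaults` timeouts, the `check` option and the `-i` flag are assumptions, not something the original poster used.

```haproxy
# Added example (not from the original answer): a complete HAProxy
# configuration around the fix above. Section names, ports and timeouts
# are assumptions; adjust them to your deployment.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind 0.0.0.0:80

    # Without this line, "tcp-request content" rules are evaluated as soon
    # as the connection is accepted, on an empty buffer, so hdr_sub never
    # matches. With it, the rules run on each chunk that arrives and one
    # final time when the delay expires.
    tcp-request inspect-delay 15s

    # /etc/haproxy/abuser.lst holds one User-Agent substring per line;
    # empty lines and lines starting with '#' are ignored by HAProxy.
    # -i makes the substring match case-insensitive.
    acl abuser hdr_sub(user-agent) -i -f /etc/haproxy/abuser.lst

    # Drop the connection before it reaches the backend.
    tcp-request content reject if abuser

    # Layer-7 alternative in mode http: answer 403 instead of resetting
    # the TCP connection. It runs after the request headers are fully
    # parsed, so it does not depend on the inspect-delay above.
    # http-request deny if abuser

    default_backend be_www

backend be_www
    server www1 127.0.0.1:8080 maxconn 10000 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing to confirm the file parses before reloading.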