Haproxy: reject traffic by user agent from file

http-headers access-control-list blocking haproxy useragent

This question is old, but in case someone else runs into this problem:

Your problem comes from the fact that tcp-request content runs before HAProxy has had time to receive/read any layer 7 data.

How to fix this?

Easy: add a tcp-request inspect-delay:

listen http 0.0.0.0:80
    tcp-request inspect delay 15s

    acl abuser hdr_sub(user-agent) -f /etc/haproxy/abuser.lst
    tcp-request content reject if abuser
    mode http
    server www1 127.0.0.1:8080 maxconn 10000

Here's the important bit about this from the HAProxy documentation:

Note that when performing content inspection, haproxy will evaluate the whole rules for every new chunk which gets in, taking into account the fact that those data are partial. If no rule matches before the aforementioned delay, a last check is performed upon expiration, this time considering that the contents are definitive. If no delay is set, haproxy will not wait at all and will immediately apply a verdict based on the available information. Obviously this is unlikely to be very useful and might even be racy, so such setups are not recommended.

Related

How do I use SSL with Amazon S3 CNAME masked buckets?
How to fix Image Swapping Issue in iOS 8 with keep-alive + HTTP Pipe-lining?
AWS DynamoDB Cost efficiency
Job control: How to kill a sudo job using the job id
How to include multiple spf domains with different mechanisms in a single spf TXT Record [duplicate]
Detecting Kubernetes OOMKilled Events in GKE Logs
Does Nginx compress files for every request? (with gzip_on)
DRBD Proxy / WAN experiences
Stop external USB keyboard repeating key presses on Vista
ext3 fsck time versus partition size
RSA or DSA: What's the definitive answer when generating SSH key pairs? [duplicate]
Books or Webpages on the Windows Philosophy