HAProxy ACL multiple OR conditions
Using Haproxy 1.5.12 running on Ubuntu 12.04
I need to restrict access to my website to requests either coming from certain IPs or having a defined parameter in the request.
So for example the following request should work only from authorized IPs:
http://www-test.example.com/page.php
And this request should be fulfilled from any IP (including allowed ones):
http://www-test.example.com/page.php?devtool=1
My ACLs are:
acl is_test hdr(host) -m sub test
acl is_allowed src -f /etc/haproxy/allowed_ips
acl is_devtool urlp(devtool) 1
acl is_devtool hdr_sub(Referer) devtool=1
and they work fine if used exclusively:
http-request deny if is_test ! is_allowed
or
http-request deny if is_test ! is_devtool
But if I combine them with an OR I'm unable to access the URL from an allowed IP (inverting the tests doesn't help):
http-request deny if is_test ! is_allowed || is_test ! is_devtool
Any idea how to do this?
Thanks
Solution 1:
The test you appear to be wanting to impose is this:
A && !(B || C)
...but that is not logically equivalent to what you've written, which is essentially this...
(A && !B) || (A && !C)
The logical equivalent of A && !(B || C) without using parentheses for precedence is actually this:
A && !B && !C
So what you're looking for should be this:
http-request deny if is_test !is_allowed !is_devtool
Or, to restate it: deny the request if --
- it matches
is_test, and - it doesn't match
is_allowed, and - it doesn't match
is_devtool
As long as any one of these condtions is false (isn't test, is allowed, is devtool) your rule doesn't match, and doesn't deny the request.