HAProxy ACL multiple OR conditions

Using Haproxy 1.5.12 running on Ubuntu 12.04

I need to restrict access to my website to requests either coming from certain IPs or having a defined parameter in the request.

So for example the following request should work only from authorized IPs:

http://www-test.example.com/page.php

And this request should be fulfilled from any IP (including allowed ones):

http://www-test.example.com/page.php?devtool=1

My ACLs are:

acl is_test hdr(host) -m sub test
acl is_allowed src -f /etc/haproxy/allowed_ips
acl is_devtool urlp(devtool) 1
acl is_devtool hdr_sub(Referer) devtool=1

and they work fine if used exclusively:

http-request deny if is_test ! is_allowed

or

http-request deny if is_test ! is_devtool

But if I combine them with an OR I'm unable to access the URL from an allowed IP (inverting the tests doesn't help):

http-request deny if is_test ! is_allowed || is_test ! is_devtool

Any idea how to do this?

Thanks


Solution 1:

The test you appear to be wanting to impose is this:

A && !(B || C)

...but that is not logically equivalent to what you've written, which is essentially this...

(A && !B) || (A && !C)

The logical equivalent of A && !(B || C) without using parentheses for precedence is actually this:

A && !B && !C

So what you're looking for should be this:

http-request deny if is_test !is_allowed !is_devtool

Or, to restate it: deny the request if --

  • it matches is_test, and
  • it doesn't match is_allowed, and
  • it doesn't match is_devtool

As long as any one of these condtions is false (isn't test, is allowed, is devtool) your rule doesn't match, and doesn't deny the request.