HA-Proxy and ACL for http-request deny

Running ha-proxy 1.6.

Can someone please tell me why the ACL and http-request deny is not working?

I've tried mode http, mode tcp, end slash, no slash in path, a path_end, different network masks, one single ip, etc. I can't get it working. There is just no access control. I can reach the directory and files from anywhere.

global
  pidfile /var/run/haproxy.pid
  daemon

defaults
  mode tcp
  retries 5
  option redispatch
  option dontlognull
  option tcp-smart-accept
  option tcp-smart-connect


listen front-end
  bind xxx.xxx.xxx.xx1:80
  bind xxx.xxx.xxx.xx2:80
  mode http
  balance roundrobin
  option forceclose
  option http-server-close
  option forwardfor
  maxconn 2000
  timeout http-request 15s
  timeout connect 15s
  timeout server 60s
  timeout client 30s
  timeout http-keep-alive 15s
  acl network_allowed src xxx.xxx.xxx.xx5
  acl inside path_beg,url_dec -i /path/to/directory/
  http-request deny if inside !network_allowed 


  server 1 xxx.xxx.xxx.xx1:80 weight 10 SERVER1 check
  server 2 xxx.xxx.xxx.xx2:80 weight 10 SERVER2 check
  server 3 xxx.xxx.xxx.xx3:80 weight 15 SERVER3 check

Solution 1:

Try adding -m beg:

acl inside path_beg,url_dec -m beg -i /path/to/directory/

Also, what you are trying to achieve?
As I can see and verify your on my server: right now from src xxx.xxx.xxx.xx5 you have access to everything while from other addresses you'll get 403 for /path/to/directory:

curl http://example.com/path/to/directory/
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

But if you add OR to your http-request deny:

http-request deny if inside OR !network_allowed

then you will get 403 from all addresses except src xxx.xxx.xxx.xx5 and from this address you will get 403 for /path/to/directory
Which behaviour is right?