acl re-using in another acl ?

Posted by Guillaume Demillecamps 
Guillaume Demillecamps
acl re-using in another acl ?
April 03, 2012 10:50AM
Hello all,


I am starting to hit some limitations in haproxy's configuration options !
I have decided to use this product to sit in front of a cloud
environment hosting several websites as I have used it many times for
several years and have always found it very, very efficient.

At the moment I have over 20 hosted websites (many more might come
in). So basically, at least as many ACLs for this (and actually many,
many more). I do NOT want a default_backend. On the contrary, I need
(security reasons) to block access except if the user comes with the
correct http header (virtual hosting). I also have to grant access to
the site to a restricted list of IPs (developer agencies) before an
official go-live is set up for specific sites, or for some admin areas
of those websites.
So, in other words, I have one HUGE line which is a :
block unless is_website_01 || is_website02 || is_website_02 ||
is_allowed_agency_01 || is_allowed_agency_02 ...
Then follow the use_backend website_01 if is_website_01 (and
potentially also if_allowed_agency_01)

And... I have faced a limit of over 2047 characters in one line, now !

I tried to rewrite the ACL's list in this way :
acl is_website_01 www.website01.com (already existing)
acl is_website_02 www.website02.com (already existing)
acl is_all_allowed_websites is_website_01
acl is_all_allowed_websites is_website_02
acl is_allowed_agency_01 x.x.x.x (already existing)
acl is_allowed_agency_02 y.y.y.y (already existing)
acl is_all_allowed_agencies is_allowed_agency_01
acl is_all_allowed_agencies is_allowed_agency_02
block unless is_all_allowed_websites || is_all_allowed_agencies

But apparently this approach is not possible in haproxy ?

That leaves me with the only option of re-writing all ACL's twice, then...
acl is_website_01 www.website01.com (already existing)
acl is_website_02 www.website02.com (already existing)
acl is_all_allowed_websites www.website01.com
acl is_all_allowed_websites www.website02.com
acl is_allowed_agency_01 x.x.x.x (already existing)
acl is_allowed_agency_02 y.y.y.y (already existing)
acl is_all_allowed_agencies x.x.x.x
acl is_all_allowed_agencies y.y.y.y
block unless is_all_allowed_websites || is_all_allowed_agencies

Is there no way to make the preferred option, re-using ACLs inside
another ACL, possible ?

Many thanks !!


Guillaume Demillecamps
David Birdsong
Re: acl re-using in another acl ?
April 03, 2012 08:20PM
On Tue, Apr 3, 2012 at 1:42 AM, Guillaume Demillecamps <
[email protected]> wrote:

> Hello all,
>
>
> I am starting to hit some limitations in haproxy's configuration options !
> I have decided to use this product to sit in front of a cloud environment
> hosting several websites as I have used it many times for several years and
> have always found it very, very efficient.
>
> At the moment I have over 20 hosted websites (many more might come in). So
> basically, at least as many ACLs for this (and actually many, many more).
> I do NOT want a default_backend. On the contrary, I need (security reasons)
> to block access except if the user comes with the correct http header
> (virtual hosting). I also have to grant access to the site


Forgive me if I've not comprehended your requirements correctly, but could
you simplify your config by adding a default_backend that hosts all of the
non-authorized requests? This way the default_backend is a trash bucket
that hosts all the junk that your ACLs haven't found a proper backend for
based on host header or src ip.

That backend could even be another haproxy frontend which simply blocks
everything coming in.


> to a restricted list of IPs (developer agencies) before an official
> go-live is set up for specific sites, or for some admin areas of those
> websites.
> So, in other words, I have one HUGE line which is a :
> block unless is_website_01 || is_website02 || is_website_02 ||
> is_allowed_agency_01 || is_allowed_agency_02 ...
> Then follow the use_backend website_01 if is_website_01 (and potentially
> also if_allowed_agency_01)
>
> And... I have faced a limit of over 2047 characters in one line, now !
>
> I tried to rewrite the ACL's list in this way :
> acl is_website_01 www.website01.com (already existing)
> acl is_website_02 www.website02.com (already existing)
> acl is_all_allowed_websites is_website_01
> acl is_all_allowed_websites is_website_02
> acl is_allowed_agency_01 x.x.x.x (already existing)
> acl is_allowed_agency_02 y.y.y.y (already existing)
> acl is_all_allowed_agencies is_allowed_agency_01
> acl is_all_allowed_agencies is_allowed_agency_02
> block unless is_all_allowed_websites || is_all_allowed_agencies
>
> But apparently this approach is not possible in haproxy ?
>
> That leaves me with the only option of re-writing all ACL's twice, then...
> acl is_website_01 www.website01.com (already existing)
> acl is_website_02 www.website02.com (already existing)
> acl is_all_allowed_websites www.website01.com
> acl is_all_allowed_websites www.website02.com
> acl is_allowed_agency_01 x.x.x.x (already existing)
> acl is_allowed_agency_02 y.y.y.y (already existing)
> acl is_all_allowed_agencies x.x.x.x
> acl is_all_allowed_agencies y.y.y.y
> block unless is_all_allowed_websites || is_all_allowed_agencies
>
> Is there no way to make the preferred option, re-using ACLs inside
> another ACL, possible ?
>
> Many thanks !!
>
>
> Guillaume Demillecamps
>
>
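As an added example (not config from either poster), here is one way to get both the deny-by-default frontend Guillaume describes and the "trash bucket" default_backend David suggests without the 2047-character line: the aggregate ACLs read their patterns from files with `-f`, and `http-request deny` (HAProxy 1.4 or later) replaces `block`. File paths, addresses and backend names are assumptions.

```haproxy
# Added example: deny-by-default virtual hosting with file-backed ACLs.
frontend public
    bind *:80
    mode http

    # Per-site ACLs kept for routing. An acl name may be declared on
    # several lines; the patterns of all its lines are OR'ed together.
    acl is_website_01 hdr(host) -i www.website01.com
    acl is_website_02 hdr(host) -i www.website02.com
    acl is_allowed_agency_01 src 192.0.2.10
    acl is_allowed_agency_02 src 198.51.100.0/24

    # Aggregate ACLs load their patterns from a file, one per line,
    # so the list can grow past any single-line limit.
    # allowed_hosts.lst: every published Host header (assumed path)
    # agencies.lst: developer agency addresses/networks (assumed path)
    acl is_all_allowed_websites hdr(host) -i -f /etc/haproxy/allowed_hosts.lst
    acl is_all_allowed_agencies src -f /etc/haproxy/agencies.lst

    # Deny by default: only a known Host or a listed source gets through.
    # This is the thread's "block unless a || b" on one short line.
    http-request deny unless is_all_allowed_websites or is_all_allowed_agencies

    # Routing as before; a site not yet live is reachable only from its agency.
    use_backend website_01 if is_website_01
    use_backend website_02 if is_website_02 is_allowed_agency_02

    # Requests that passed the deny rule but matched no use_backend
    # (e.g. an agency IP sending an unknown Host) land here, not on a real site.
    default_backend reject

backend reject
    mode http
    http-request deny
```

Note that `hdr(host)` compares the whole header value, so a client sending `Host: www.website01.com:8080` is denied unless that form is also listed; for a deny-by-default rule that is the safe direction, and it is why the pattern file rather than a prefix match is used here.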