Question: HAProxy frontend rule matching order


Added at 2017-11-07 19:11

I have an HAProxy configuration as follows (HAProxy 1.7). We want to catch all OPTIONS requests and respond directly to them instead of routing the requests to backends (which have basic auth enabled).

This was working fine when we developed it but now it seems to not be matching the rules in order (not sure what we have/haven't done which has caused this):

  log local1
  tune.ssl.default-dh-param 2048
  lua-load /etc/haproxy/cors.lua
  stats socket /var/run/haproxy.sock mode 400

  # Default certificate and key directories
  ca-base /etc/ssl/private
  crt-base /etc/ssl/private

# User lists used to enforce HTTP Basic Authentication
userlist ul_100123-2ovt9rsu
  user app1 password $6$lCjf6VnWhI$kcjmpWdV.odeYf4psUhcVKs49ZtPk3MDhg5wtLNUx658A3EWdDHJQqs9xCD1d.7zG05M2nwOxdkC6o/MSpifv0
userlist ul_100123-9uvsclqr
  user app1 password $6$DlcLoDMMu$wDm3O0W1eiQuk8gI.GmpzI1.jbBf.UYQ.KM73nHa1tGZJNfzkDpVnLUhh7v7C9yPHB1oo0cRrFnfOdeyAf/eU1     

# Front-end for public services which have SSL termination at the router.

frontend term
  bind *:443 accept-proxy ssl no-sslv3 crt router/fred-external.pem crt router/fred-external.ace.pem crt router
  reqadd X-Forwarded-Proto:\ https
  rspidel ^(Server|X-Powered-By):
  option forwardfor
  mode http
  http-request use-service lua.cors-response if METH_OPTIONS { req.hdr(origin) -m found }
  acl host_match_100123-2ovt9rsu ssl_fc_sni -i
  use_backend b_term_100123-2ovt9rsu if host_match_100123-2ovt9rsu

• If I curl -X OPTIONS to it matches the 2nd rule and forwards me to the b_term_100123-2ovt9rsu backend which then fails as I haven't provided auth creds.
• If I curl -X OPTIONS to it matches the first http-request and responds with the cors response as expected.

Why does the not match the first http-request rule and then return the cors-response?

In the logs we can see

Nov  7 18:24:09 localhost haproxy[37302]: [07/Nov/2017:18:24:09.807] term~ b_term_100123-2ovt9rsu/<lua.cors-response> -1/-1/-1/-1/73 401 249 - - PR-- 0/0/0/0/3 0/0 "OPTIONS / HTTP/1.1"

when the request gets forwarded to the backend

Answer #1
Added at 2017-11-08 07:11

http-request gets executed before use_backend. The config looks good to me. Have you set the origin header when you curl?
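
A simplified model of the evaluation order this answer describes, added here as an illustration (it is not code from the post or from HAProxy): it parses the conditions of the two routing lines in the question and reports which one handles a given request. The SNI value and the sample requests are constructed, because the hostname is missing from the page.

```python
import re

# The two routing lines from the question's frontend, copied as posted.
HTTP_REQUEST_RULE = ("http-request use-service lua.cors-response "
                     "if METH_OPTIONS { req.hdr(origin) -m found }")
USE_BACKEND_RULE = "use_backend b_term_100123-2ovt9rsu if host_match_100123-2ovt9rsu"
# Constructed value: the hostname after "ssl_fc_sni -i" is missing on the page.
EXAMPLE_SNI = "app.example.test"

def parse_condition(rule):
    """Return the ACL terms after ' if ': named ACLs and { anonymous } ACLs."""
    cond = rule.split(" if ", 1)[1]
    return [m.group(1) or m.group(2)
            for m in re.finditer(r"\{\s*(.+?)\s*\}|(\S+)", cond)]

def term_matches(term, req):
    if term == "METH_OPTIONS":                # predefined ACL: method is OPTIONS
        return req["method"] == "OPTIONS"
    if term == "req.hdr(origin) -m found":    # true only if the header is present
        return any(name.lower() == "origin" for name in req["headers"])
    if term == "host_match_100123-2ovt9rsu":  # acl ... ssl_fc_sni -i <hostname>
        return req["sni"].lower() == EXAMPLE_SNI
    raise ValueError("term not modelled: " + term)

def route(req):
    """Terms in one condition are ANDed; http-request runs before use_backend."""
    if all(term_matches(t, req) for t in parse_condition(HTTP_REQUEST_RULE)):
        return "lua.cors-response"            # answered by HAProxy, no backend
    if all(term_matches(t, req) for t in parse_condition(USE_BACKEND_RULE)):
        return "b_term_100123-2ovt9rsu"       # backend with basic auth
    return None                               # no rule matched in this model

# Constructed requests. A bare `curl -X OPTIONS` sends no Origin header;
# it has to be added explicitly, e.g. with -H "Origin: ...".
REQUESTS = {
    "OPTIONS with Origin": {"method": "OPTIONS", "sni": EXAMPLE_SNI,
                            "headers": {"Origin": "https://ui.example.test"}},
    "OPTIONS without Origin": {"method": "OPTIONS", "sni": EXAMPLE_SNI,
                               "headers": {}},
    "GET with Origin": {"method": "GET", "sni": EXAMPLE_SNI,
                        "headers": {"origin": "https://ui.example.test"}},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:24} -> {route(req)}")
```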
