1. HAProxy ACL description
2. HAProxy dynamic and static separation

1. HAProxy ACL description
1.1. ACL function
Access control lists (ACLs) provide a flexible way to do content switching: decisions are made on content extracted from the request, from the response, or from any other state of the environment.
In other words, an ACL lets HAProxy inspect the content of a request and take a corresponding action.
1.2. ACL syntax
acl <aclname> <criterion> [flags] [operator] [<value>] ...
<aclname>: the ACL name; it is free-form, but choose a name that describes what the ACL matches.
<criterion>: the test criterion, i.e. the sample (fetch) to be tested.
[flags]:
-i : ignore case during all subsequent pattern matches.
-f : load patterns from a file.
-m : use a specific pattern matching method.
-n : forbid DNS resolution.
-M : load the file pointed to by -f like a map file.
-u : force the unique ID of the ACL.
-- : force end of flags. Useful when a string looks like a flag.
Logical operators for combining ACLs in a condition:
and (implicit between ACL names written on the same line)
or (also written as ||)
! (negation)
For example:
acl missing_cl hdr_cnt(Content-length) eq 0
block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
block if METH_GET HTTP_CONTENT
block unless METH_GET or METH_POST or METH_OPTIONS
1.3. Enough talk, look at the example
acl valid_method method GET HEAD              # define an ACL named valid_method matching the GET and HEAD methods
http-request deny if ! valid_method           # deny the request if its method is not one of the methods above
acl clear dst_port 80                         # define an ACL named clear: destination port is 80
acl secure dst_port 8080                      # define an ACL named secure: destination port is 8080
acl login_page url_beg /login                 # define an ACL named login_page: URL begins with /login
acl logout url_beg /logout                    # define an ACL named logout: URL begins with /logout
acl uid_given url_reg /login\?userid=[^&]+    # define an ACL named uid_given: URL matches the regex (the ? is escaped so it matches a literal question mark)
acl cookie_set hdr_sub(Cookie) SEEN=1         # define an ACL named cookie_set: the Cookie header contains the substring SEEN=1
redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set    # rewrite the scheme and host: e.g. http://mysite.com/login/us? becomes https://mysite.com/login/us?, the rest of the URL is unchanged; if the cookie is not yet set, set the cookie the ACL tests for
redirect prefix https://mysite.com if login_page !secure               # if the login page is requested and the destination port is not 8080, redirect the scheme and host to https://mysite.com
redirect prefix http://mysite.com drop-query if login_page !uid_given  # if the login page is requested without a userid, redirect to http://mysite.com and drop the query string
redirect location http://mysite.com/ if !login_page secure             # if a page other than the login page is requested on port 8080, redirect to http://mysite.com/
redirect location / clear-cookie USERID= if logout                     # on logout, redirect to / and clear the USERID cookie
acl being_scanned be_sess_rate gt 100         # define an ACL named being_scanned: the backend session creation rate is above 100 per second
redirect location /denied.html if being_scanned                        # if the condition above holds, redirect the request to /denied.html
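The following is an added example, not code from the original post or from HAProxy itself: a small Python model of how the ACL names and the and / or / ! operators from section 1.2, and the ordered deny and redirect rules from section 1.3, are evaluated against a request. The Request class, the predicate helpers, and the sample requests are constructed for illustration; the uid_given regex is written with the ? escaped so that it matches a literal question mark.

```python
"""Added example, not code from the original post or from HAProxy: a small
Python model of how the ACL names, the and / or / ! operators (section 1.2)
and the ordered deny/redirect rules (section 1.3) are evaluated against a
request. Request, the predicate helpers and the sample requests are
constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    method: str
    url: str                     # path plus query string, e.g. "/login?userid=7"
    dst_port: int
    headers: Dict[str, str] = field(default_factory=dict)
    be_sess_rate: int = 0        # backend session creation rate (sessions/second)


# Predicate builders standing in for the HAProxy criteria used on the page.
def url_beg(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.url.startswith(prefix)

def url_reg(pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.url) is not None

def hdr_sub(name: str, needle: str) -> Callable[[Request], bool]:
    return lambda r: needle in r.headers.get(name, "")

def dst_port(port: int) -> Callable[[Request], bool]:
    return lambda r: r.dst_port == port

def method_in(*methods: str) -> Callable[[Request], bool]:
    return lambda r: r.method.upper() in methods

def be_sess_rate_gt(limit: int) -> Callable[[Request], bool]:
    return lambda r: r.be_sess_rate > limit


# The ACLs of section 1.3. The uid_given regex escapes the "?" so it matches a
# literal question mark (unescaped, "?" would make the preceding "n" optional).
ACLS: Dict[str, Callable[[Request], bool]] = {
    "valid_method": method_in("GET", "HEAD"),
    "clear": dst_port(80),
    "secure": dst_port(8080),
    "login_page": url_beg("/login"),
    "logout": url_beg("/logout"),
    "uid_given": url_reg(r"/login\?userid=[^&]+"),
    "cookie_set": hdr_sub("Cookie", "SEEN=1"),
    "being_scanned": be_sess_rate_gt(100),
}

# Rules in the order the page lists them: the http-request deny comes first,
# then the redirects. The first rule whose condition holds decides.
RULES: List[Tuple[str, str]] = [
    ("deny", "! valid_method"),
    ("redirect prefix https://mysite.com set-cookie SEEN=1", "!cookie_set"),
    ("redirect prefix https://mysite.com", "login_page !secure"),
    ("redirect prefix http://mysite.com drop-query", "login_page !uid_given"),
    ("redirect location http://mysite.com/", "!login_page secure"),
    ("redirect location / clear-cookie USERID=", "logout"),
    ("redirect location /denied.html", "being_scanned"),
]


def condition_holds(cond: str, req: Request) -> bool:
    """Evaluate a condition such as 'login_page !secure' or 'clear or secure'.

    ACL names separated by spaces are ANDed, 'or' / '||' separate alternatives
    that are ORed, and '!' (attached or as its own token) negates a name."""
    for alternative in re.split(r"\s+(?:or|\|\|)\s+", cond.strip()):
        negate, holds = False, True
        for token in alternative.split():
            if token == "!":          # bare "!" applies to the next name
                negate = True
                continue
            if token.startswith("!"):
                negate, token = True, token[1:]
            value = ACLS[token](req) != negate   # invert when a negation is pending
            negate = False
            if not value:
                holds = False
                break
        if holds:
            return True
    return False


def decide(req: Request) -> str:
    """Return the action of the first matching rule, or 'pass' to the backend."""
    for action, cond in RULES:
        if condition_holds(cond, req):
            return action
    return "pass"


if __name__ == "__main__":
    # constructed request: login page over the clear port, first visit (no cookie)
    print(decide(Request("GET", "/login", 80)))
```

Because the rules are walked in order, a first visit without the SEEN=1 cookie always hits the set-cookie redirect before any of the later rules; only a request that already carries the cookie reaches the login, logout and port-based redirects. That ordering is worth keeping in mind when reading the redirect chain on the page.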
1.4. Parameters for protecting against a large number of requests
be_sess_rate: returns an integer value corresponding to the session creation rate of the backend, in new sessions per second. It is used with ACLs to switch to an alternate backend when an expensive or fragile one reaches too high a session rate, or to limit abuse of the service (for example, to prevent an online dictionary from being scraped). It is also useful to add this element to the log using the log-format directive.
fe_sess_rate: returns an integer value corresponding to the session creation rate of the frontend, in new sessions per second. It is used with ACLs to limit the incoming session rate to an acceptable range, so that abuse of the service is stopped as early as possible, for example when combined with other layer 4 ACLs to force clients to wait a little for the rate to drop below the limit. It is also useful to add this element to the log using the log-format directive. See also the "rate-limit sessions" directive used by frontends.
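As an added example that is not part of the original post and not HAProxy's implementation, the following Python models the session creation rate behind be_sess_rate / fe_sess_rate as a one-second sliding window (HAProxy's own frequency counter also smooths in the previous period, which this model leaves out) and applies the "redirect location /denied.html if being_scanned" decision from section 1.3 to a constructed burst of arrivals.

```python
"""Added example, not code from the original post or from HAProxy: a
simplified model of the session creation rate behind be_sess_rate /
fe_sess_rate (a one-second sliding window; HAProxy's own counter also
smooths in the previous period) and of the 'redirect ... if being_scanned'
decision built on it. The arrival trace is constructed for illustration."""
from collections import deque
from typing import Deque, List


class SessionRateCounter:
    """Counts sessions created during the last `window` seconds."""

    def __init__(self, window: float = 1.0) -> None:
        self.window = window
        self.times: Deque[float] = deque()

    def new_session(self, now: float) -> None:
        self.times.append(now)
        self._expire(now)

    def rate(self, now: float) -> int:
        """Sessions per second as the ACL fetch would see it at time `now`."""
        self._expire(now)
        return len(self.times)

    def _expire(self, now: float) -> None:
        # drop creation times that fell out of the window
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()


def simulate(arrivals: List[float], limit: int = 100) -> List[str]:
    """Apply 'acl being_scanned be_sess_rate gt <limit>' to each arriving
    session in turn; returns 'denied' (sent to /denied.html) or 'served'."""
    counter = SessionRateCounter()
    decisions = []
    for t in arrivals:
        # the rate the ACL compares is the one measured before this session
        being_scanned = counter.rate(t) > limit
        decisions.append("denied" if being_scanned else "served")
        counter.new_session(t)
    return decisions


def burst_trace() -> List[float]:
    """Constructed trace: 150 sessions within 150 ms, then one 5 s later."""
    return [i * 0.001 for i in range(150)] + [5.0]


if __name__ == "__main__":
    result = simulate(burst_trace())
    print(result.count("served"), "served,", result.count("denied"), "denied")
```

On the constructed burst, the first 101 sessions are served (the rate reaches 100 but is not yet greater than 100), the remaining 49 in the burst are sent to /denied.html, and the session arriving five seconds later is served again because the window has emptied; this is the recovery behaviour a rate-based ACL gives you, as opposed to a permanent block.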
1.5. Test example
Modify the configuration file:
# vim /etc/haproxy/haproxy.cfg
....
backend webserver
    balance roundrobin
    cookie WEBSVR insert nocache
    acl login_page url_beg /login
    acl logout url_beg /logout
    acl test_page url_reg ^/test[0-9].html$
    redirect prefix https://zldckl.com if login_page
    redirect location / clear-cookie USERID= if logout
    http-request deny if test_page
    server web1 192.168.199.126:80 weight 1 maxconn 500 maxqueue 300 cookie cklser1 check
    server web2 192.168.199.194:80 weight 1 maxconn 500 maxqueue 300 cookie cklser2 check
    server web3 192.168.199.180:80 weight 1 maxconn 500 maxqueue 300 cookie cklser3 check
Restart the service:
systemctl restart haproxy.service
Test that the login page redirects to HTTPS:
[Screenshot: C2.png]
Redirected to HTTPS:
[Screenshot: C11.png]
Test that logout also goes to the home page:
[Screenshot: C3.png]
Redirected to the home page:
[Screenshot: C1.png]
Test that the page matching the regex is rejected:
[Screenshot: C6.png]
Refused:
[Screenshot: C7.png]
This article is from the "Take a deep breath again" blog; please keep this source when reposting: http://ckl893.blog.51cto.com/8827818/1889756
HAProxy ACL and dynamic and static separation