Haproxy ACL and static and dynamic separation

Source: Internet
Author: User
Tags: haproxy

I. HAProxy ACL description

II. HAProxy static/dynamic separation


I. HAProxy ACL description

1.1. ACL function

Access control lists (ACLs) provide a flexible way to do content switching and, more generally, to take decisions based on content extracted from the request, from the response, or from any state of the connection or environment.

In other words, an ACL tests some piece of the request (or response) and the result is then used to decide what action to take: deny, redirect, pick a backend, and so on.


1.2. ACL syntax

acl <aclname> <criterion> [flags] [operator] [<value>] ...

<aclname>: the ACL name, chosen by the user; pick one that says what the ACL tests. Names may contain letters, digits, "-", "_", "." and ":" and are case-sensitive (my_acl and My_Acl are two different ACLs).

<criterion>: the sample to test, i.e. which piece of the request, response or connection state is examined: for example src, dst_port, path, url_beg, hdr(host), method.

[operator]: for integer samples, one of eq, ne, lt, le, gt, ge (string samples use the match method implied by the criterion or given with -m).

<value>: one or more patterns; an ACL matches if any pattern matches.

[flags]:

-i: ignore case in all subsequent pattern matches.

-f: load the patterns from a file (one pattern per line).

-m: use a specific pattern matching method (str, beg, end, sub, reg, ...) instead of the one implied by the criterion.

-n: forbid DNS resolution when loading IP patterns.

-M: load the file given with -f as a map file.

-u: force the unique id of the ACL.

--: force the end of flags. Useful when a pattern looks like a flag.


Combining ACLs in a condition:

- and (implicit: ACL names separated by spaces are ANDed)

- or (also written ||)

- ! (negates the ACL that follows it)

"and" binds tighter than "or", so "A !B || C D" reads as (A and not B) or (C and D). For example (from the HAProxy manual; HTTP_URL_STAR, METH_* and HTTP_CONTENT are predefined ACLs, and "block" is the old form of "http-request deny", deprecated since 1.7 and removed in 2.1):

acl missing_cl hdr_cnt(Content-length) eq 0
block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
block if METH_GET HTTP_CONTENT
block unless METH_GET or METH_POST or METH_OPTIONS

The first rule denies a request for the URL "*" unless it is an OPTIONS request, and also denies any POST without a Content-Length header; the second denies GET requests that carry a body; the third denies every method other than GET, POST and OPTIONS.
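The flags and the and/or/! operators above in one frontend, written with the current http-request syntax. This is an added example, not configuration from the original post or from the HAProxy manual; the names, the addresses and the file /etc/haproxy/trusted.lst are assumptions for illustration.

```haproxy
# Added example (not from the original post). HAProxy 1.8+ syntax; the
# names, addresses and /etc/haproxy/trusted.lst are assumptions.
frontend http-in
    bind *:80
    mode http

    # -m beg: explicit match method; -i: ignore case, so /Admin is caught too
    acl admin_path  path -i -m beg /admin
    # -f: one IP or CIDR pattern per line, loaded from a file that must exist
    # when HAProxy starts (assumed path)
    acl trusted_src src -f /etc/haproxy/trusted.lst
    # HTTP method names are matched exactly as sent in the request line
    acl safe_method method GET HEAD OPTIONS
    acl missing_cl  hdr_cnt(content-length) eq 0

    # Space = and, "||" (or "or") = or, "!" = not, and "and" binds tighter
    # than "or": this condition is
    #   (admin_path AND NOT trusted_src) OR (METH_POST AND missing_cl)
    # not admin_path AND (NOT trusted_src OR ...). Default deny status is 403.
    http-request deny if admin_path !trusted_src || METH_POST missing_cl

    # "unless" negates the whole condition: deny everything that is not
    # GET, HEAD, OPTIONS or POST (this replaces the old "block unless ...")
    http-request deny unless safe_method or METH_POST

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check
```

When a condition mixes "||" with several space-separated ACLs, split it into named ACLs or two rules if the grouping is not obvious at a glance; a misread precedence here silently widens or narrows a deny rule.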

1.3. Enough theory, on to an example

acl valid_method method GET HEAD          # ACL named valid_method: the request method is GET or HEAD (method names are case-sensitive, so write them in upper case)
http-request deny if !valid_method        # deny any request whose method is not one of the above

acl clear      dst_port  80               # ACL named clear: destination port is 80
acl secure     dst_port  8080             # ACL named secure: destination port is 8080
acl login_page url_beg   /login           # ACL named login_page: URL begins with /login
acl logout     url_beg   /logout          # ACL named logout: URL begins with /logout
acl uid_given  url_reg   /login?userid=[^&]+   # ACL named uid_given: URL matches the regex, i.e. a userid parameter is present
acl cookie_set hdr_sub(cookie) SEEN=1     # ACL named cookie_set: the Cookie header contains the substring SEEN=1

# If the cookie is not set: replace the scheme and host part of the URL with https://mysite.com,
# keep the rest of the URI unchanged (http://mysite.com/login/us?... becomes https://mysite.com/login/us?...)
# and set the cookie SEEN=1 on the redirect response
redirect prefix   https://mysite.com set-cookie SEEN=1 if !cookie_set
# Login page requested on a port other than 8080: redirect the prefix to https://mysite.com
redirect prefix   https://mysite.com           if login_page !secure
# Login page requested without a userid parameter: redirect to http://mysite.com and drop the query string
redirect prefix   http://mysite.com drop-query if login_page !uid_given
# Not the login page, but destination port is 8080: redirect to http://mysite.com/
redirect location http://mysite.com/           if !login_page secure
# Logout: redirect to / and clear the USERID cookie
redirect location / clear-cookie USERID=       if logout

acl being_scanned be_sess_rate gt 100     # ACL named being_scanned: the backend is creating more than 100 new sessions per second
redirect location /denied.html if being_scanned   # if so, send the client to /denied.html

1.4. Samples for limiting request floods

be_sess_rate([<backend>]): returns an integer, the session creation rate on the backend in new sessions per second. It is used in ACLs to switch to an alternate backend when an expensive or fragile one reaches too high a session rate, or to limit abuse of a service (for example to stop someone bulk-downloading an online dictionary). It can also be added to the logs with a log-format directive.


fe_sess_rate([<frontend>]): returns an integer, the session creation rate on the frontend in new sessions per second. It is used in ACLs to keep the incoming session rate within an acceptable range and so stop abuse of the service as early as possible, for example combined with other layer 4 ACLs to make clients wait until the rate drops back below the limit. It can also be added to the logs with a log-format directive. See also the "rate-limit sessions" directive for frontends.
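Both samples in a working configuration, together with a per-source counter, which is what stops a single abusive client rather than slowing everyone down. This is an added example, not configuration from the original post; the thresholds, addresses and backend names are assumptions for illustration. The fe_sess_rate pattern (accept if not too fast, otherwise accept when the inspect delay expires) follows the fe_sess_rate entry of the HAProxy manual.

```haproxy
# Added example (not from the original post). HAProxy 1.8+ syntax;
# thresholds, addresses and backend names are assumptions.
frontend http-in
    bind *:80
    mode http

    # fe_sess_rate: global rate of new sessions on this frontend. Above
    # 100/s, new connections are held for up to 100 ms (inspect-delay) and
    # only accepted when the delay expires (WAIT_END), so excess clients are
    # slowed down instead of being refused outright.
    acl too_fast fe_sess_rate ge 100
    tcp-request inspect-delay 100ms
    tcp-request content accept if !too_fast
    tcp-request content accept if WAIT_END

    # Per-client limit: track the source address in a stick table and count
    # its HTTP requests over a sliding 10 s window; answer 429 above 200.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 200 }

    # be_sess_rate(<backend>): while the application backend is creating
    # more than 100 sessions/s (abuse or a scan), send traffic to a cheap
    # static backend instead of redirecting to a page that would itself hit
    # the busy backend.
    acl app_overloaded be_sess_rate(app) gt 100
    use_backend static if app_overloaded
    default_backend app

backend app
    mode http
    balance roundrobin
    server web1 192.168.199.126:80 check maxconn 500
    server web2 192.168.199.194:80 check maxconn 500

backend static
    mode http
    server static1 127.0.0.1:8088 check
```

The frontend-wide limits (fe_sess_rate, be_sess_rate) protect the servers but punish all clients equally; the stick-table rule is the one that isolates the offender. Note that behind another proxy or load balancer "src" is that proxy's address, so track a forwarded-for header there instead of src.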

1.5. Test example

Edit the configuration file:

# vim /etc/haproxy/haproxy.cfg
...
backend webserver
    balance roundrobin
    cookie WEBSVR insert nocache
    acl login_page url_beg /login
    acl logout     url_beg /logout
    acl test_page  url_reg ^/test[0-9].html$
    redirect prefix https://zldckl.com if login_page
    redirect location / clear-cookie USERID= if logout
    http-request deny if test_page
    server web1 192.168.199.126:80 weight 1 maxconn 500 maxqueue 300 cookie cklser1 check
    server web2 192.168.199.194:80 weight 1 maxconn 500 maxqueue 300 cookie cklser2 check
    server web3 192.168.199.180:80 weight 1 maxconn 500 maxqueue 300 cookie cklser3 check

Restart the service (validate the file first with haproxy -c -f /etc/haproxy/haproxy.cfg; systemctl reload haproxy.service does a graceful reload that keeps established connections, whereas restart drops them):

systemctl restart haproxy.service

Testing that the login page redirects to HTTPS:

[screenshot C2.png]

Redirected to HTTPS:

[screenshot C11.png]

Testing that logout also redirects to the homepage:

[screenshot C3.png]

Redirected to the homepage:

[screenshot C1.png]

Testing the deny on the regex-matched page:

[screenshot C6.png]

Refused:

[screenshot C7.png]
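The same backend with the three changes a reviewer would ask for before putting the deny rule in front of anything sensitive. This is an added example, not configuration from the original post; the host name and server addresses are the ones the post uses, and the assumption that HAProxy terminates TLS itself (so ssl_fc is meaningful) is mine.

```haproxy
# Added example (not from the original post): hardened version of the
# test backend above. Assumes HAProxy terminates TLS on its own frontend.
backend webserver
    mode http
    balance roundrobin
    cookie WEBSVR insert nocache

    acl login_page path_beg /login
    acl logout     path_beg /logout
    # 1) url_reg tests the whole request URL including the query string, so
    #    /test1.html?x does not match the anchored regex and reaches the
    #    servers; "path" stops before the "?".
    # 2) an unescaped "." matches any character, so /test1Xhtml matched too.
    # 3) -i, so /TEST1.HTML is caught if the backend file system ignores case.
    acl test_page  path_reg -i ^/test[0-9]\.html$

    http-request deny if test_page
    # Redirect the login page to HTTPS only when it did not already arrive
    # over TLS; unconditional "redirect prefix https://..." loops once the
    # HTTPS request reaches the same backend.
    http-request redirect prefix https://zldckl.com code 301 if login_page !{ ssl_fc }
    http-request redirect location / clear-cookie USERID= if logout

    server web1 192.168.199.126:80 weight 1 maxconn 500 maxqueue 300 cookie cklser1 check
    server web2 192.168.199.194:80 weight 1 maxconn 500 maxqueue 300 cookie cklser2 check
    server web3 192.168.199.180:80 weight 1 maxconn 500 maxqueue 300 cookie cklser3 check
```

Re-run the three tests after the change, and add a fourth: request /test1.html?x=1 and /TEST1.html and confirm both are refused. If TLS is terminated by something in front of HAProxy, replace ssl_fc with a check on the X-Forwarded-Proto header that terminator sets.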



This article comes from the "take a deep breath again" blog; please keep this source link: http://ckl893.blog.51cto.com/8827818/1889756
