用于阻止子URL的IP的HAProxy配置

Question

我是HAProxy的新手。我想限制所有访问一个子URL，但不是为了从几个IP访问。我的HAProxy实现如下，它不阻塞任何IP/URL

# Listen to port 80.  Throw a 301 redirect to port 443
frontend Listen80
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

# List to port 443.  Redirect to appropriate backend based on URL
frontend Listen443
    bind *:443 ssl crt /etc/ssl/certs/examplesslpem %>

    acl web_url        path_beg   /abc /xyz
    acl web_url        path_beg   /efg /xy
    acl batch_url      path_beg   /h /ga
    acl network_allowed  src      example.xyz.com
    acl resticted_pages  path_beg   /abc/qaz/
    http-request allow if resticted_pages network_allowed
    use_backend BATCH        if batch_url
    use_backend SVC          if svc_url
    use_backend WEB          if web_url

    # Listen to port 8080.  Pass through to WEB backend
frontend Listen8080
    bind *:8080
    use_backend WEB

backend WEB
    mode http
    balance roundrobin
    option httpclose
    cookie SERVERIDWEB insert indirect nocache secure
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    reqrep ^([^\ ]*\ /)abc[/]?(.*)     \1\2
    server app-1 example-app1.com:8080 check cookie app1web
    server app-2 example-app2.com:8080 check cookie app2web
    server app-3 example-app3.com:8080 check cookie app3web
    server app-4 example-app4.com:8080 check cookie app4web
    server app-5 example-app5.com:8080 check cookie app5web

Answer 1

这绝对不是你想做的事。

http-request allow if resticted_pages network_allowed

默认情况下，请求是允许的。

请注意，http-request allow不是http-request deny的对立面。在这里，allow意味着不处理任何后续的http-request指令，而是允许此请求按原样进行。

看起来您想否认restricted_pages是否为真，而network_allowed是否为假，这如下所示：

http-request deny if restricted_pages !network_allowed

http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-http-request

还请注意，这也可能不会如您所愿：

acl network_allowed  src      example.xyz.com

这将在启动时将“示例”主机名解析为IP地址。然后，ACL将表现为您在配置中使用了该IP地址。