HAProxy Enterprise Documentation 2.7r1

ACL Examples

Below are some common use-case examples that can be applied with HAProxy Enterprise ACLs.

Redirect a request

To perform a redirection using http-request redirect, you will need to specify the complete URI in the location argument. For instance, if you want to redirect non-www domains to their www counterparts, you can employ the following code snippet:

frontend example
  http-request redirect location http://www.%[hdr(host)]%[capture.req.uri] unless { hdr_beg(host) -i www }

Here, our ACL hdr_beg(host) -i www will ensure that the client is redirected unless their Host HTTP header already begins with www.

The command http-request redirect scheme changes the scheme of the request while leaving the rest alone. This allows for trivial HTTP-to-HTTPS redirect lines:

frontend example
  http-request redirect scheme https if !{ ssl_fc }

Our ACL !{ ssl_fc } checks whether the request did not come in over HTTPS.

Caching with http-request cache-use

Small object caching enables the caching of resources according to ACLs. When combined with http-response cache-store, it enables you to save specific requests in the cache system. To illustrate, suppose we have a cache named icons. The following action will cache responses from paths starting with /icons/ and utilize them for subsequent requests:

frontend example
  http-request set-var(txn.path) path
  acl is_icons_path var(txn.path) -m beg /icons/
  http-request cache-use icons if is_icons_path
  http-response cache-store icons if is_icons_path

In this example:

  • The http-request cache-use icons if is_icons_path directive specifies that requests matching the is_icons_path ACL condition will be considered for cache usage. This instructs HAProxy Enterprise to check the cache for responses to these requests and serve them if available.

  • The http-response cache-store icons if is_icons_path directive indicates that responses matching the is_icons_path ACL condition should be stored in the cache. If the response is cacheable, it will be stored in the cache for future use.

Using ACLs to block requests

The http-request deny command returns a 403 response to the client by default and immediately terminates request processing. This feature is commonly used for DDoS/bot mitigation, as HAProxy Enterprise can efficiently handle a significant number of requests without impacting the web server.

Both deny commands (http-request deny and http-response deny) allow you to customize the response code by adding the deny_status flag. With http-request deny deny_status 429, for example, HAProxy Enterprise will respond to the client with the error code 429: Too Many Requests.

The following subsections describe a number of static conditions under which blocking traffic can be useful.

Deny based on HTTP protocol version

A number of attacks use HTTP/1.0 as the protocol version. Block these requests using the built-in ACL HTTP_1.0:

frontend example
  http-request deny if HTTP_1.0

Deny based on the content of the user-agent string

We can also inspect the User-Agent header and deny the request if it contains a specified string:

frontend example
  http-request deny if { req.hdr(user-agent) -m sub evil }

Deny based on the length of the user-agent string

Attackers may try to evade detection by using a random MD5 checksum as their user-agent string. Such attempts can be identified and blocked based on the length of the checksum, which is 32 hexadecimal characters:

frontend example
  http-request deny if { req.hdr(user-agent) -m len 32 }

Attackers can vary their user-agent strings more than that, so instead you can rely on the fact that legitimate user agents are longer and enforce a minimum length. This blocks any request whose User-Agent header is 32 characters or shorter:

frontend example
  http-request deny if { req.hdr(user-agent) -m len le 32 }

Deny based on the URL path

If an attacker is abusing a specific URL, you can block based on the path. For example, if your application does not use WordPress, you could block all requests that target the WordPress admin path:

frontend example
  http-request deny if { path_beg /wp-admin/ }

You can also prevent an attacker from accessing hidden files or folders, such as the .htaccess file, by denying any request whose path contains the substring /. (a dot directly after a slash):

frontend example
  http-request deny if { path -m sub /. }
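The deny rules above can be checked against sample traffic before they go live. The following Python script is an added example, not HAProxy code or part of this documentation: it re-implements only the match methods the rules use (-m beg, -m sub, -m len with integer operators, and the HTTP_1.0 built-in ACL) and evaluates the six deny conditions from this section, in page order, over constructed requests. The deny_status 429 on the length rule, the rule names and all request samples are assumptions made for illustration.

```python
"""Simulated evaluation of the deny rules from this page.

Added example, not HAProxy's own code: it re-implements just enough of the
ACL match methods used above (-m beg, -m sub, -m len with integer operators,
and the HTTP_1.0 built-in ACL) to show which constructed requests each rule
would deny. HAProxy has many more matchers and flags; only these are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """A minimal HTTP request as HAProxy's request-rule fetches see it."""
    version: str                      # request version, e.g. "HTTP/1.0"
    path: str                         # the 'path' sample fetch (no query string)
    headers: dict = field(default_factory=dict)

    def hdr(self, name):
        """req.hdr(name): header names are case-insensitive; absent -> ''."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def match_int(value, pattern):
    """Integer matching: a bare number means equality, otherwise an
    operator (eq, ne, lt, le, gt, ge) followed by the number."""
    parts = pattern.split()
    op, n = ("eq", parts[0]) if len(parts) == 1 else (parts[0], parts[1])
    n = int(n)
    return {"eq": value == n, "ne": value != n, "lt": value < n,
            "le": value <= n, "gt": value > n, "ge": value >= n}[op]


def acl_beg(sample, pattern, icase=False):
    """-m beg (also path_beg / hdr_beg): prefix match, -i for case-insensitive."""
    if icase:
        sample, pattern = sample.lower(), pattern.lower()
    return sample.startswith(pattern)


def acl_sub(sample, pattern, icase=False):
    """-m sub: substring match; case-sensitive unless -i is given."""
    if icase:
        sample, pattern = sample.lower(), pattern.lower()
    return pattern in sample


def acl_len(sample, pattern):
    """-m len: match the length of the string against an integer pattern."""
    return match_int(len(sample), pattern)


# Deny rules in the order they appear on the page. http-request deny stops
# processing, so the first matching rule decides the response. The 429 on
# the minimum-length rule is an assumed deny_status, mirroring the page's
# deny_status 429 example; the rule names are our own labels.
RULES = [
    ("HTTP_1.0",         403, lambda r: r.version == "HTTP/1.0"),
    ("ua-contains-evil", 403, lambda r: acl_sub(r.hdr("user-agent"), "evil")),
    ("ua-len-eq-32",     403, lambda r: acl_len(r.hdr("user-agent"), "32")),
    ("ua-len-le-32",     429, lambda r: acl_len(r.hdr("user-agent"), "le 32")),
    ("path-wp-admin",    403, lambda r: acl_beg(r.path, "/wp-admin/")),
    ("path-hidden",      403, lambda r: acl_sub(r.path, "/.")),
]


def evaluate(req):
    """Return (rule_name, status) for the first matching deny rule, or None."""
    for name, status, cond in RULES:
        if cond(req):
            return name, status
    return None


# Constructed sample requests (not captured traffic).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLES = {
    "normal":      Request("HTTP/1.1", "/index.html", {"User-Agent": BROWSER_UA}),
    "http10":      Request("HTTP/1.0", "/index.html", {"User-Agent": BROWSER_UA}),
    "md5_ua":      Request("HTTP/1.1", "/", {"User-Agent": "d41d8cd98f00b204e9800998ecf8427e"}),
    "short_ua":    Request("HTTP/1.1", "/", {"User-Agent": "curl/7.88.1"}),
    "no_ua":       Request("HTTP/1.1", "/"),
    "evil_lower":  Request("HTTP/1.1", "/", {"User-Agent": BROWSER_UA + " evilcrawler/2.1"}),
    "evil_mixed":  Request("HTTP/1.1", "/", {"User-Agent": BROWSER_UA + " EvilCrawler/2.1"}),
    "wp_admin":    Request("HTTP/1.1", "/wp-admin/install.php", {"User-Agent": BROWSER_UA}),
    "htaccess":    Request("HTTP/1.1", "/.htaccess", {"User-Agent": BROWSER_UA}),
    "dot_segment": Request("HTTP/1.1", "/static/../index.html", {"User-Agent": BROWSER_UA}),
}


def evaluate_all():
    """Map each sample name to its deny decision (None means allowed)."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:12s} -> {decision or 'allowed'}")
```

Three things the run makes visible that the rules alone do not: rule order matters, since the 32-character MD5 user agent is caught by the equality rule before the `le 32` rule ever runs; a request with no User-Agent header at all has length 0 and is therefore also denied by the minimum-length rule, which may or may not be what you want; and `-m sub evil` is case-sensitive, so the `EvilCrawler` sample passes unless you add `-i` to that ACL.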
