Thanks Willy, Baptiste - those approaches both sound promising as a way to simplify our configurations. Will investigate these options further. Much appreciated!
-----Original Message-----
From: Willy Tarreau [mailto:w@1wt.eu]
Sent: 22 September 2015 17:32
To: Fitzpatrick, Adrian
Cc: 'haproxy@formilux.org'
Subject: Re: Sharing ACL between frontend
Hi Adrian,
On Tue, Sep 22, 2015 at 02:56:22PM +0000, Fitzpatrick, Adrian wrote:
> Hi,
>
> I'm wondering is there a way to define an ACL so that it can be referenced from multiple front-ends? Or, to ask the question another way - why can't ACL's be defined in defaults?
>
> My scenario is that I am using HAProxy for Layer 7 content switching
> based on URL, and I have about 5 front-ends and about 100 back-ends.
> Based on the URL, each front-end selects which backend should process
> the request - "use_backend if ....". So I've got 100 ACLs, one each
> for the URL pattern corresponding to the traffic destined for the
> particular backend. The 5 front-ends separate incoming requests by
> location and user type, and different front-ends have access to different sub-sets of the back-ends.
> Currently I have to repeat the definition of the ACLs across each of
> these 5 front-ends. Is there a way to define my ACLs in one place and
> reference them across each of the 5 front-ends? E.g. I would have
> thought I could just define all the ACLs in defaults, but this doesn't appear to be possible?
No, it's not possible to declare a list in defaults, and ACLs are lists.
The reason behind this is that anything declared in defaults may be overridden in the next sections. That's not really possible anymore with ACLs as it would either completely replace the ACL or concatenate to it.
By the way, do you *really* need to declare your 100 ACLs ? If you only have 100 ACLs for 100 backends, I guess they're all pretty similar and probably match on the host header only. Then you can use anonymous ACLs to simplify your config :
replace :

    acl host_site1 req.hdr(host) -i site1.com
    acl host_site2 req.hdr(host) -i site2.com
    use_backend bk_site1 if host_site1
    use_backend bk_site2 if host_site2

with :

    use_backend bk_site1 if { req.hdr(host) -i site1.com }
    use_backend bk_site2 if { req.hdr(host) -i site2.com }
And if your backends are properly named, you can even use a dynamic use_backend rule which turns the host name into a backend name. E.g.:

    use_backend bk_%[req.hdr(host),lower]

If it's not as easy to turn a site name into a backend name, you can use a map converting a site to a backend name, that also guarantees that no other backend than those declared will be used :

    use_backend %[req.hdr(host),lower,map(bksite.map)]

And then your file bksite.map contains for example :

    www.site1.com bk_site1
    site1.com bk_site1
    www.site2.com bk_site2
    etc...
Hoping this helps,
Willy
*********************************************************************
Please note that Revenue cannot guarantee that any personal and sensitive data, sent in plain text via standard email, is fully secure. Customers who choose to use this channel are deemed to have accepted any risk involved. The alternative communication methods offered by Revenue include standard post and the option to register for our (encrypted) MyEnquiries service on our website www.revenue.ie.
*********************************************************************
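
With the map approach the client-supplied Host header selects the backend, so each front-end's map file is effectively its list of reachable back-ends. An added example (not from the thread or from the HAProxy project): a small Python lint for such map files, assuming one map file per front-end; the map contents, backend names and allowed set below are constructed.

```python
# Added example: lint a per-frontend HAProxy map file used with
#   use_backend %[req.hdr(host),lower,map(<file>)]
def parse_map(text):
    """Parse map text: 'key value' per line; '#' comments and blanks ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, parts[0], value))
    return entries

def lint_map(text, allowed_backends):
    """Return (line, issue, detail) for entries that break the frontend's policy."""
    findings, seen = [], set()
    for lineno, key, value in parse_map(text):
        if not value:
            findings.append((lineno, "missing-backend", key))
            continue
        if key != key.lower():
            # The 'lower' converter runs before the lookup, so this key never matches.
            findings.append((lineno, "key-not-lowercase", key))
        if key in seen:
            findings.append((lineno, "duplicate-key", key))
        seen.add(key)
        if value not in allowed_backends:
            findings.append((lineno, "backend-not-allowed", value))
    return findings

def route(text, host):
    """Mimic the lookup: lowercase the Host value, exact string match, else None."""
    table = {}
    for _, key, value in parse_map(text):
        table.setdefault(key, value)  # assumption: first entry wins on duplicates
    return table.get(host.lower())

# Constructed sample for a hypothetical public frontend.
PUBLIC_MAP = """\
# host            backend
www.site1.com     bk_site1
site1.com         bk_site1
WWW.Site2.com     bk_site2
admin.site1.com   bk_admin
"""
PUBLIC_ALLOWED = {"bk_site1", "bk_site2"}
```

A Host value that carries a port (`site1.com:8080`) has no exact match in this sample, so it needs its own map entry or it falls through to whatever the front-end does with unmatched requests.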