7.2. Using ACLs to form conditions

Some actions are only performed upon a valid condition. A condition is a
combination of ACLs with operators. Three operators are supported:

  - AND (implicit)
  - OR (explicit with the "or" keyword or the "||" operator)
  - Negation with the exclamation mark ("!")

A condition is formed as a disjunctive form, i.e. an OR of AND-groups (the
braces below denote an optional, repeatable group and are not part of the
syntax):

  [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...

The implicit AND binds tighter than "or", and "!" applies only to the single ACL
it precedes, so "a or b c" means "a or (b and c)" and "!a b" means "(not a) and
b".

Such conditions are generally used after an "if" or "unless" statement: "if"
triggers the action when the condition is true, "unless" triggers it when the
condition is false.
For instance, to block HTTP requests to the "*" URL with methods other than
"OPTIONS", as well as POST requests without a Content-Length header, GET or HEAD
requests with a Content-Length greater than 0, and finally every request whose
method is not one of GET/HEAD/POST/OPTIONS:

  acl missing_cl hdr_cnt(Content-length) eq 0
  http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
  http-request deny if METH_GET HTTP_CONTENT
  http-request deny unless METH_GET or METH_POST or METH_OPTIONS

The predefined ACL "METH_GET" matches both GET and HEAD, which is why HEAD needs
no rule of its own. Rules are evaluated in order, and a matching "deny" refuses
the request without evaluating the remaining rules.
To select a different backend for requests to static contents on the "www" site
and to every request on the "img", "video", "download" and "ftp" hosts:

  acl url_static path_beg /static /images /img /css
  acl url_static path_end .gif .png .jpg .css .js
  acl host_www hdr_beg(host) -i www
  acl host_static hdr_beg(host) -i img. video. download. ftp.

  # now use backend "static" for all static-only hosts, and for static URLs
  # of host "www". Use backend "www" for the rest.
  use_backend static if host_static or host_www url_static
  use_backend www if host_www

Because AND binds tighter than "or", the first "use_backend" condition reads as
"host_static or (host_www and url_static)". The two "url_static" lines share a
name, so a request matches "url_static" if either its path prefix or its
extension matches. Note also that "hdr_beg(host) -i www" is a prefix match and
matches any host name starting with "www", not only "www.<domain>".
It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
expressions that are built on the fly without needing to be declared. They must
be enclosed between braces, with a space before and after each brace (because
the braces must be seen as independent words). For example, the following rule:

  acl missing_cl hdr_cnt(Content-length) eq 0
  http-request deny if METH_POST missing_cl

can also be written this way:

  http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
It is generally not recommended to use this construct because it is a lot easier
to leave errors in the configuration when written that way. However, for very
simple rules matching only one source IP address for instance, it can make more
sense to use them than to declare ACLs with random names. Another example of
good use is the following, where two "acl" lines with the same name are OR'ed
together:

With named ACLs:

  acl site_dead nbsrv(dynamic) lt 2
  acl site_dead nbsrv(static) lt 2
  monitor fail if site_dead

With anonymous ACLs:

  monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
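To make the precedence rules of this section concrete, the following evaluator
is added here as an example; it is not part of HAProxy. It implements only the
condition grammar described above (implicit AND, "or"/"||", per-term "!",
anonymous ACLs in braces, same-name "acl" lines OR'ed together) and replays the
page's "http-request deny" and "use_backend" examples against constructed
requests. The "request()" context dict, the predicates standing in for the real
matchers, and the two fetches understood inside braces ("hdr_cnt", "nbsrv") are
simplifications assumed for illustration.

```python
# Evaluator for HAProxy-style ACL conditions. Added example, not HAProxy code;
# request fields, matchers and the two brace-level fetches are simplified
# stand-ins assumed for illustration only.
import re

NAMED = {}  # acl name -> list of predicates over a context dict, OR'ed together

def acl(name, predicate):
    """Mimic an 'acl' line: repeating a name adds an alternative, it does not replace."""
    NAMED.setdefault(name, []).append(predicate)

def hdr(ctx, name):
    return [v for k, v in ctx["headers"] if k.lower() == name.lower()]

# Predefined ACLs the page's examples rely on (METH_GET matches GET and HEAD,
# as in the HAProxy manual's list of predefined ACLs).
acl("METH_OPTIONS", lambda c: c["method"] == "OPTIONS")
acl("METH_GET", lambda c: c["method"] in ("GET", "HEAD"))
acl("METH_POST", lambda c: c["method"] == "POST")
acl("HTTP_URL_STAR", lambda c: c["path"] == "*")
acl("HTTP_CONTENT", lambda c: any(v.isdigit() and int(v) > 0 for v in hdr(c, "content-length")))
# The page's own named ACLs, transcribed as predicates
acl("missing_cl", lambda c: len(hdr(c, "Content-length")) == 0)
acl("url_static", lambda c: c["path"].startswith(("/static", "/images", "/img", "/css")))
acl("url_static", lambda c: c["path"].endswith((".gif", ".png", ".jpg", ".css", ".js")))
acl("host_www", lambda c: any(h.lower().startswith("www") for h in hdr(c, "host")))
acl("host_static", lambda c: any(h.lower().startswith(("img.", "video.", "download.", "ftp."))
                                 for h in hdr(c, "host")))
acl("site_dead", lambda c: c["nbsrv"]["dynamic"] < 2)
acl("site_dead", lambda c: c["nbsrv"]["static"] < 2)

OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}
ANON = re.compile(r"^(hdr_cnt|nbsrv)\(([\w-]+)\)\s+(eq|lt|gt)\s+(\d+)$")

def eval_anon(expr, ctx):
    """Body of an anonymous ACL; only the two fetches used on the page are supported."""
    m = ANON.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported anonymous ACL: {expr!r}")
    fetch, arg, op, n = m.groups()
    value = len(hdr(ctx, arg)) if fetch == "hdr_cnt" else ctx["nbsrv"][arg]
    return OPS[op](value, int(n))

def tokenize(cond):
    """Split on whitespace, so '{' and '}' are only recognised as separate words."""
    words, terms, i = cond.split(), [], 0
    while i < len(words):
        neg = words[i].startswith("!")
        w = words[i][1:] if neg else words[i]
        if w == "{":
            close = words.index("}", i)  # ValueError if the brace is never closed
            terms.append((neg, "anon", " ".join(words[i + 1:close])))
            i = close + 1
        elif w.lower() in ("or", "||"):
            terms.append((False, "or", None))
            i += 1
        else:
            terms.append((neg, "name", w))
            i += 1
    return terms

def evaluate(cond, ctx):
    """Disjunctive form: OR of AND-groups, with "!" applied to a single term."""
    groups = [[]]
    for term in tokenize(cond):
        if term[1] == "or":
            groups.append([])
        else:
            groups[-1].append(term)
    for group in groups:
        if not group:
            raise ValueError("empty AND group in condition: %r" % cond)
        for neg, kind, val in group:
            hit = eval_anon(val, ctx) if kind == "anon" else any(p(ctx) for p in NAMED[val])
            if hit == neg:  # this term failed, so the whole AND-group fails
                break
        else:
            return True
    return False

DENY_RULES = [  # the page's three "http-request deny" lines, in order
    ("if", "HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl"),
    ("if", "METH_GET HTTP_CONTENT"),
    ("unless", "METH_GET or METH_POST or METH_OPTIONS"),
]

def is_denied(ctx):
    """'if' fires when the condition holds, 'unless' when it does not."""
    return any(evaluate(cond, ctx) == (kw == "if") for kw, cond in DENY_RULES)

def choose_backend(ctx):
    """The page's two "use_backend" lines; None stands for the default_backend."""
    if evaluate("host_static or host_www url_static", ctx):
        return "static"
    if evaluate("host_www", ctx):
        return "www"
    return None

def request(method, path, headers=(), nbsrv=None):
    """Constructed sample context: one request plus per-backend healthy server counts."""
    return {"method": method, "path": path, "headers": list(headers),
            "nbsrv": nbsrv or {"dynamic": 3, "static": 3}}
```

Feeding "GET /index.html" with "Host: img.example.com" to choose_backend()
returns "static" even though url_static does not match, which is exactly the
"host_static or (host_www and url_static)" grouping; a HEAD request carrying
"Content-Length: 5" is denied because METH_GET covers HEAD; and the named
"site_dead" and the anonymous "{ nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }"
forms give the same answer for the same backend state.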
See section 4.2 for detailed help on the "http-request deny" and "use_backend"
keywords.