I have a HAProxy node in front of a Keycloak node. I want to expose only the API needed to serve the users (not the Admin panel). I have the following in my haproxy.cfg frontend block:

frontend haproxy-main 
    ...
    ...
    acl kc_adm path_beg,url_dec -i / /admin/ /welcome/ /metrics /health
    acl kc path_beg,url_dec -i /js/ /realms/ /resources/ /robots.txt 
    http-request allow if kc !kc_adm
    ...
    ...

But still all requests are passing through. My full config is here: https://gist.github.com/desertSniper87/146e027a60152a34445aa3a0c76638d1

My HAProxy version is HA-Proxy version 2.0.13-2ubuntu0.5 2022/03/02 running on Ubuntu 20.04.1 LTS

1 Answer

Instead of using http-request allow/deny, I used use_backend.

frontend haproxy-main
    ...
    ... 

    acl kc path_beg -i /js/ /realms/ /resources/ /robots.txt 
    default_backend no-match
    use_backend keycloak_server if kc 

backend no-match 
    mode http
    http-request deny deny_status 400

backend keycloak_server
    ...
    ...
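
The two rule sets above, replayed in a small Python model to show which paths each one forwards to Keycloak. This is an added example, not code from the question or the answer. It assumes a simplified view of HAProxy rule evaluation (case-insensitive prefix match, `url_dec` left out), and the sample paths and the realm name `demo` are constructed.

```python
# Simplified model of the rules quoted above (an assumption of this example,
# not HAProxy itself). path_beg -i is modelled as a case-insensitive prefix
# match; the url_dec converter from the question is left out.
KC = ["/js/", "/realms/", "/resources/", "/robots.txt"]
KC_ADM = ["/", "/admin/", "/welcome/", "/metrics", "/health"]

# Constructed sample request paths (the realm name "demo" is made up).
SAMPLE_PATHS = [
    "/realms/demo/protocol/openid-connect/token",
    "/resources/",
    "/admin/master/console/",
    "/metrics",
    "/health",
    "/",
]


def path_beg_i(path, prefixes):
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in prefixes)


def question_frontend(path):
    """http-request allow if kc !kc_adm, with no deny rule after it."""
    if path_beg_i(path, KC) and not path_beg_i(path, KC_ADM):
        # Unreachable in practice: "/" in kc_adm is a prefix of every path.
        return (True, "allow rule matched")
    # No http-request rule matched, so HAProxy processes the request normally.
    return (True, "no rule matched, forwarded")


def answer_frontend(path):
    """use_backend keycloak_server if kc, otherwise default_backend no-match."""
    if path_beg_i(path, KC):
        return (True, "keycloak_server")
    return (False, "no-match, deny_status 400")


def compare(paths=SAMPLE_PATHS):
    """Return (path, forwarded by question's rules, forwarded by answer's rules)."""
    return [(p, question_frontend(p)[0], answer_frontend(p)[0]) for p in paths]


if __name__ == "__main__":
    for path, before, after in compare():
        print(f"{path:45} question={before!s:5} answer={after}")
```

In the model, the question's frontend forwards every sample path because an `allow` rule with nothing denying the remainder changes no outcome, while the answer's routing forwards only the paths on the `kc` list.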