5

I have a poorly performing web app that will be massively scaled out to cope with the weight of the internet.

Haproxy will be used to farm out the stateless web requests to many servers. However, there's still a limit to the traffic that can come and I'd like to prioritise genuine users.

Can haproxy be configured to send traffic from a particular referrer URL to a particular box?

E.g. if the deployment's gateway is mentioned in a news article I can redirect traffic from that article to a fast static HTML site saying something on the lines of "thank you for your interest, here's some info."?

If this is possible, perhaps someone could share a relevant snippet from the configuration file.

Robin

2 Answers

8

Yes, it can. From the documentation,

hdr_dir

hdr_dir(header)

Returns true when one of the headers contains one of the strings either isolated or delimited by slashes. This is used to perform filename or directory name matching, and may be used with Referer. See "hdr" for more information on header matching.

So you can check hdr_dir(referer) to see if it matches a particular path, and if it does, set a flag, and then send traffic to various destinations based on that flag.

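# In the frontend (or listen) section: flag requests whose Referer contains /some/path
acl slashdot hdr_dir(referer) -i /some/path
  # Matching referrals go to cluster1, everything else to cluster2
  use_backend cluster1 if slashdot
  use_backend cluster2 if !slashdot

# Backend for the referred traffic
backend cluster1
  server servera 192.168.0.50:80

# Backend for all other traffic
backend cluster2
  server serverb 192.168.0.51:80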

Untested.

EightBitTony
  • 2
    *note misspelling of 'referrer' header, should be 'referer'. Can't edit due to only 2 chars to change and my rep :/ but with the misspelling the example doesn't work – Nimjox Jun 08 '18 at 02:22
  • 1
    @Nimjox referrer is the correct spelling. An edit to introduce a misspelling should probably include a short note on why the word has to be misspelled. (Optionally with a link to some more background such as https://en.wikipedia.org/wiki/HTTP_referer#Etymology) – kasperd Jun 08 '18 at 09:17
  • Thanks @Nimjox - only took someone 6.5 years! – EightBitTony Jun 08 '18 at 11:30
  • Nice source, as a practical example for this with modern chrome you have a general 'Referrer Policy' but the actual request header is titled 'Referer'. People still look at old examples :) – Nimjox Jun 08 '18 at 16:52
  • Thanks to these comments this question now has SEO for both spellings ;) – Robin Jun 10 '18 at 08:24
2

I came across this post, which talks about using a setup along these lines:

acl invalid_referer hdr_sub(referer) -i -f /etc/haproxy/banned.haproxy.conf
block if invalid_referer

It should return a 403 to the blocked referral traffic. You should be able to amend the config to handle the traffic differently (i.e. pass to a different backend).

Coops
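The two answers use different match methods, hdr_dir and hdr_sub, and they do not select the same requests. The following is an added example, not code from either answer or from HAProxy: a simplified Python model of the two matches, following the documentation text quoted above and treating only "/" as a delimiter. The host news.example and the sample Referer values are constructed.

```python
# Simplified model of the two ACL match methods used in the answers above.
# It follows the documentation text quoted on this page; it is not HAProxy code.

def hdr_sub(value, patterns, ignore_case=True):
    """Substring match: true if any pattern occurs anywhere in the header."""
    if value is None:                      # header absent: the ACL cannot match
        return False
    if ignore_case:                        # models the -i flag
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(p in value for p in patterns if p)

def hdr_dir(value, patterns, ignore_case=True):
    """Directory match: the pattern must be isolated or delimited by slashes."""
    if value is None:
        return False
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    for p in patterns:
        p = p.strip("/")                   # compare on whole path components
        if not p:
            continue
        start = value.find(p)
        while start != -1:
            end = start + len(p)
            left_ok = start == 0 or value[start - 1] == "/"
            right_ok = end == len(value) or value[end] == "/"
            if left_ok and right_ok:
                return True
            start = value.find(p, start + 1)
    return False

def pick_backend(referer):
    """Routing from the first answer: cluster1 if the ACL matches, else cluster2."""
    return "cluster1" if hdr_dir(referer, ["/some/path"]) else "cluster2"

# Constructed sample Referer values (news.example is a placeholder host).
SAMPLES = [
    "http://news.example/some/path",
    "http://news.example/SOME/PATH/article.html",
    "http://news.example/some/pathology",   # substring hit, not a directory hit
    None,                                   # no Referer header sent
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, pick_backend(ref), hdr_sub(ref, ["/some/path"]))
```

The Referer header is set by the client and is often omitted under a browser's Referrer Policy, so a rule like this shapes load; it is not an access control, and requests without the header fall through to the default backend.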