4

I'm trying to restrict access to a specific URL. It should not be allowed to access /admin.php.

frontend example
  acl restricted_page path_beg -i /admin\.php
  http-request deny if restricted_page

This works fine, HAProxy is blocking access to this URL. But when I enter http://example.org/ad%6Din.php (%6D = hexcode for "m"), HAProxy is not restricting access.

What is the best way to do this?

  • Is there an option in HAProxy, or do I need to specify a regular expression matching "admin.php" as plaintext and/or url-encoded?
  • Are there any other ways to bypass the restriction?

Thanks!

1 Answer

8

As it happens, HAProxy has a converter to decode the field, making sure that your ACL will always match a given string.

url_dec
Takes an url-encoded string provided as input and returns the decoded version as output. The input and the output are of type string.

You'd use it like this.

frontend example
  acl restricted_page path_beg,url_dec -i /admin.php
  http-request deny if restricted_page
GregL
  • For me, only this syntax worked (HAProxy Version: 1.8.8): `acl restricted_page path,url_dec -m beg -i /admin.php` – Chupaka Apr 15 '22 at 16:01
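To see concretely why the decode step matters, here is a small Python model of the two ACLs discussed above. This is an added illustration, not code from the answer or from HAProxy; the function names are mine, and Python's `urllib.parse.unquote` stands in for HAProxy's `url_dec` converter (the sample paths are constructed for the demonstration).

```python
from urllib.parse import unquote

# The prefix the ACL is meant to block (lowercase because the ACL uses -i).
RESTRICTED_PREFIX = "/admin.php"


def matches_raw(path: str) -> bool:
    """Model of `acl restricted_page path_beg -i /admin.php`:
    a case-insensitive prefix match on the path exactly as the client sent it,
    so a percent-encoded letter is never seen as the letter itself."""
    return path.lower().startswith(RESTRICTED_PREFIX)


def matches_decoded(path: str) -> bool:
    """Model of `acl restricted_page path,url_dec -m beg -i /admin.php`:
    percent-decode the path first, then apply the same prefix match."""
    return unquote(path).lower().startswith(RESTRICTED_PREFIX)


# Constructed sample request paths, including the encoded form from the question.
SAMPLE_PATHS = [
    "/admin.php",
    "/ADMIN.PHP",
    "/ad%6Din.php",
    "/index.php",
]


def evaluate(paths):
    """Return {path: (raw_match, decoded_match)} for each sample path."""
    return {p: (matches_raw(p), matches_decoded(p)) for p in paths}


if __name__ == "__main__":
    for p, (raw, dec) in evaluate(SAMPLE_PATHS).items():
        print(f"{p:14} raw_match={raw!s:5} decoded_match={dec}")
```

Running it shows the gap the question describes: only the decoded check flags `/ad%6Din.php`, while both checks agree on the plain and upper-case spellings. The practical point is to normalise the value before comparing it, rather than trying to enumerate encodings in a regular expression.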