Using multiple conditionals in haproxy use_backend

Question

Without brackets, seems it is not possible to have haproxy select use_backend based on true and (a or b)

For example, I want to use_backend ClusterA if allowed_src and (method_a or path_b). Regardless if I invert the conditions before/after and, I am left with a way to hit the backend with a single true value instead of requiring allowed_src and one of either method_a or path_b.

*updated example such that all three ACL are distinct.

Tubeless · Accepted Answer · 2018-11-16T18:15:04.807

2

The answer Vadim wrote achieves what you asked initially. To match your updated question, you could use the following logic:

acl allowedsrc src 123.123.123.123
acl mypath path_beg /path_a
use_backend ClusterA if allowedsrc mypath || allowedsrc METH_POST

Since you didn't mention what you were trying to match with allowedsrc ACL, I'll assume you wanted to match certain IP address.

Let me break down the whole logic to plain english.

acl allowedsrc matches source IP 123.123.123.123

acl mypath matches URLs that begins with /path_a

The last line means that request will be poined to ClusterA backend if source IP address was 123.123.123.123 and if URL was beginning with /path_a or if source IP address was 123.123.123.123 and HTTP method was POST.

Instead of METH_POST, you can use different pre-defined ACLs. Check out HAProxy's documentation to see the complete list.

edited Nov 16 '18 at 18:15

answered Nov 16 '18 at 17:46

Tubeless

1,640
14
15

That only works if the path_a and path_b use path_beg. What if one was a path based acl and one was method based. – haproxy-user1997 Nov 16 '18 at 17:49
In that case, you may want to use something like: use_backend ClusterA if allowedsrc mypath || allowedsrc METH_POST Instead of METH_POST, you can match different methods (e.g. METH_GET, METH_HEAD, etc.) – Tubeless Nov 16 '18 at 18:10
I've updated my answer with additional information. Hopefully it'll help you understand the whole logic. – Tubeless Nov 16 '18 at 18:15
Thanks Tubeless. Does **and** always get evaluated before **or**? – haproxy-user1997 Nov 16 '18 at 19:27
Found that and does indeed have higher precedence than or: https://www.haproxy.com/documentation/aloha/10-0/traffic-management/lb-layer7/writing-conditions/ – haproxy-user1997 Nov 16 '18 at 19:28

score 1 · Answer 2 · answered Nov 16 '18 at 07:36

1

acl allowedsrc .......
acl mypath path_beg /path_a /path_b
use_backend ClusterA if allowedsrc mypath

answered Nov 16 '18 at 07:36

Vadim

596
3
10

1

This answer needs an explanation. – kasperd Nov 16 '18 at 15:32
If two acl are not the same (path_beg) this won't work. – haproxy-user1997 Nov 16 '18 at 16:37
@haproxy-user1997, Vadim gave you a correct answer. Since "mypath" ACL mathes either "/path_a" or "/path_b", it's effectively the same as (path_a or path_b). – Tubeless Nov 16 '18 at 17:34

Using multiple conditionals in haproxy use_backend

2 Answers2