haproxy acl hdr seems inoperant

Question
Using haproxy, I try to add a Content-Security-Policy header except for Safari clients that do not handle this header.
I try to use an acl with *req.hdr(User-Agent)* to detect an iPhone client.
I can't make it work: it seems to be inoperative, though I can log the User-Agent header in the log file.
```
# uname -a
Linux arnaud 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64 GNU/Linux
# haproxy --version
HA-Proxy version 1.8.19-1+deb10u3 2020/08/01
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>
```

I try the following configuration:

```
frontend fe_prod
    bind :10083
    mode http
    capture request header User-Agent len 256
    acl iosUA req.fhdr(User-Agent) -m sub iPhone
    http-response add-header Content-Security-Policy "frame-ancestors 'self' file://* filesystem:;" unless iosUA
    use_backend be_dev

backend be_dev
    mode http
    server dev 127.0.0.1:83
```
In the haproxy.log file, I can see:

```
May 17 10:28:46 arnaud haproxy[29442]: 127.0.0.1:52016 [17/May/2023:10:28:46.077] fe_prod be_dev/dev 0/0/0/2/2 304 183 - - ---- 6/6/0/1/0 0/0 {Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1} "GET /login HTTP/1.1"
```
But the HTTP response always includes the Content-Security-Policy header, even for this User-Agent.
I already spent one full day dealing with different configurations, but cannot find what I missed.
Answer 1
Score: 1
I found the answer on Server Fault.
I quote the explanation from a comment by @Michael-sqlbot on Oct 15, 2018:
> This answer is correct, but the further answer is no, ACLs do not work that way in HAProxy. ACLs are only evaluated at the point when they are tested, so in this case they would not be tested until during response processing... and the unqualified hdr() fetch assumes response header at that point... but if you qualify it as req.hdr() that does not change the expected behavior because the buffer holding request headers has already been released by then, so request fetches have nothing to search. The txn variables persist from request to response.
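An added example (not from the question or the quoted answer) of the approach the comment describes: the question's frontend rewritten so the User-Agent is copied into a transaction-scoped variable while the request buffer still exists, and the `http-response` rule tests that variable instead of `req.fhdr()`. The variable name `txn.ua` is an assumption; ports, backend and policy string are the question's own.

```haproxy
frontend fe_prod
    bind :10083
    mode http
    capture request header User-Agent len 256

    # Runs during request processing, when the request headers are still
    # in the buffer. txn.* variables survive into response processing.
    # (variable name txn.ua is an assumption of this example)
    http-request set-var(txn.ua) req.fhdr(User-Agent)

    # Evaluated when the http-response rule below tests it, i.e. during
    # response processing: read the saved copy, not the released request buffer.
    acl iosUA var(txn.ua) -m sub iPhone

    # Apply the frame-ancestors policy to every client except iPhone Safari,
    # which the question reports does not handle this header.
    http-response add-header Content-Security-Policy "frame-ancestors 'self' file://* filesystem:;" unless iosUA

    use_backend be_dev

backend be_dev
    mode http
    server dev 127.0.0.1:83
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading, then confirm with a request carrying an iPhone User-Agent that the header is absent and with any other User-Agent that it is present.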