haproxy acl hdr seems inoperative

Question


Using haproxy, I try to add a Content-Security-Policy header except for Safari clients, which do not handle this header.
I try to use an acl with req.hdr(User-Agent) to detect an iPhone client.
I can't make it work: it seems to be inoperative, though I can log the User-Agent header in the log file.

# uname -a
Linux arnaud 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64 GNU/Linux
# haproxy --version
HA-Proxy version 1.8.19-1+deb10u3 2020/08/01
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>

I try the following configuration :

frontend fe_prod
    bind :10083
    mode http
    capture request  header User-Agent len 256
    acl iosUA req.fhdr(User-Agent) -m sub iPhone
    http-response add-header Content-Security-Policy "frame-ancestors 'self' file://* filesystem:;" unless iosUA
    use_backend be_dev

backend be_dev
    mode http
    server dev 127.0.0.1:83

In the haproxy.log file, I can see :

May 17 10:28:46 arnaud haproxy[29442]: 127.0.0.1:52016 [17/May/2023:10:28:46.077] fe_prod be_dev/dev 0/0/0/2/2 304 183 - - ---- 6/6/0/1/0 0/0 {Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1} "GET /login HTTP/1.1"

But the HTTP response always includes the Content-Security-Policy header, even for this User-Agent.
I already spent one full day dealing with different configurations, but cannot find what I missed.

Answer 1

Score: 1


I found the answer on Server Fault.

I quote the explanation from a comment by @Michael-sqlbot on Oct 15, 2018:

> This answer is correct, but the further answer is no, ACLs do not work that way in HAProxy. ACLs are only evaluated at the point when they are tested, so in this case they would not be tested until during response processing... and the unqualified hdr() fetch assumes response header at that point... but if you qualify it as req.hdr() that does not change the expected behavior because the buffer holding request headers has already been released by then, so request fetches have nothing to search. The txn variables persist from request to response.
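A corrected frontend that applies the quoted advice, added here as an example and not taken from the question or the answer (the variable name txn.ua is my choice): the User-Agent is copied into a transaction variable during request processing, and the ACL tested by http-response reads that copy instead of a request fetch whose buffer is gone by then.

```haproxy
frontend fe_prod
    bind :10083
    mode http
    capture request header User-Agent len 256

    # Copy the request's User-Agent into a txn.* variable while the request
    # headers are still in the buffer. txn.* variables persist from request
    # processing into response processing; req.* fetches do not.
    http-request set-var(txn.ua) req.fhdr(User-Agent)

    # ACLs are evaluated only where they are tested (here: at response time),
    # so the ACL must read the stored copy, not req.fhdr(User-Agent).
    acl iosUA var(txn.ua) -m sub iPhone

    # The header is now omitted for iPhone clients and added for everyone else.
    http-response add-header Content-Security-Policy "frame-ancestors 'self' file://* filesystem:;" unless iosUA

    use_backend be_dev

backend be_dev
    mode http
    server dev 127.0.0.1:83
```

To check the behaviour, send two requests with curl, one with `-A` set to a User-Agent containing "iPhone" and one without, and compare the response headers from `curl -I http://127.0.0.1:10083/login`. Since User-Agent is client-supplied, any client can opt out of the header by claiming to be an iPhone, but the only party losing that protection is the client making the choice.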

huangapple
  • Posted on 2023-05-17 17:01:37
  • Original link (keep when reposting): https://go.coder-hub.com/76270313.html