Re: acl and multiple header values

From: David Birdsong <>
Date: Tue, 30 Aug 2011 15:37:45 -0700

On Tue, Jun 14, 2011 at 10:41 PM, Willy Tarreau <> wrote:
> On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
>> I want to create an ACL based on X-Forwarded-For:
>>     acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>>     block unless whitelist
>> Which is just grand, EXCEPT I'm only interested in (and trust) the last address in the X-Forwarded-For header.  The above acl matches any address in the header.  I've been digging for a good chunk of the day how to do that and come up empty handed.  Help?
> Since we have not yet reworked the ACLs to rely on the pattern subsystem,
> it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
> "balance" or "source" keywords.

Could I get clarification on this thread? If a request comes in with XFF looking like:

and I have an acl in my frontend
acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt

will bad_guys_ip be set if block_ip.txt contains: -
- both?

> One thing you could do, despite not being very good, is to remove all
> occurrences of values in the header. Basically, remove everything from
> the first char to the last comma :
>   reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2
> Then your ACL could match based on what is left in this header.
> Regards,
> Willy
Received on 2011/08/31 00:37
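To make the point of the thread concrete: hdr_ip(X-Forwarded-For) matches if ANY address in the header is in the list, and every value except the last one is supplied by the client, so a client outside the whitelist can simply prepend a whitelisted address. Only the last value, appended by the trusted proxy in front of HAProxy, is worth checking, which is what Willy's reqirep rewrite keeps. The script below is an added example written for this page, not code from the thread or from HAProxy: it models the "any value matches" ACL semantics, applies Willy's regex (transcribed with a literal space where the config needs "\ "), and shows which requests match before and after the rewrite. The whitelist network, the peer addresses, the assumption that the upstream proxy appends the real peer address to the last X-Forwarded-For line the client sent, and the choice to skip values that do not parse as an IP are all constructed for the example.

```python
import ipaddress
import re

# Constructed fixture standing in for the contents of whitelist.txt.
WHITELIST = ["203.0.113.0/24"]

# Willy's reqirep pattern from the mail. In a haproxy config the space is
# written "\ " because whitespace separates arguments; as a Python regex the
# same pattern takes a literal space. It only matches a line that holds at
# least one comma, and \1\2 keeps the header name plus the last value.
REQIREP_PATTERN = re.compile(r"^(X-Forwarded-For: ).*,([^,]*)")
REQIREP_REPLACEMENT = r"\1\2"


def rewrite_xff(header_line):
    """Apply the reqirep rewrite to one header line (reqirep works per line)."""
    return REQIREP_PATTERN.sub(REQIREP_REPLACEMENT, header_line)


def xff_addresses(header_lines):
    """Yield every address from every X-Forwarded-For line, in order.
    Assumption for this example: values that do not parse as an IP are skipped."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "x-forwarded-for":
            continue
        for item in value.split(","):
            try:
                yield ipaddress.ip_address(item.strip())
            except ValueError:
                continue


def acl_hdr_ip_in_list(header_lines, whitelist):
    """Model of `acl x hdr_ip(X-Forwarded-For) -f whitelist.txt`: true if ANY
    address in ANY X-Forwarded-For line is inside a listed network, which is
    exactly the behaviour John complained about."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    return any(addr in net for addr in xff_addresses(header_lines) for net in nets)


def forwarded_by_trusted_proxy(client_lines, peer):
    """Constructed model of the proxy in front of HAProxy. Assumption: it appends
    the real peer address to the last X-Forwarded-For line the client sent, or
    adds the header when the client sent none."""
    lines = list(client_lines)
    for i in range(len(lines) - 1, -1, -1):
        if lines[i].lower().startswith("x-forwarded-for:"):
            lines[i] = f"{lines[i]}, {peer}"
            return lines
    lines.append(f"X-Forwarded-For: {peer}")
    return lines


def evaluate(client_lines, peer, whitelist=WHITELIST):
    """Return (matched_before_rewrite, matched_after_rewrite) for one request."""
    headers = forwarded_by_trusted_proxy(client_lines, peer)
    before = acl_hdr_ip_in_list(headers, whitelist)
    after = acl_hdr_ip_in_list([rewrite_xff(h) for h in headers], whitelist)
    return before, after


if __name__ == "__main__":
    # Legitimate client connecting directly from a whitelisted address.
    print(evaluate([], "203.0.113.5"))                                   # (True, True)
    # Attacker outside the whitelist prepends a whitelisted address.
    print(evaluate(["X-Forwarded-For: 203.0.113.5"], "198.51.100.7"))   # (True, False)
    # Same attacker puts the spoofed value on its own header line: the
    # per-line rewrite leaves that line untouched and the ACL still fires.
    print(evaluate(["X-Forwarded-For: 203.0.113.5",
                    "X-Forwarded-For: 10.0.0.9"], "198.51.100.7"))     # (True, True)
```

Two details worth noticing when running it. The rewritten line comes out as "X-Forwarded-For:  198.51.100.7" with two spaces, because `[^,]*` captures the space after the last comma; hdr_ip tolerates that, and the parser above strips it. More importantly, reqirep rewrites each header line on its own, so if a client sends a second X-Forwarded-For line and the upstream proxy appends to a different line (the assumption modelled here), the client's single-value line survives the rewrite and still matches. Whether that happens depends on how the proxy in front merges or replaces incoming X-Forwarded-For headers, so that is the thing to verify before relying on this workaround.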

This archive was generated by hypermail 2.2.0 : 2011/08/31 00:45 CEST