rdp-cookie(<name>)
The RDP cookie <name> (or "mstshash" if omitted) will be
looked up and hashed for each incoming TCP request. Just as
- with the equivalent ACL 'req_rdp_cookie()' function, the name
+ with the equivalent ACL 'req.rdp_cookie()' function, the name
is not case-sensitive. This mechanism is useful as a degraded
persistence mode, as it makes it possible to always send the
same user (or the same session ID) to the same server. If the
Note that for this to work, the frontend must ensure that an
RDP cookie is already present in the request buffer. For this
you must use 'tcp-request content accept' rule combined with
- a 'req_rdp_cookie_cnt' ACL.
+ a 'req.rdp_cookie_cnt' ACL.
This algorithm is static by default, which means that
changing a server's weight on the fly will have no effect,
but this can be changed using "hash-type".
- See also the rdp_cookie pattern fetch function.
-
<arguments> is an optional list of arguments which may be needed by some
algorithms. Right now, only "url_param" and "uri" support an
optional argument.
server srv1 1.1.1.1:3389
server srv2 1.1.1.2:3389
- See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
- the rdp_cookie pattern fetch function.
+ See also : "balance rdp-cookie", "tcp-request" and the "req.rdp_cookie" ACL.
rate-limit sessions <rate>
# maximum SSL session ID length is 32 bytes.
stick-table type binary len 32 size 30k expire 30m
- acl clienthello req_ssl_hello_type 1
- acl serverhello rep_ssl_hello_type 2
+ acl clienthello req.ssl_hello_type 1
+ acl serverhello rep.ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
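Review bot: `rep.ssl_hello_type` on the new `acl serverhello` line looks like a mechanical underscore-to-dot rename and does not follow the `res.` prefix this same patch uses for response-side fetches (`res.hdr`, `res.cook_cnt`, and `res.len` in the context). Please confirm the name is a registered keyword. If it is not, this example fails to parse when copied into a configuration, and `res.ssl_hello_type` is the spelling consistent with the rest of the document.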
# at offset 44.
# Match and learn on request if client hello.
- stick on payload_lv(43,1) if clienthello
+ stick on req.payload_lv(43,1) if clienthello
# Learn on response if server hello.
- stick store-response payload_lv(43,1) if serverhello
+ stick store-response resp.payload_lv(43,1) if serverhello
server s1 192.168.1.1:443
server s2 192.168.1.1:443
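Review bot: the response fetch in `stick store-response resp.payload_lv(43,1) if serverhello` uses a `resp.` prefix, while the request side of the same example uses `req.payload_lv` and the response fetches elsewhere in this patch use `res.`. Suggest `res.payload_lv(43,1)` so the learn-on-response rule matches the documented naming and the example can be pasted as is.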
Example:
# reject SMTP connection if client speaks first
tcp-request inspect-delay 30s
- acl content_present req_len gt 0
+ acl content_present req.len gt 0
tcp-request content reject if content_present
# Forward HTTPS connection only if client speaks
tcp-request inspect-delay 30s
- acl content_present req_len gt 0
+ acl content_present req.len gt 0
tcp-request content accept if content_present
tcp-request content reject
For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
request, it is possible to do :
- acl jsess_present cook(JSESSIONID) -m found
+ acl jsess_present req.cook(JSESSIONID) -m found
In order to apply a regular expression on the 500 first bytes of data in the
buffer, one would use the following acl :
- acl script_tag payload(0,500) -m reg -i <script>
+ acl script_tag req.payload(0,500) -m reg -i <script>
On systems where the regex library is much slower when using "-i", it is
possible to convert the sample to lowercase before matching, like this :
- acl script_tag payload(0,500),lower -m reg <script>
+ acl script_tag req.payload(0,500),lower -m reg <script>
All ACL-specific criteria imply a default matching method. Most often, these
criteria are composed by concatenating the name of the original sample fetch
For instance, the following ACL matches any negative Content-Length header :
- acl negative-length hdr_val(content-length) lt 0
+ acl negative-length req.hdr_val(content-length) lt 0
This one matches SSL versions between 3.0 and 3.1 (inclusive) :
- acl sslv3 req_ssl_ver 3:3.1
+ acl sslv3 req.ssl_ver 3:3.1
7.1.3. Matching strings
Example :
# match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
- acl hello payload(0,6) -m bin 48656c6c6f0a
+ acl hello req.payload(0,6) -m bin 48656c6c6f0a
7.1.6. Matching IPv4 and IPv6 addresses
requests with a content-length greater than 0, and finally every request which
is not either GET/HEAD/POST/OPTIONS !
- acl missing_cl hdr_cnt(Content-length) eq 0
+ acl missing_cl req.hdr_cnt(Content-length) eq 0
http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
http-request deny if METH_GET HTTP_CONTENT
http-request deny unless METH_GET or METH_POST or METH_OPTIONS
The following rule :
- acl missing_cl hdr_cnt(Content-length) eq 0
+ acl missing_cl req.hdr_cnt(Content-length) eq 0
http-request deny if METH_POST missing_cl
Can also be written that way :
- http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
+ http-request deny if METH_POST { req.hdr_cnt(Content-length) eq 0 }
It is generally not recommended to use this construct because it's a lot easier
to leave errors in the configuration when written that way. However, for very
http-request add-header Via 1.1\ %[env(HOSTNAME)]
# reject cookie-less requests when the STOP environment variable is set
- http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
+ http-request deny if !{ req.cook(SESSIONID) -m found } { env(STOP) -m found }
fe_conn([<frontend>]) : integer
Returns the number of currently established connections on the frontend,
with ACLs in order to check for the presence of some content in a buffer at
any location.
- ACL alternatives :
- payload(<offset>,<length>) : hex binary match
+ ACL derivatives :
+ req.payload(<offset>,<length>) : hex binary match
req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
This extracts a binary block whose size is specified at <offset1> for <length>
the request buffer. The <offset2> parameter also supports relative offsets if
prepended with a '+' or '-' sign.
- ACL alternatives :
- payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
+ ACL derivatives :
+ req.payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Example : please consult the example from the "stick store-response" keyword.
rdp-cookie".
ACL derivatives :
- req_rdp_cookie([<name>]) : exact string match
+ req.rdp_cookie([<name>]) : exact string match
Example :
listen tse-farm
server srv1 1.1.1.2:3389
See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
- "req_rdp_cookie" ACL.
+ "req.rdp_cookie" ACL.
req.rdp_cookie_cnt([name]) : integer
rdp_cookie_cnt([name]) : integer (deprecated)
used in ACL.
ACL derivatives :
- req_rdp_cookie_cnt([<name>]) : integer match
+ req.rdp_cookie_cnt([<name>]) : integer match
req.ssl_alpn : string
Returns a string containing the values of the Application-Layer Protocol
Examples :
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
- tcp-request content accept if { req_ssl_hello_type 1 }
+ tcp-request content accept if { req.ssl_hello_type 1 }
use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
default_backend bk_default
Examples :
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
- tcp-request content accept if { req_ssl_hello_type 1 }
+ tcp-request content accept if { req.ssl_hello_type 1 }
use_backend bk_allow if { req.ssl_sni -f allowed_sites }
default_backend bk_sorry_page
fetch is mostly used in ACL.
ACL derivatives :
- req_ssl_ver : decimal match
+ req.ssl_ver : decimal match
res.len : integer
Returns an integer value corresponding to the number of bytes present in the
presence. Use the res.cook() variant for response cookies sent by the server.
ACL derivatives :
- cook([<name>]) : exact string match
- cook_beg([<name>]) : prefix match
- cook_dir([<name>]) : subdir match
- cook_dom([<name>]) : domain match
- cook_end([<name>]) : suffix match
- cook_len([<name>]) : length match
- cook_reg([<name>]) : regex match
- cook_sub([<name>]) : substring match
+ req.cook([<name>]) : exact string match
+ req.cook_beg([<name>]) : prefix match
+ req.cook_dir([<name>]) : subdir match
+ req.cook_dom([<name>]) : domain match
+ req.cook_end([<name>]) : suffix match
+ req.cook_len([<name>]) : length match
+ req.cook_reg([<name>]) : regex match
+ req.cook_sub([<name>]) : substring match
req.cook_cnt([<name>]) : integer
cook_cnt([<name>]) : integer (deprecated)
check for versions 1.0 and 1.1.
ACL derivatives :
- req_ver : exact string match
+ req.ver : exact string match
res.body : binary
This returns the HTTP response's available body as a block of data. Unlike
It may be used in tcp-check based expect rules.
ACL derivatives :
- scook([<name>] : exact string match
+ res.scook([<name>] : exact string match
res.cook_cnt([<name>]) : integer
scook_cnt([<name>]) : integer (deprecated)
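Review bot: the added line `res.scook([<name>] : exact string match` has two problems. The name keeps the old `s` prefix on top of the new `res.` scope, whereas the context directly below documents `res.cook_cnt` and marks `scook_cnt` as deprecated, so the derivative should read `res.cook`. The closing parenthesis after `[<name>]` is also missing, carried over from the removed line, and is worth fixing while the line is being touched.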
It may be used in tcp-check based expect rules.
ACL derivatives :
- shdr([<name>[,<occ>]]) : exact string match
- shdr_beg([<name>[,<occ>]]) : prefix match
- shdr_dir([<name>[,<occ>]]) : subdir match
- shdr_dom([<name>[,<occ>]]) : domain match
- shdr_end([<name>[,<occ>]]) : suffix match
- shdr_len([<name>[,<occ>]]) : length match
- shdr_reg([<name>[,<occ>]]) : regex match
- shdr_sub([<name>[,<occ>]]) : substring match
+ res.hdr([<name>[,<occ>]]) : exact string match
+ res.hdr_beg([<name>[,<occ>]]) : prefix match
+ res.hdr_dir([<name>[,<occ>]]) : subdir match
+ res.hdr_dom([<name>[,<occ>]]) : domain match
+ res.hdr_end([<name>[,<occ>]]) : suffix match
+ res.hdr_len([<name>[,<occ>]]) : length match
+ res.hdr_reg([<name>[,<occ>]]) : regex match
+ res.hdr_sub([<name>[,<occ>]]) : substring match
res.hdr_cnt([<name>]) : integer
shdr_cnt([<name>]) : integer (deprecated)
It may be used in tcp-check based expect rules.
ACL derivatives :
- resp_ver : exact string match
+ resp.ver : exact string match
set-cookie([<name>]) : string (deprecated)
This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
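Review bot: `resp.ver` in the ACL derivatives list is inconsistent with the `res.` prefix used for every other response fetch in this patch (`res.hdr`, `res.hdr_cnt`, `res.cook_cnt`). Unless `resp.ver` is a registered alias, this should be `res.ver`. As written, the documentation advertises a keyword that a reader cannot match against the fetch headings.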