Cheatsheet

Common fetches

Match source IP address

acl is_malicious src 192.168.10.32
acl is_local_net src 192.168.32.0/24 # match IP range

Match request path

acl is_api path -i -m beg /api # match paths starting with /api
acl is_image path -i -m end .jpg .png .gif # match paths ending with .jpg, .png and .gif extensions
acl is_health path_str -i /health # exact match path /health
acl is_dotfile path_sub /. # match paths containing /.

Match request param

acl has_param url_param(user_id) -m found

Match request header

acl is_google_domain req.hdr(host) -i -m end google.com # Domain name ends with google.com; e.g. www.google.com, mail.google.com. A plain suffix match also accepts notgoogle.com; use .google.com to require a subdomain boundary

Check if connection uses ssl

Reject request if made over a non-ssl connection

http-request deny unless ssl_fc

Redirect to a different address

http-request redirect location https://google.local%[capture.req.uri] if is_google_domain

Redirect to a different scheme

http-request redirect scheme https if !{ ssl_fc }

Redirect by adding a prefix to the original URL, e.g. redirect to /v2/{original url}

http-request redirect prefix /v2 unless { path_beg /v2 }

Use custom HTTP code with HTTP redirects. If not specified, default is 302

Codes 301 through 308 can be used

Redirect to https with HTTP code 301

http-request redirect scheme https code 301 if !{ ssl_fc }

Select backend based on map file and request path

use_backend be_%[path,map_beg(/etc/haproxy/backend_map.acl,default)] # or use be_default if no mapping is found

Change request path

http-request set-path /v2%[path] if !{ path_beg -i /v2 }

set-query can also be used to change query params

set-uri can be used to set entire path and query

Cache response for select requests

acl is_assets path_beg -i /assets # ACL for asset files
http-request cache-use assets if is_assets
http-response cache-store assets if is_assets

Deny request with custom HTTP code. Default code is 403

http-request deny deny_status 500 if is_malicious

Drop request based on HTTP protocol

http-request deny if HTTP_1.0
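
Several of the rules above combined into one frontend, as an added example that is not part of the original cheatsheet. It shows the map file layout that the map_beg lookup expects and places the deny rules before the redirect. The certificate path, backend names, server addresses and map entries are assumptions.

```haproxy
# /etc/haproxy/backend_map.acl (constructed sample, one "path-prefix backend-suffix" pair per line):
#   /api     api
#   /assets  static

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # certificate path is an assumption

    acl is_malicious src 192.168.10.32
    acl is_dotfile   path_sub /.

    # http-request rules run in order: deny first, so blocked clients
    # never receive a redirect and never reach a backend
    http-request deny if is_malicious
    http-request deny if is_dotfile
    http-request deny if HTTP_1.0

    # Everything that is left must arrive over TLS
    http-request redirect scheme https code 301 if !{ ssl_fc }

    # /api/...    -> be_api
    # /assets/... -> be_static
    # no mapping  -> be_default (the second argument of map_beg)
    use_backend be_%[path,map_beg(/etc/haproxy/backend_map.acl,default)]

backend be_api
    server api1 192.168.32.11:8080 check      # constructed address

backend be_static
    server static1 192.168.32.12:8080 check   # constructed address

backend be_default
    server web1 192.168.32.13:8080 check      # constructed address
```

Every value in the map file must have a matching be_<value> backend; haproxy -c -f <config file> validates the configuration before a reload.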
