Is it possible to compare two variables in a HAProxy ACL statement?

Posted: 2018-07-16 15:58:15

Tags: haproxy

Is it possible to compare two variables in a HAProxy ACL statement? For example, suppose both the Host header and the X-CORRECT-HOST header are equal to "example.com".

acl correct_host hdr(host) -i example.com # THIS RETURNS TRUE
acl correct_host hdr(X-CORRECT-HOST) -i example.com # THIS RETURNS TRUE

I have tried a few things and read through the documentation, but nothing seems to work. Here are a few examples I tried, all of which return false:

acl correct_host hdr(host) -i hdr(X-CORRECT-HOST)
acl correct_host hdr(host) -m str hdr(X-CORRECT-HOST)
acl correct_host hdr(host) -i %[hdr(X-CORRECT-HOST)]
acl correct_host hdr(host) -m str %[hdr(X-CORRECT-HOST)]

1 answer:

Answer 0 (score: 0)

You can use Lua (HAProxy needs to be built with Lua support).

You can check that with:

haproxy -vv|grep -i lua

Something like this:

  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1
Built with Lua version : Lua 5.3.1

Or build it with Lua, for example:

make TARGET=linux2628 USE_LUA=1 LUA_LIB=/opt/lua-5.3.1/lib LUA_INC=/opt/lua-5.3.1/include

Then:

$ ./haproxy -v
Nuster version 2.0.0.18
Copyright (C) 2017-2018, Jiang Wenyuan, <koubunen AT gmail DOT com >

HA-Proxy version 1.8.12 2018/06/27
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

conf:

global
    debug
    lua-load compare_header_value.lua

frontend web1
    bind *:8080
    mode http

    default_backend app1

backend app1
    mode http
    http-request set-var(req.two_header_value_equal) lua.compare_header_value(hdr1,hdr2)

    http-request deny unless { var(req.two_header_value_equal) -m bool }


    server s1 127.0.0.1:8000

compare_header_value.lua

function compare_header_value(txn, h1, h2)
    -- req_get_headers() returns a table keyed by lowercase header name; each
    -- entry is a table holding that header's values, indexed from 0.
    local hdr = txn.http:req_get_headers()

    -- Either header absent: treat as "not equal".
    if hdr[h1] == nil or hdr[h2] == nil then
      return false
    end

    -- Compare the first occurrence of each header.
    if hdr[h1][0] == hdr[h2][0] then
      return true
    end

    return false
end

-- Expose the function to the configuration as the sample fetch lua.compare_header_value(h1,h2)
core.register_fetches("compare_header_value", compare_header_value)

Then you can use the ACL like this:

    http-request deny unless { var(req.two_header_value_equal) -m bool }

Test:

1. Identical headers

curl -v http://127.0.0.1:8080/ -H "hdr1: 1" -H "hdr2: 1"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.60.0
> Accept: */*
> hdr1: 1
> hdr2: 1
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK

2. Different headers

curl -v http://127.0.0.1:8080/ -H "hdr1: 1" -H "hdr2: 2"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.60.0
> Accept: */*
> hdr1: 1
> hdr2: 2
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
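The fetch in the answer compares only the first occurrence of each header, so a request carrying a header twice with different values still passes. As an added example (not part of the answer above), this stricter variant of the same Lua fetch fails closed when either header is missing or duplicated and compares hostnames case-insensitively; the fetch name headers_equal_strict and the variable name req.host_ok are assumptions.

```lua
-- Added example, not the answer's own code. Assumes HAProxy built with
-- USE_LUA=1 and this file loaded with "lua-load" in the global section.

local function occurrences(values)
  -- req_get_headers() indexes each header's values from 0, so the '#'
  -- operator is not reliable; count every entry explicitly.
  local n = 0
  for _ in pairs(values) do n = n + 1 end
  return n
end

function headers_equal_strict(txn, h1, h2)
  -- req_get_headers() keys are lowercase; normalise the names we were given.
  local hdr = txn.http:req_get_headers()
  local a, b = hdr[string.lower(h1)], hdr[string.lower(h2)]

  -- Missing header: fail closed.
  if a == nil or b == nil then
    return false
  end

  -- A header sent more than once is ambiguous (the two copies may disagree
  -- and a backend may honour either one); refuse the request outright.
  if occurrences(a) ~= 1 or occurrences(b) ~= 1 then
    return false
  end

  -- Hostnames are case-insensitive, so compare lowercased values.
  return string.lower(a[0]) == string.lower(b[0])
end

-- Exposed to the configuration as lua.headers_equal_strict(h1,h2), e.g.
--   http-request set-var(req.host_ok) lua.headers_equal_strict(host,x-correct-host)
--   http-request deny unless { var(req.host_ok) -m bool }
core.register_fetches("headers_equal_strict", headers_equal_strict)
```

With this wired in place of the answer's set-var line, the second curl test above still gets 403, and a request sending hdr1 twice (once matching, once not) is denied as well.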