haproxy does not add headers conditionally

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

I have the following config, it's under the frontend section for tls connection and haproxy terminates https connections:

acl domain-acl-host hdr(host) -i domain.tld
rspadd X-Foo: bar if domain-acl-host
rspadd X-Baz: baz
http-response set-header X-Bar bar if domain-acl-host
use_backend backend_name if domain-acl-host

The use_backend directive works conditionally as expected (there are multiple different domain names served, and they are chosen correctly)

But headers are not added/set to the response conditionally.

I expect 3 extra headers to be added there: X-Foo, X-Baz, and X-Bar, but only X-Baz is added:

< HTTP/1.1 302 Found
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Cache-Control: max-age=0, must-revalidate, private
< Date: Sun, 14 Oct 2018 20:25:59 GMT
< Location: https://domain.tld/somewhere/else
< X-Baz: baz

I'm sure I'm missing something trivial, but reading documentation or google did not help.

PS: it's haproxy 1.8.8

https http haproxy

share|improve this question

asked 4 hours ago

zerkms

2471414

add a comment | 

up vote
1
down vote

favorite

I have the following config, it's under the frontend section for tls connection and haproxy terminates https connections:

acl domain-acl-host hdr(host) -i domain.tld
rspadd X-Foo: bar if domain-acl-host
rspadd X-Baz: baz
http-response set-header X-Bar bar if domain-acl-host
use_backend backend_name if domain-acl-host

The use_backend directive works conditionally as expected (there are multiple different domain names served, and they are chosen correctly)

But headers are not added/set to the response conditionally.

I expect 3 extra headers to be added there: X-Foo, X-Baz, and X-Bar, but only X-Baz is added:

< HTTP/1.1 302 Found
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Cache-Control: max-age=0, must-revalidate, private
< Date: Sun, 14 Oct 2018 20:25:59 GMT
< Location: https://domain.tld/somewhere/else
< X-Baz: baz

I'm sure I'm missing something trivial, but reading documentation or google did not help.

PS: it's haproxy 1.8.8

https http haproxy

share|improve this question

asked 4 hours ago

zerkms

2471414

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

I have the following config, it's under the frontend section for tls connection and haproxy terminates https connections:

acl domain-acl-host hdr(host) -i domain.tld
rspadd X-Foo: bar if domain-acl-host
rspadd X-Baz: baz
http-response set-header X-Bar bar if domain-acl-host
use_backend backend_name if domain-acl-host

The use_backend directive works conditionally as expected (there are multiple different domain names served, and they are chosen correctly)

But headers are not added/set to the response conditionally.

I expect 3 extra headers to be added there: X-Foo, X-Baz, and X-Bar, but only X-Baz is added:

< HTTP/1.1 302 Found
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Cache-Control: max-age=0, must-revalidate, private
< Date: Sun, 14 Oct 2018 20:25:59 GMT
< Location: https://domain.tld/somewhere/else
< X-Baz: baz

I'm sure I'm missing something trivial, but reading documentation or google did not help.

PS: it's haproxy 1.8.8

https http haproxy

share|improve this question

asked 4 hours ago

zerkms

2471414

I have the following config, it's under the frontend section for tls connection and haproxy terminates https connections:

acl domain-acl-host hdr(host) -i domain.tld
rspadd X-Foo: bar if domain-acl-host
rspadd X-Baz: baz
http-response set-header X-Bar bar if domain-acl-host
use_backend backend_name if domain-acl-host

The use_backend directive works conditionally as expected (there are multiple different domain names served, and they are chosen correctly)

But headers are not added/set to the response conditionally.

I expect 3 extra headers to be added there: X-Foo, X-Baz, and X-Bar, but only X-Baz is added:

< HTTP/1.1 302 Found
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Cache-Control: max-age=0, must-revalidate, private
< Date: Sun, 14 Oct 2018 20:25:59 GMT
< Location: https://domain.tld/somewhere/else
< X-Baz: baz

I'm sure I'm missing something trivial, but reading documentation or google did not help.

PS: it's haproxy 1.8.8

https http haproxy

https http haproxy

share|improve this question

asked 4 hours ago

zerkms

2471414

share|improve this question

asked 4 hours ago

zerkms

2471414

share|improve this question

share|improve this question

asked 4 hours ago

zerkms

2471414

asked 4 hours ago

zerkms

2471414

asked 4 hours ago

zerkms

2471414

2471414

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
2
down vote



accepted

there is no host header in the response headers, your acl never matches.
use something like this:

 http-request set-var(txn.foo) req.hdr(host)
 http-response set-header bar 1 if var(txn.foo) foo.bar 

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
  – zerkms
  4 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
  – txn.foo
  4 hours ago
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f935492%2fhaproxy-does-not-add-headers-conditionally%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote



accepted

there is no host header in the response headers, your acl never matches.
use something like this:

 http-request set-var(txn.foo) req.hdr(host)
 http-response set-header bar 1 if var(txn.foo) foo.bar 

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
  – zerkms
  4 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
  – txn.foo
  4 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote



accepted

there is no host header in the response headers, your acl never matches.
use something like this:

 http-request set-var(txn.foo) req.hdr(host)
 http-response set-header bar 1 if var(txn.foo) foo.bar 

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
  – zerkms
  4 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
  – txn.foo
  4 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote



accepted

up vote
2
down vote



accepted

there is no host header in the response headers, your acl never matches.
use something like this:

 http-request set-var(txn.foo) req.hdr(host)
 http-response set-header bar 1 if var(txn.foo) foo.bar 

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

there is no host header in the response headers, your acl never matches.
use something like this:

 http-request set-var(txn.foo) req.hdr(host)
 http-response set-header bar 1 if var(txn.foo) foo.bar 

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

answered 4 hours ago

txn.foo

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 4 hours ago

txn.foo

361

answered 4 hours ago

txn.foo

361

361

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

txn.foo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
  – zerkms
  4 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
  – txn.foo
  4 hours ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
  – zerkms
  4 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
  – txn.foo
  4 hours ago
  
  

  
  
  
  

1

1

I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
– zerkms
4 hours ago

I can confirm it works, but don't you think it's a bug? Isn't acl supposed to be set during request phase and survive til the end of transaction? It works fine with sni, while sni is only available during the tls handshake, long before request, yet it still is possible to match against it
– zerkms
4 hours ago

1

1

no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
– txn.foo
4 hours ago

no it's working as intended. the acl is evaluated on responses because of your use of rspadd/http-response, and on responses, the hdr fetch can't find a host header. I would think sni is a different beast because it does not change with each request or response, headers do.
– txn.foo
4 hours ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f935492%2fhaproxy-does-not-add-headers-conditionally%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email