In this article, we will learn how to remove Access Control Lists (ACLs for short) by using maps to select a backend based on a request parameter. The advantage of maps over ACLs is that it is sometimes easier to update a mapping than an ACL.
Before starting, we must first understand what ACLs are.
HAProxy® supports ACLs. These can be used to test conditions and perform a given action. We can define a test condition with the ‘acl’ keyword.
    acl <aclname> <criterion> [flags] [operator] [<value>] ...

    acl blog_page path_beg /blog
In this case, the ACL is matched if the user’s request path begins with ‘/blog’.
Similarly, we have different ways to write an ACL. For example:
    # matches /blog/<id>, where <id> is a single path segment
    acl blog_detail_page path_reg ^\/blog\/[^\/]+$
>> Usage of HAProxy ACLs:
This is a simple configuration example. We will show you how we can select a backend using ACLs.
    # These lines belong in a frontend (or listen) section.
    # Look at the request path and check whether it matches
    # `/api/v1/service1` | `/api/v1/service2` | `/api/v1/service3`;
    # each acl evaluates to true or false.
    # `path` does an exact string match, so no operator is needed.
    acl acl_service1 path -i /api/v1/service1
    acl acl_service2 path -i /api/v1/service2
    acl acl_service3 path -i /api/v1/service3

    # Make use of the backend `backend_service1` if the acl `acl_service1`
    # evaluates to `true`.
    use_backend backend_service1 if acl_service1
    use_backend backend_service2 if acl_service2
    use_backend backend_service3 if acl_service3

    # A static backend that will simply serve some files from a 127.0.0.1 server
    backend backend_service1
        server worker_service1 127.0.0.1:3300

    backend backend_service2
        server worker_service2 127.0.0.1:3100

    backend backend_service3
        server worker_service3 127.0.0.1:3200

With this configuration in place, we can start HAProxy.
Looking at what’s going on, we can see that this job is very well suited for a map lookup.
What are Maps?
A map is a simple line-by-line key-value pair file. Each key is separated from its value using a space, and the file extension should be ‘.map’.
>> Example of HAProxy Maps:
Before showing the map example, we need at least one map file; the one used in our example is shown below.
Whenever you restart HAProxy, it looks at this file and then puts that mapping into memory such that it can very quickly perform lookups.
This is the map file that we are using in use_backend.
    ^\/api\/v1\/service1$ backend_service1
    ^\/api\/v1\/service2$ backend_service2
    ^\/api\/v1\/service3$ backend_service3
In this example, we will replace the HAProxy ACLs with a HAProxy map.
    use_backend %[path,map_reg(/etc/haproxy/maps/services.map)]

    backend backend_service1
        server worker_service1 127.0.0.1:3300

    backend backend_service2
        server worker_service2 127.0.0.1:3100

    backend backend_service3
        server worker_service3 127.0.0.1:3200
As we can see, using the map lets us simplify our configuration.
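A pre-deployment check for the map file above, written in Python as an added example (not code from the original article or from HAProxy): it verifies that every map value names a defined backend, flags patterns without `^...$` anchors, and models the `map_reg` lookup. The function names are hypothetical and the inputs are constructed copies of the article's files. The model assumes Python's `re` behaves like HAProxy's regex engine for these patterns and that the first matching line wins.

```python
import re

# Constructed inputs mirroring the article's map file and backend sections.
SERVICES_MAP = r"""
^\/api\/v1\/service1$ backend_service1
^\/api\/v1\/service2$ backend_service2
^\/api\/v1\/service3$ backend_service3
"""
HAPROXY_CFG = """
backend backend_service1
    server worker_service1 127.0.0.1:3300
backend backend_service2
    server worker_service2 127.0.0.1:3100
backend backend_service3
    server worker_service3 127.0.0.1:3200
"""

def parse_map(text):
    """Return [(compiled_regex, backend)] in file order, skipping blanks and # lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            entries.append((re.compile(key), value.strip()))
    return entries

def defined_backends(cfg):
    """Names declared by 'backend <name>' lines in the configuration text."""
    return set(re.findall(r"^[ \t]*backend[ \t]+(\S+)", cfg, re.MULTILINE))

def lint(entries, backends):
    """Flag map values naming no defined backend and patterns lacking ^...$ anchors."""
    problems = []
    for rx, backend in entries:
        if backend not in backends:
            problems.append(f"{rx.pattern}: unknown backend {backend}")
        if not (rx.pattern.startswith("^") and rx.pattern.endswith("$")):
            problems.append(f"{rx.pattern}: unanchored pattern")
    return problems

def lookup(entries, path):
    """Model of map_reg (assumption: first match in file order wins); None if no match."""
    for rx, backend in entries:
        if rx.search(path):
            return backend
    return None
```

In this model a path with no matching entry returns `None`, so decide what should happen to such requests (for example, a `default_backend`) before dropping the ACLs. The model also matches case-sensitively, so `/API/v1/service1` finds no entry, unlike the `-i` ACLs shown earlier.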
Here I have shown you one of the use cases of HAProxy maps. It is a very common one wherever the name of the backend is needed. Using HAProxy maps, we are able to simplify the usage of ACLs in our configuration.
Thank you for reading!
HAProxy® is a registered trademark in the United States and France, owned by HAProxy Technologies LLC and its affiliated entities. DLT Labs is a trademark of DLT Global, Inc.
Author — Satish Kumar Yadav, DLT Labs™
About the Author: Satish is a young professional currently working as a NodeJs developer in the DL Data Consent product team. He likes to play cricket in his leisure time.
Disclaimer: This article was originally published on the DLT Labs Blog page: https://www.dltlabs.com/blog/how-to-remove-haproxy-acls-using-maps-875350