HAProxy ACL syntax explained

How an ACL is processed

  Extract - extract a data sample from a stream, table or the environment
  Convert - optionally apply some format conversion to the extracted sample
  Match - apply one or multiple pattern matching methods on this sample
  Act - perform actions only when a pattern matches the sample


The action of extracting such data is called fetching a sample.

Samples are then matched against predefined constant data called patterns.


http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
              add-header <name> <fmt> | set-header <name> <fmt> |
              del-header <name> | set-nice <nice> | set-log-level <level> |
              replace-header <name> <match-regex> <replace-fmt> |
              replace-value <name> <match-regex> <replace-fmt> |
              set-tos <tos> | set-mark <mark> |
              add-acl(<file name>) <key fmt> |
              del-acl(<file name>) <key fmt> |
              del-map(<file name>) <key fmt> |
              set-map(<file name>) <key fmt> <value fmt>
             }

             [ { if | unless } <condition> ]


Extract, convert, match == [ { if | unless } <condition> ]

Action == http-request { allow | deny | ... }

ACL syntax

acl <aclname>             <criterion> [flags]                  [operator] [<value>] ...


"Criterion" is a formal term meaning "a standard by which the merit or value of someone or something is judged".

The criterion generally is the name of a sample fetch method.

Sample fetch methods were only used to retrieve data to match against patterns using ACLs.

The sample fetch methods are the only ones supporting a conversion.

The ACL applies to the portion of the request/response specified in <criterion> and may be adjusted with optional flags [flags].

Some criteria also support an operator which may be specified before the set of values.

Optionally some conversion operators may be applied to the sample.

The values are of the type supported by the criterion, and are separated by spaces.

Operators are separated by commas; values are separated by spaces.



Sample fetch methods return data which can be of the following types :
  - boolean
  - integer (signed or unsigned)
  - IPv4 or IPv6 address
  - string
  - data block


The following ACL flags are currently supported :

   -i : ignore case during matching of all subsequent patterns.
   -f : load patterns from a file.
   -m : use a specific pattern matching method
   -n : forbid the DNS resolutions
   -M : load the file pointed by -f like a map file.
   -u : force the unique id of the ACL
   -- : force end of flags. Useful when a string looks like one of the flags.


Forming a condition from ACLs

  - AND (implicit)
  - OR  (explicit with the "or" keyword or the "||" operator)
  - Negation with the exclamation mark ("!")

A condition is formed as a disjunctive form:

   [!]acl1 [!]acl2 ... [!]acln  { or [!]acl1 [!]acl2 ... [!]acln } ...

Examples

   With named ACLs :

        acl site_dead nbsrv(dynamic) lt 2
        acl site_dead nbsrv(static)  lt 2
        monitor fail  if site_dead

   With anonymous ACLs :

        monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
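
The four stages (extract, convert, match, act), the flags and the condition operators described above, combined in one frontend. This is an added example, not part of the original post; the frontend/backend names, host name, paths and addresses are assumed for illustration.

```haproxy
# Constructed example: all names, addresses and paths are illustrative.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :8080

    # Extract: hdr(host)  Convert: lower  Match: -m end (suffix match)
    acl host_admin hdr(host),lower -m end admin.example.test

    # Flags: -i ignores case, -m beg selects prefix matching.
    # Values are separated by spaces; any one of them matching makes the ACL true.
    acl path_admin path -i -m beg /admin /manage

    # Address sample matched against networks. Declaring the same ACL
    # name twice ORs the definitions, as with site_dead above.
    acl src_trusted src 10.0.0.0/8
    acl src_trusted src 192.168.0.0/16

    # Integer sample with an operator placed before the value.
    acl backend_weak nbsrv(be_app) lt 2

    # Action + condition in disjunctive form:
    # implicit AND inside each group, "!" negates, "||" separates groups.
    http-request deny if host_admin !src_trusted || path_admin !src_trusted

    # Anonymous ACL with "unless": reject every method not listed.
    http-request deny unless { method GET HEAD POST }

    # A non-terminating action guarded by a named ACL.
    http-request set-header X-Degraded 1 if backend_weak

    default_backend be_app

backend be_app
    server app1 127.0.0.1:9001 check
    server app2 127.0.0.1:9002 check
```

Rules are evaluated in order, so the deny rules are placed before the header rule; the file can be syntax-checked with `haproxy -c -f <file>`.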
