@bentesha
Last active August 30, 2023 15:04
HA Proxy Cheatsheet
# Common fetches
# Match source IP address
acl is_malicious src 192.168.10.32
acl is_local_net src 192.168.32.0/24 # match IP range
# Match request path
acl is_api path -i -m beg /api # match paths starting with /api
acl is_image path -i -m end .jpg .png .gif # match paths ending with .jpg, .png or .gif extensions
acl is_health path_str -i /health # exact match path /health
acl is_dotfile path_sub /. # match paths containing /.
# Match request param
acl has_param url_param(user_id) -m found
# Match request header
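# "-m end google.com" is a plain suffix match, so it also matches hosts such as notgoogle.com;
# match on .google.com (plus an exact google.com test) to restrict it to that domain and its subdomains
acl is_google_domain req.hdr(host) -i -m end google.com # Domain name ends with google.com; e.g. www.google.com, mail.google.com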
# Check if connection uses ssl
# Reject request if made over a non-ssl connection
http-request deny unless { ssl_fc }
# Redirect to a different address
http-request redirect location https://google.local%[capture.req.uri] if is_google_domain
# Redirect to a different scheme
http-request redirect scheme https if !{ ssl_fc }
# Redirect by adding a prefix to the original URL, e.g. redirect to /v2/{original url}
http-request redirect prefix /v2 unless { path_beg /v2 }
# Use custom HTTP code with HTTP redirects. If not specified, default is 302
# Code 301 through 308 can be used
# Redirect to https with HTTP code 301
http-request redirect scheme https code 301 if !{ ssl_fc }
# Select backend based on map file and request path
use_backend be_%[path,map_beg(/etc/haproxy/backend_map.acl,default)] # or use be_default if no mapping is found
# Change request path
http-request set-path /v2%[path] if !{ path_beg -i /v2 }
# set-query can also be used to change query params
# set-uri can be used to set entire path and query
# Cache response for select requests
acl is_assets path_beg -i /assets # ACL for asset files
# "assets" must be the name of a cache section defined elsewhere in the configuration
http-request cache-use assets if is_assets
http-response cache-store assets if is_assets
# Deny request with custom HTTP code. Default code is 403
http-request deny deny_status 500 if is_malicious
# Drop request based on HTTP protocol
http-request deny if HTTP_1.0
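
The snippets above reference a map file and a cache named "assets" without defining them. The following is an added example, not part of the original gist, that puts several of the rules into one working configuration. The backend names, server addresses (192.0.2.x documentation range), certificate path, cache sizes, map entries and the is_acme exemption are assumptions.

```haproxy
# Constructed map file /etc/haproxy/backend_map.acl, one "prefix value" pair per line:
#   /api     api
#   /assets  static

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# cache-use and cache-store refer to a cache section by name
cache assets
    total-max-size 64        # megabytes
    max-object-size 1048576  # bytes
    max-age 300              # seconds

frontend fe_main
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem  # assumed certificate path

    acl is_dotfile path_sub /.
    acl is_acme path_beg /.well-known/acme-challenge/  # assumed exemption for certificate renewal
    acl is_assets path_beg -i /assets

    # http-request rules run top to bottom; redirect and deny end processing
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request deny if is_dotfile !is_acme
    http-request cache-use assets if is_assets
    http-response cache-store assets if is_assets

    # /api/... -> be_api, /assets/... -> be_static, anything else -> be_default
    use_backend be_%[path,map_beg(/etc/haproxy/backend_map.acl,default)]

backend be_api
    server api1 192.0.2.10:8080 check

backend be_static
    server static1 192.0.2.20:8080 check

backend be_default
    server web1 192.0.2.30:8080 check
```

Running `haproxy -c -f <file>` validates the configuration without starting the proxy.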