Define the allowed HTTP methods on an HAProxy load balancer using simple Access Control Lists.
HAProxy version.
$ haproxy -v
HA-Proxy version 1.7.5-2 2017/05/17
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>
Default HAProxy configuration.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
Create an ACL rule inside the frontend section to define the allowed HTTP methods, and deny every request that does not match it.
acl valid_http_method method GET HEAD OPTIONS
http-request deny if ! valid_http_method
Sample frontend and backend using the ACL rule defined above.
frontend web
    bind :80
    #bind :443 ssl crt /etc/ssl/cert/

    option httplog
    log /dev/log local0 debug

    option forwardfor except 127.0.0.1
    option forwardfor header X-Real-IP

    acl valid_http_method method GET HEAD OPTIONS
    http-request deny if ! valid_http_method

    #redirect scheme https code 301 if !{ ssl_fc }

    acl is-draw hdr_dom(host) -i draw.example.org
    use_backend web-draw-production if is-draw

backend web-draw-production
    mode http
    server draw 10.0.10.15:80
The deny action stops the evaluation of the rules, immediately rejects the request and returns an HTTP 403 error code. You can use silent-drop instead to silently drop the connection on HAProxy: the client is not notified, so stateful devices placed between the client and the HAProxy load balancer will also keep this connection established.
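As an added example (not code from the original post or from the HAProxy project), the Python script below audits an HAProxy configuration for exactly the pattern described above: every frontend should define a method allow-list ACL, enforce it with deny, tarpit or silent-drop, and not admit TRACE or CONNECT. The embedded configuration is a constructed sample that places the page's frontend next to a weaker one.

```python
import re

# http-request actions that stop a request whose condition matches.
BLOCKING_ACTIONS = {"deny", "tarpit", "silent-drop"}
RISKY_METHODS = {"TRACE", "CONNECT"}

def audit_frontends(config_text):
    """Map each frontend header to its findings; an empty list means OK."""
    frontends = {}  # header -> {"acls": {name: methods}, "enforced": set()}
    state = None
    for raw in config_text.splitlines():
        w = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not w:
            continue
        if w[0] in ("global", "defaults", "frontend", "backend", "listen"):
            state = None
            if w[0] in ("frontend", "listen"):
                state = frontends.setdefault(" ".join(w), {"acls": {}, "enforced": set()})
        elif state is None:
            continue
        elif w[0] == "acl" and len(w) > 3 and w[2] == "method":
            state["acls"][w[1]] = {m.upper() for m in w[3:]}
        elif w[0] == "http-request" and len(w) > 1 and w[1] in BLOCKING_ACTIONS:
            # Both "if ! name" and "if !name" are accepted by HAProxy.
            state["enforced"].update(re.findall(r"!\s*([\w.-]+)", " ".join(w[2:])))
    report = {}
    for header, st in frontends.items():
        findings = []
        if not st["acls"]:
            findings.append("no method allow-list ACL defined")
        for name, methods in st["acls"].items():
            if name not in st["enforced"]:
                findings.append(f"ACL {name} is never enforced by deny/tarpit/silent-drop")
            for m in sorted(methods & RISKY_METHODS):
                findings.append(f"ACL {name} admits {m}")
        report[header] = findings
    return report

# Constructed sample: the page's frontend next to a weaker one (no deny rule, TRACE allowed).
SAMPLE = """\
frontend web
    bind :80
    acl valid_http_method method GET HEAD OPTIONS
    http-request deny if ! valid_http_method
frontend admin
    acl ok method GET POST TRACE
backend app
    server app1 10.0.10.15:80
"""
```

Run it on a real haproxy.cfg with `print(audit_frontends(open("/etc/haproxy/haproxy.cfg").read()))`; a frontend with an empty findings list is correctly locked down.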
You can also use the predefined ACLs to match specific HTTP methods.
ACL name          Equivalent to                 Usage
---------------+-----------------------------+---------------------------------
METH_CONNECT      method CONNECT                match HTTP CONNECT method
METH_GET          method GET HEAD               match HTTP GET or HEAD method
METH_HEAD         method HEAD                   match HTTP HEAD method
METH_OPTIONS      method OPTIONS                match HTTP OPTIONS method
METH_POST         method POST                   match HTTP POST method
METH_TRACE        method TRACE                  match HTTP TRACE method
---------------+-----------------------------+---------------------------------
Read the current documentation to get the whole list of predefined ACLs.