Define allowed HTTP methods on HAProxy load balancer using simple Access Control Lists.

HAProxy version.

$ haproxy -v
HA-Proxy version 1.7.5-2 2017/05/17
Copyright 2000-2017 Willy Tarreau <>

Default HAProxy configuration.

	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	# An alternative list with additional directives can be obtained from
	ssl-default-bind-options no-sslv3

	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

Create ACL rule inside frontend section to define allowed HTTP methods.

acl valid_http_method method GET HEAD OPTIONS
http-request deny if ! valid_http_method

Sample frontend and backend using the specified ACL rule.

frontend web
  bind :80
  #bind :443 ssl crt /etc/ssl/cert/

  option httplog
  log /dev/log local0 debug

  option forwardfor except
  option forwardfor header X-Real-IP

  acl valid_http_method method GET HEAD OPTIONS
  http-request deny if ! valid_http_method

  #redirect scheme https code 301 if !{ ssl_fc }

  acl is-draw hdr_dom(host) -i
  use_backend web-draw-production if is-draw

backend web-draw-production
  mode http
  server draw

deny action will stop the evaluation of the rules, immediately reject the request and return HTTP 403 error code. You can use silent-drop to try silently drop connection on the HAProxy, it won’t notify client, so stateful devices placed between the client and HAProxy load balancer will also keep this connection established.

You can also use predefined ACLs match specific HTTP methods.

ACL name          Equivalent to                Usage
METH_CONNECT     method  CONNECT               match HTTP CONNECT method
METH_GET         method  GET HEAD              match HTTP GET or HEAD method
METH_HEAD        method  HEAD                  match HTTP HEAD method
METH_OPTIONS     method  OPTIONS               match HTTP OPTIONS method
METH_POST        method  POST                  match HTTP POST method
METH_TRACE       method  TRACE                 match HTTP TRACE method

Read current documentation to get the whole list of predefined ACLs.