Block specific URL in HAProxy / url-encoding
17,999
As it happens, HAProxy has a converter to decode the field, making sure that your ACL will always match a given string.
url_dec
Takes an url-encoded string provided as input and returns the decoded version as output. The input and the output are of type string.
You'd use it like this.
frontend example
acl restricted_page path_beg,url_dec -i /admin.php
http-request deny if restricted_page
Related videos on Youtube
15 : 31
What is URL Encoding? - URL Encode/Decode Explained - Web Development Tutorial
06 : 02
The Essentials of an HAProxy Configuration File
00 : 45
URL Encoding - Web Development
01 : 38
DevOps & SysAdmins: Block specific URL in HAProxy / url-encoding
02 : 34
HAProxy configuration for blocking IPs for sub URLs
03 : 56
XSS double url encoded filter evasion
Author by
Admin
Updated on September 18, 2022Comments
-
Admin over 1 year
I'm trying to restrict access to a specific URL. It should not allowed to access /admin.php.
frontend example acl restricted_page path_beg -i /admin\.php http-request deny if restricted_pageThis works fine, HAProxy is blocking access to this URL. But when I enter http://example.org/ad%6Din.php (%6D = hexcode for "m"), HAProxy is not restricting access.
What is the best way to do this?
- Is there a option in HAProxy or do I need to specify a regluar expression matching "admin.php" as plaintext and/or url-encoded?
- Are there any other ways to bypass the restriction?
Thanks!
-
Chupaka about 2 yearsFor me, only this syntax worked (HAProxy Version: 1.8.8):acl restricted_page path,url_dec -m beg -i /admin.php