haproxy: Is there a way to group acls for greater efficiency?

access-control-list haproxy
8,704

Are you running into performance problems with your current application?

If you definitely need to improve performance at the HAProxy level, then I would suggest simply using a separate HAProxy instance for each subdomain. For example, create a new HAProxy server, and point a.domain.com directly to the new server. You can also continue pointing all DNS entries to the main HAProxy server, and have the first HAProxy layer only handle subdomain matching.

Of course, if you don't really have performance problems, then maybe it's better to leave well enough alone.

Share:
8,704
kbrk
Author by

kbrk

Updated on September 17, 2022

Comments

  • kbrk
    kbrk almost 2 years

    I have some logic in a frontend that routes to different backends based on both the host and the url. Logically it looks like this:

    if hdr(host) ends with 'a.domain.com':
    if url starts with '/dir1/':
        use backend domain.com/dir1/
    elif url starts with '/dir2/':
        use backend domain.com/dir2/
    # ... else if ladder repeats on different dirs
elif hdr(host) ends with 'b.domain.com':
    # another else if ladder exactly the same as above
    # ...
# ... else if ladder repeats like this on different domains

    Is there a way to group acls to avoid having to repeatedly check the domain acl?

    Obviously there needs to be a use backend statement for each possibility, but I don't want to have to check the domain over and over because it's very inefficient.

    In other words, I want to avoid this:

    use backend domain.com/url1/ if acl-domain.com and acl-url1
use backend domain.com/url2/ if acl-domain.com and acl-url2
use backend domain.com/url3/ if acl-domain.com and acl-url3
# tons more possibilities below

    because it has to keep checking acl-domain.com.

    This is particularly an issue because I have specific rules for subdomains such as a.domain.com and b.domain.com, but I want to fall back on the most common case of *.domain.com. That means every single rule that uses a specific subdomain must be checked prior to *.domain.com which makes it even more inefficient for the common case.

    • tmslnz
      tmslnz over 13 years
      You might want to check section 7.7 of the HAProxy manual: Using ACLs to form conditions. Also, if it hurts you eyes like it did with mine, I am maintaining a more readable version at github.com/tmslnz/HAProxy_Markdown
    • ghoti
      ghoti over 9 years
      For reference, this appears to have moved to section 7.2 of the documentation for HAProxy version 1.5.9.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Haproxy ACL rule for a particular domain
Haproxy ACL for balance on URL request
Block specific URL in HAProxy / url-encoding
haproxy acl - accept only from specific IPs
Haproxy: reject traffic by user agent from file
Proxying TCP by hostname
HAProxy ACL multiple OR conditions
How do I match a wildcard host in ACL lists in HAproxy?
HAProxy seems to be load balancing instead of following ACL rules
Haproxy tuning for performance?