I have an HAProxy config that is currently in development, and I am using the following code to find out whether the requesting user will accept a cookie or not, as the script at the end destination requires cookies for security.

    frontend connection_Handler
        # This proxy requires the acceptance of cookies to work
        acl cookie_set hdr_sub(cookie) YuL7oo2UG3O3=zdQ66fM0lpRd
        redirect prefix / set-cookie YuL7oo2UG3O3=zdQ66fM0lpRd unless cookie_set
        use_backend Cookie_Block unless cookie_set

This is the config I am using to set the cookie, which works great if the user will adopt the cookie correctly. However, if the end user does not accept the cookie, it generates an infinite redirect loop. The Cookie_Block backend is as follows:

    backend Cookie_Block
        # For this block we will hold the connection for 5 seconds then reject
        # The error will display the reason as to why the connection has been denied
        mode http
        timeout tarpit 5s
        errorfile 403 /errors/NoCookie.txt
        reqitarpit .

The desired effect that I am aiming for is that if the user will not accept the cookie, they are tarpitted and have the error returned to them. I was sure the above code would attempt to set the cookie and then tarpit them if the cookie failed to set. But this does not seem to be the case. Is there something I am doing wrong, or is there an alternative method of doing this without taking the user to a page to set the cookie?
Thanks very much, Chris.
When you redirect in the frontend section, your client is sent again to the site and the frontend section is rechecked, so it never hits the backend.
I would do this check on the application side, avoiding application specific checks in haproxy for portability.
You may use this ACL to check for an existing cookie:
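
As an added illustration, not part of the original question or answer: a small Python model of the redirect loop described above, run against a client that accepts cookies and one that does not. It models only the rule order from the question, not HAProxy itself; the `cookie_check=1` query marker and the `frontend_one_shot` variant are assumptions introduced here to show one way the loop can be made to terminate in `Cookie_Block`.

```python
# Added example: a model of the frontend rules, not HAProxy code.
COOKIE = "YuL7oo2UG3O3=zdQ66fM0lpRd"   # cookie name=value taken from the question
MARKER = "cookie_check=1"              # hypothetical query marker (assumption)

def frontend_original(path, cookie_header):
    """The question's rules: redirect with Set-Cookie unless the cookie is present."""
    if COOKIE in cookie_header:        # acl cookie_set hdr_sub(cookie) ...
        return ("backend", None, None)
    # The redirect answers the request, so 'use_backend Cookie_Block' is never
    # reached; the client simply comes back to the same frontend rules.
    return ("redirect", path, COOKIE)

def frontend_one_shot(path, cookie_header):
    """Variant (assumption): tag the redirect so a second cookieless hit is blocked."""
    if COOKIE in cookie_header:
        return ("backend", None, None)
    if MARKER in path:                 # returned from our redirect without the cookie
        return ("Cookie_Block", None, None)
    sep = "&" if "?" in path else "?"
    return ("redirect", path + sep + MARKER, COOKIE)

def browse(frontend, accepts_cookies, path="/", max_redirects=20):
    """Follow redirects like a browser; return (final outcome, redirects followed)."""
    jar = ""                           # value sent back in the Cookie header
    for hops in range(max_redirects + 1):
        action, location, set_cookie = frontend(path, jar)
        if action != "redirect":
            return action, hops
        if accepts_cookies and set_cookie:
            jar = set_cookie
        path = location
    return "redirect loop", max_redirects

if __name__ == "__main__":
    for name, fe in (("original", frontend_original), ("one-shot", frontend_one_shot)):
        for accepts in (True, False):
            print(name, "accepts_cookies=%s" % accepts, browse(fe, accepts))
```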