Ping a Specific Port

Question

Josh Smeaton

Asked: 2013-04-06 05:07:55 +0800 CST2013-04-06 05:07:55 +0800 CST 2013-04-06 05:07:55 +0800 CST

Serve 404 from HAProxy when no acls match

772

I'm currently re-configuring HAProxy using 1.5dev-17. What I'd like to do is return a 404 error when there is no backend to use for a particular request.

Our current configuration uses the default_backend to route to our django app servers, but when there are a whole lot of probing requests (like a pen-test) that match none of the other configured backends, our django servers grind to a halt as they try to serve these invalid requests, eventually returning a 404.

I'd like to serve the 404 from HAProxy rather than delegating to the django backends. I'm currently achieving this with a hack:

frontend www
    ...
    default_backend nomatch

backend nomatch
    errorfile 503 /var/www/http/404.http

And within the 404.http file I set the 404 status code in the headers. This works, but feels very wrong. Is there a better way of achieving this with HAProxy? Or should I use a regular backend and just let that handle responding with a 404?

3 Answers

Voted

rbjorklin · Answer 1 · 2017-11-30T04:49:03+08:00

rbjorklin

2017-11-30T04:49:03+08:002017-11-30T04:49:03+08:00

If you would be okay with any of the following response codes: 200, 400, 403, 405, 408, 429, 500, 502, 503, or 504.

Then you could do something like this:

frontend www
  ...
  default_backend no-match

backend no-match
  mode http
  http-request deny deny_status 400

http-request: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-http-request
Accepted response codes described in errorfile: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#errorfile

13

Philip Cristiano · Answer 2 · 2013-04-22T09:05:14+08:00

Philip Cristiano

2013-04-22T09:05:14+08:002013-04-22T09:05:14+08:00

After wanting something similar this is the same thing I came up with. It felt wrong but it works very well in practice and is much cleaner than trying to blacklist particular urls. Just be sure to leave a comment so no one comes across it thinking it's incorrect.

2

cyqsimon · Answer 3 · 2021-04-26T23:21:33+08:00

cyqsimon

2021-04-26T23:21:33+08:002021-04-26T23:21:33+08:00

This is not what the OP asked for, but in case you the reader stumbled across here while using TCP mode (like I did), the corresponding directive you want to use is tcp-request content. So you would have:

frontend my-tcp
  ...
  default_backend no-match

backend no-match
  tcp-request content reject

Of course in TCP mode there's no HTTP response code. You can also use silent-drop instead of reject if you so wish.

Note that you CANNOT use tcp-request connection because it cannot be used in a backend section. If you try to put it in a frontend section instead, haproxy will warn you:

a 'tcp-request' rule placed after a 'use_backend' rule will still be processed before

... which means it's overriding all your use_backend and default_backend directives.

While you technically CAN use tcp-response content, there's no good reason to do so in this use case (as compared to using tcp-request content.

0

Serve 404 from HAProxy when no acls match

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?