Channel: Serverphorums.com - HAProxy

Config order -- when will it matter? (1 reply)

I'm working on some changes to a frontend, one of which is moving the
port 80 bind into the same frontend as port 443.

Which of the many directives that I'm using will be evaluated in order,
and which of them will take effect first no matter where they are?

Specific questions:

Will the "blockit" ACL in the config below kill a matching connection on
port 80 before the redirect to HTTPS happens, or is "redirect scheme"
handled out of order with the rest of what I've got configured?

Are the "use_backend X if" statements evaluated in order? What I'm
trying to do would require this.

Any insight is appreciated.

Thanks,
Shawn


-----------------------------------

frontend fe-spark
    description Front end that accepts production spark requests.
    bind 70.102.230.78:80
    bind 70.102.230.78:443 ssl crt /etc/ssl/certs/local/spark.REDACTED.com.pem crt /etc/ssl/certs/local/wildcard.REDACTED.com.pem crt /etc/ssl/certs/local/spark.OTHERDOMAIN.com.pem crt /etc/ssl/certs/local/wildcard.stg_dev0-9.REDACTED.com.pem crt /etc/ssl/certs/local/ssl-spark.dev.REDACTED.com.pem crt /etc/ssl/certs/local/spark.white.REDACTED.com.pem no-sslv3 alpn http/1.1 npn http/1.1
    acl host_stg hdr_beg(host) -i spark.stg.REDACTED.com
    acl host_dev hdr_beg(host) -i spark.dev.REDACTED.com
    acl host_dev0 hdr_beg(host) -i spark.dev0.REDACTED.com
    acl host_white hdr_beg(host) -i spark.white.REDACTED.com
    acl mwsi_path path_beg /services
    acl bot hdr_cnt(User-Agent) 0
    acl bot hdr_sub(User-Agent) -i baiduspider ia_archiver jeeves googlebot mediapartners-google msnbot slurp zyborg yandexnews fairshare.cc yandex bingbot crawler everyonesocialbot feed\ crawler google-http-java-client java/1.6.0_38 owlin\ bot sc\ news wikioimagesbot xenu\ link\ sleuth yahoocachesystem
    acl facebook hdr_sub(User-Agent) -i facebookexternalhit
    acl socialbot hdr_sub(User-Agent) -i twitterbot
    acl socialbot hdr_sub(User-Agent) -i feedfetcher-google
    acl blockit hdr_sub(User-Agent) -i torrent
    acl blockit path_beg -i /announc
    acl blockit path_beg -i /v2.0
    acl blockit path_beg -i /v2.1
    acl blockit path_beg -i /v2.2
    acl blockit path_beg -i /fr
    acl blockit path_beg -i /tr
    acl blockit path_beg -i /connect
    acl blockit path_beg -i /feeds
    acl blockit path_beg -i /desktop
    acl blockit path_beg -i /ios
    acl blockit path_beg -i /ipad
    acl blockit path_beg -i /magento
    acl blockit path_beg -i /method
    acl blockit path_beg -i /news
    acl blockit path_beg -i /cipgl
    acl blockit path_beg -i /stats
    acl blockit path_beg -i /mobile
    acl blockit path_beg -i /network_ads
    acl blockit path_reg ^/\d+
    http-request deny if blockit
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i OTHERDOMAIN.com }
    redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i www.OTHERDOMAIN.com }
    use_backend be-mwsi-stg-8444 if mwsi_path { ssl_fc_sni -i spark.stg.REDACTED.com }
    use_backend be-mwsi-stg-8444 if mwsi_path host_stg
    use_backend be-mwsi-8444 if mwsi_path
    use_backend be-stg-spark-443 if { ssl_fc_sni -i spark.stg.REDACTED.com }
    use_backend be-spark-dev-2443 if { ssl_fc_sni -i spark.dev.REDACTED.com }
    use_backend be-spark-dev0-443 if { ssl_fc_sni -i spark.dev0.REDACTED.com }
    use_backend be-spark-white-443 if { ssl_fc_sni -i spark.white.REDACTED.com }
    use_backend be-stg-spark-443 if host_stg
    use_backend be-spark-dev-2443 if host_dev
    use_backend be-spark-dev0-443 if host_dev0
    use_backend be-spark-white-443 if host_white
    default_backend be-spark-443
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if { ssl_fc }
