Hello, I have a restricted_access acl applying based on a path_beg check for specific sub-pages of websites.
This works fine for web browser requests and correctly returns a 403 error, however when using an encoded url, the check is bypassed and a 200 response is received.
HAProxy is v2.2.8
I have come across the implementation of url_dec and this does not seem to work either.
Current syntax:
acl restricted_path path_beg /testpath
http-request deny if restricted_path
I have tried:
acl restricted_path path_beg,url_dec -i /testpath
- this resulted in no pages being blocked and allowed all, both standard and encoded urls
acl restricted_path path_beg url_dec -i /testpath
- changing to space-delimited meant that standard urls were blocked again but encoded urls still pass
acl restricted_path path_beg url_dec /testpath
- no change
acl restricted_path path_beg url_dec -m /testpath
- no change
acl restricted_path path url_dec -i beg /testpath
- no change
The documentation on url_dec is very light in the manual - does anyone have a working example that would successfully block (return 403) requests as follows?
testing examples:
- curl -k "https://www.example.com/testpath/index.php"
- curl -k "https://www.example.com/testpath/index.php"
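An added example, not part of the original post and not taken from the HAProxy project: the rule from the question next to a form that applies the `url_dec` converter to the `path` sample fetch before prefix matching. The frontend and backend names, bind line, certificate path and server address are placeholders assumed for illustration.

```haproxy
# Added illustration. Names, bind line, certificate path and server
# address are placeholders, not values from the original post.
frontend fe_web
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder path

    # Rule from the question: path_beg compares the raw request path, so a
    # percent-encoded spelling of the prefix does not match the literal
    # string "/testpath" and the request is let through.
    # acl restricted_path path_beg /testpath

    # Decode first, then match:
    #   path     sample fetch returning the request path
    #   url_dec  converter that percent-decodes the fetched value
    #   -m beg   selects prefix matching explicitly
    #   -i       makes the comparison case-insensitive
    acl restricted_path path,url_dec -m beg -i /testpath

    # "http-request deny" answers with a 403 by default.
    http-request deny if restricted_path

    default_backend be_web

backend be_web
    mode http
    server app1 192.0.2.10:80   # placeholder address (TEST-NET-1)
```

`url_dec` decodes a single layer of percent-encoding, so confirm how the application behind the proxy normalizes paths and make sure the ACL matches on that same form.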