- In order to match a boolean, no value is needed and all values are ignored.
- Boolean matching is used by default for all fetch methods of type "boolean".
- When boolean matching is used, the fetched value is returned as-is, which means
- that a boolean "true" will always match and a boolean "false" will never match.
- Boolean matching may also be enforced using "-m bool" on fetch methods which
- return an integer value. Then, integer value 0 is converted to the boolean
- "false" and all other values are converted to "true".
7.1.2. Matching integers
- Integer matching applies by default to integer fetch methods. It can also be
- enforced on boolean fetches using "-m int". In this case, "false" is converted
- to the integer 0, and "true" is converted to the integer 1.
- Integer matching also supports integer ranges and operators. Note that integer
- matching only applies to positive values. A range is a value expressed with a
- lower and an upper bound separated with a colon, both of which may be omitted.
- For instance, "1024:65535" is a valid range to represent a range of
- unprivileged ports, and "1024:" would also work. "0:1023" is a valid
- representation of privileged ports, and ":1023" would also work.
- As a special case, some ACL functions support decimal numbers which are in fact
- two integers separated by a dot. This is used with some version checks for
- instance. All integer properties apply to those decimal numbers, including
- ranges and operators.
- For an easier usage, comparison operators are also supported. Note that using
- operators with ranges does not make much sense and is strongly discouraged.
- of values.
- Available operators for integer matching are :
- eq : true if the tested value equals at least one value
- ge : true if the tested value is greater than or equal to at least one value
- gt : true if the tested value is greater than at least one value
- le : true if the tested value is less than or equal to at least one value
- lt : true if the tested value is less than at least one value
- For instance, the following ACL matches any negative Content-Length header :
- acl negative-length hdr_val(content-length) lt 0
- This one matches SSL versions between 3.0 and 3.1 (inclusive) :
- acl sslv3 req_ssl_ver 3:3.1
7.1.4. Matching regular expressions (regexes)
- Just like with string matching, regex matching applies to verbatim strings as
- they are passed, with the exception of the backslash ("\") which makes it
- possible to escape some characters such as the space. If the "-i" flag is
- passed before the first regex, then the matching will be performed ignoring
- the case. In order to match the string "-i", either set it second, or pass
- the "--" flag before the first string. Same principle applies of course to
- match the string "--".
Example :
7.1.6. Matching IPv4 and IPv6 addresses
- IPv4 addresses values can be specified either as plain addresses or with a
- netmask appended, in which case the IPv4 address matches whenever it is
- within the network. Plain addresses may also be replaced with a resolvable
- host name, but this practice is generally discouraged as it makes it more
- difficult to read and debug configurations. If hostnames are used, you should
- does not depend on any random DNS match at the moment the configuration is
- parsed.
- The dotted IPv4 address notation is supported in both regular as well as the
- abbreviated form with all-0-octets omitted:
- +------------------+------------------+------------------+
- | Example 1 | Example 2 | Example 3 |
- +------------------+------------------+------------------+
- | 192.168.0.1 | 10.0.0.12 | 127.0.0.1 |
- | 192.168.1 | 10.12 | 127.1 |
- | 192.168.0.1/22 | 10.0.0.12/8 | 127.0.0.1/8 |
- | 192.168.1/22 | 10.12/8 | 127.1/8 |
- +------------------+------------------+------------------+
- Notice that this is different from RFC 4632 CIDR address notation in which
- 192.168.42/24 would be equivalent to 192.168.42.0/24.
- IPv6 may be entered in their usual form, with or without a netmask appended.
- Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
- trouble with randomly resolved IP addresses, host names are never allowed in
- IPv6 patterns.
- HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
- following situations :
- - tested address is IPv4, pattern address is IPv4, the match applies
- in IPv4 using the supplied mask if any.
- - tested address is IPv6, pattern address is IPv6, the match applies
- in IPv6 using the supplied mask if any.
- - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
- using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
- ::IPV4 or ::ffff:IPV4, otherwise it fails.
- - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
- applied in IPv6 using the supplied IPv6 mask.