How to Use Wildcard Host Matching in HAProxy ACL Configuration


When configuring HAProxy's ACL (Access Control List) for host validation, many administrators need to match all subdomains under a parent domain. While basic exact matches work well for explicit domains, wildcard patterns require special handling.

Common attempts that fail include:

acl valid_domains hdr(Host) -i *.mysite.com
acl valid_domains hdr(Host) -i [a-z]+.mysite.com

HAProxy's plain hdr() matcher performs an exact string comparison, so glob characters such as * and regex syntax in the pattern are taken literally rather than interpreted as wildcards, unlike in some other systems.

Here are three effective approaches:

1. Using the reg() Match Method

# the label group is repeated with * (not ?) so that multi-level subdomains also match
acl valid_domains hdr_reg(Host) -i ^([a-z0-9-]+\.)*mysite\.com$
redirect location http://mysite.com/invalid_domain if !valid_domains

This regex matches:

  • mysite.com (no subdomain)
  • any-subdomain.mysite.com
  • multi-level.subdomain.mysite.com

2. Multiple ACLs with Shared Suffix

acl valid_domains hdr_end(Host) -i .mysite.com
acl exact_match hdr(Host) -i mysite.com
redirect location http://mysite.com/invalid_domain if !valid_domains !exact_match

The hdr_end() checks the suffix while the exact match catches the root domain.

3. Combining Patterns with OR Logic

acl root_domain hdr(Host) -i mysite.com
acl subdomains hdr_dom(Host) -i mysite.com
use_backend example_backend if root_domain || subdomains

Note that hdr_dom() matches any dot-delimited occurrence of the pattern, so it accepts mysite.com and sub.mysite.com but also mysite.com.fake; combine it with an anchored check when that matters.

A few things to keep in mind when writing these rules:

  • Always escape dots (\.) in regex patterns
  • Consider adding ^ and $ anchors to prevent partial matches
  • Test with edge cases like:
    • fake-mysite.com
    • mysite.com.fake
    • sub.mysite.com
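
To run those edge cases without a live HAProxy, here is an added Python model of the exact, suffix, domain and regex matchers used by the three approaches above; it is example code written for this page, not HAProxy's implementation, and the dom matcher follows the documented "dot-delimited portion" rule rather than HAProxy's source. The host list is constructed for the example.

```python
import re

# Host header values to probe, constructed for this example
HOSTS = ["mysite.com", "MYSITE.COM", "sub.mysite.com", "a.b.mysite.com",
         "fake-mysite.com", "mysite.com.fake"]

def hdr_exact(host, pattern):
    """hdr(Host) -i pattern: whole-string, case-insensitive comparison."""
    return host.lower() == pattern.lower()

def hdr_end(host, suffix):
    """hdr_end(Host) -i suffix: case-insensitive suffix match."""
    return host.lower().endswith(suffix.lower())

def hdr_dom(host, pattern):
    """hdr_dom(Host) -i pattern: the pattern must equal a dot-delimited run
    of labels (a model of the documented rule, not HAProxy's own code)."""
    labels = host.lower().split(".")
    want = pattern.lower().split(".")
    n = len(want)
    return any(labels[i:i + n] == want for i in range(len(labels) - n + 1))

def hdr_reg(host, pattern):
    """hdr_reg(Host) -i pattern: case-insensitive regex match."""
    return re.search(pattern, host, re.IGNORECASE) is not None

# The three approaches from the text, each as a predicate over the Host value.
APPROACHES = {
    "1 regex":         lambda h: hdr_reg(h, r"^([a-z0-9-]+\.)*mysite\.com$"),
    "2 hdr_end+exact": lambda h: hdr_end(h, ".mysite.com") or hdr_exact(h, "mysite.com"),
    "3 hdr_dom":       lambda h: hdr_dom(h, "mysite.com"),
}

def evaluate():
    """Return {approach: {host: accepted}} for every host in HOSTS."""
    return {name: {h: fn(h) for h in HOSTS} for name, fn in APPROACHES.items()}

def lookalikes_accepted():
    """Approaches that accept a lookalike host (fake-mysite.com or mysite.com.fake)."""
    bad = ("fake-mysite.com", "mysite.com.fake")
    return sorted(name for name, fn in APPROACHES.items() if any(fn(h) for h in bad))

if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for host, ok in results.items():
            print(f"  {'accept' if ok else 'reject':6}  {host}")
```

Only the hdr_dom approach accepts mysite.com.fake; the anchored regex and the suffix-plus-exact pair reject both lookalikes.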

While regex matching (hdr_reg) is the most flexible solution, it's slightly more CPU-intensive than exact matching. For high-traffic systems:

# More performant alternative for known subdomains
acl valid_domains hdr(Host) -i mysite.com images.mysite.com store.mysite.com api.mysite.com

HAProxy's ACL system doesn't natively support traditional wildcard patterns like *.domain.com or regular expressions in the way you might expect from other systems. Here's a more technical approach to solve this common configuration challenge.

For subdomain matching, you need to use regex matching with the -m reg flag:

acl valid_domains hdr(host) -m reg -i ^([a-z0-9-]+\.)?mysite\.com$
redirect location http://mysite.com/invalid_domain if !valid_domains

This pattern matches:

  • ^ - Start of string
  • ([a-z0-9-]+\.)? - Optional subdomain part (alphanumeric and hyphens)
  • mysite\.com - Your main domain (escaped dot)
  • $ - End of string

If you prefer not to use regex, you could:

acl valid_domains hdr_end(host) -i .mysite.com

Or for more complex scenarios:

acl valid_domains hdr_dom(host) -i mysite.com
# hdr_end, not hdr_beg: a Host value never starts with ".mysite.com"
acl valid_subdomains hdr_end(host) -i .mysite.com
use_backend subdomain_server if valid_subdomains
use_backend main_server if valid_domains

Remember that regex matching is more CPU-intensive than simple string matching. For high-traffic environments, consider:

acl valid_domains hdr(host) -i mysite.com
acl valid_subdomains hdr_end(host) -i .mysite.com
tcp-request content reject if !valid_domains !valid_subdomains