Use named ACLs to avoid exceeding HAProxy's 64-word parser limit #460

Open
Copilot wants to merge 10 commits into main from copilot/fix-exceeding-haproxy-parser-limit

Copilot AI commented Apr 13, 2026

When multiple haproxy-route relations provide allow_http data, the template concatenates all ACLs into a single http-request redirect line using || operators. With 7+ relations this exceeds HAProxy's hardcoded 64-word per-line parser limit, causing config validation failures.

Changes

  • Template (haproxy_route.cfg.j2): Replace inline OR-chained ACLs with a single named is_allow_http ACL. HAProxy implicitly ORs multiple acl lines sharing the same name, so each relation gets its own short line. The ACL is defined once and reused in both the redirect and HSTS rules:

        # Before (single line that grows unbounded)
        http-request redirect scheme https unless { ssl_fc } || { ... } || { ... } || ...

        # After (one line per relation, OR'd by HAProxy)
        acl is_allow_http { req.hdr(host),field(1,:) -i example.com } { path_beg -i /api }
        acl is_allow_http { req.hdr(host),field(1,:) -i other.com }
        http-request redirect scheme https unless { ssl_fc } || is_allow_http

  • HSTS rule: Reuses the same is_allow_http ACL to prevent the identical word-limit issue on the http-response set-header line, avoiding duplicate ACL definitions.
  • Tests: Updated test_hsts_disabled_allow_http assertion to match new output format. Added test_redirect_without_allow_http_uses_named_acl and test_redirect_allow_http_uses_named_acl.
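
An added example, not part of the pull request or the project's code: a small lint that counts the words on each rendered config line against the 64-word limit described above. The relation data is constructed, the line shapes are copied from the description, and the comment handling and the exact boundary (more than 64 words) are simplifying assumptions.

```python
"""Flag rendered HAProxy config lines that exceed the per-line word limit."""

WORD_LIMIT = 64  # limit stated in the PR; exact boundary handling is assumed


def count_words(line: str) -> int:
    """Count whitespace-separated words, stopping at a word that starts with '#'.

    Simplified tokenizer: quoting and backslash escapes are not handled,
    which is enough for the ACL lines discussed in the PR.
    """
    words = []
    for word in line.split():
        if word.startswith("#"):
            break
        words.append(word)
    return len(words)


def overlong_lines(config: str, limit: int = WORD_LIMIT):
    """Return (line_number, word_count, directive) for lines over the limit."""
    findings = []
    for number, line in enumerate(config.splitlines(), start=1):
        count = count_words(line)
        if count > limit:
            findings.append((number, count, line.split()[0]))
    return findings


# Constructed sample data: seven hypothetical relations, one host and path each.
RELATIONS = [(f"app{i}.example.com", "/api") for i in range(1, 8)]
BASE = "http-request redirect scheme https unless { ssl_fc }"


def clause(host: str, path: str) -> str:
    return f"{{ req.hdr(host),field(1,:) -i {host} }} {{ path_beg -i {path} }}"


def render_chained(relations) -> str:
    """Old shape: every relation appended to the redirect line with '||'."""
    return BASE + "".join(f" || {clause(h, p)}" for h, p in relations) + "\n"


def render_named(relations) -> str:
    """New shape from the PR description: one is_allow_http line per relation."""
    lines = [f"acl is_allow_http {clause(h, p)}" for h, p in relations]
    lines.append(f"{BASE} || is_allow_http")
    return "\n".join(lines) + "\n"
```

Running `overlong_lines` over the rendered output in a unit test catches this class of failure before the config reaches HAProxy's own validation.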

Copilot AI and others added 2 commits April 13, 2026 10:19
Split the inline OR-chained ACL conditions in the redirect rule into
separate named ACL lines (do_not_redirect). In HAProxy, multiple ACL
lines with the same name are OR'd together, preserving the same logic
while keeping each line short.

Also refactor the HSTS template to use a named is_allow_http ACL to
avoid the same potential word-limit issue.

Agent-Logs-Url: https://github.com/canonical/haproxy-operator/sessions/0787275c-fa4f-4c2a-8201-ad38184c5afc

Co-authored-by: Thanhphan1147 <42444001+Thanhphan1147@users.noreply.github.com>
Agent-Logs-Url: https://github.com/canonical/haproxy-operator/sessions/0787275c-fa4f-4c2a-8201-ad38184c5afc

Co-authored-by: Thanhphan1147 <42444001+Thanhphan1147@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix template redirect line exceeding HAProxy's 64-word limit" to "Use named ACLs to avoid exceeding HAProxy's 64-word parser limit" on Apr 13, 2026
Copilot AI requested a review from Thanhphan1147 April 13, 2026 10:23
Comment thread haproxy-operator/templates/haproxy_route.cfg.j2 Outdated
@github-actions

Test results for commit fc19f42

Test coverage for fc19f42

Name                                       Stmts   Miss Branch BrPart  Cover   Missing
--------------------------------------------------------------------------------------
lib/charms/haproxy/v0/ddos_protection.py     154     51     34      8    64%   157-174, 183-187, 288, 316-318, 323, 326-330, 342-344, 381, 387, 393, 396, 424, 495-498, 510-529
src/charm.py                                  21      0      0      0   100%
src/state.py                                  43      0      0      0   100%
--------------------------------------------------------------------------------------
TOTAL                                        218     51     34      8    73%

Static code analysis report

Run started:2026-04-24 12:31:05.433272+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 333
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions

Test results for commit fc19f42

Test coverage for fc19f42

Name                                         Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------------------------------------
lib/charms/haproxy/v0/ddos_protection.py       154     42     34      3    72%   157-174, 183-187, 265, 284, 415-418, 422-424, 459-478, 514-529
lib/charms/haproxy/v0/spoe_auth.py             158     55     32      2    59%   203, 304-306, 315, 354-381, 392-402, 441-442, 459-472, 484-501, 522-525, 529-531
lib/charms/haproxy/v1/haproxy_route_tcp.py     385    153     78      8    56%   209, 212, 281, 290-293, 297-300, 318-321, 336, 342-347, 447, 452, 829-832, 836, 863-874, 897-900, 904-906, 926-928, 1042-1083, 1087-1093, 1097, 1166-1195, 1266-1305, 1335-1337, 1362-1364, 1386-1390, 1409-1411, 1429-1431, 1438-1444, 1452-1454, 1462-1463, 1474-1481, 1494-1505, 1513-1534, 1546-1547, 1558-1559, 1570-1573, 1584-1585, 1614-1623, 1639-1642, 1658-1669, 1685-1688, 1706-1717, 1728-1729, 1737-1738, 1746-1747, 1758-1761
lib/charms/haproxy/v2/haproxy_route.py         385     53     98     26    82%   181, 257, 266-269, 294-297, 318-323, 673-674, 860->exit, 867, 893-904, 927-930, 934-936, 955-957, 1129-1135, 1139, 1336->1338, 1340->1342, 1342->1344, 1344->1346, 1346->1348, 1348->1351, 1386, 1394, 1399, 1402, 1427, 1455, 1459, 1463, 1486, 1506, 1515-1516, 1518->exit, 1554-1556, 1576, 1590, 1595-1597
src/charm.py                                   293     71     84     13    71%   102, 228, 236-252, 257, 262, 280, 291, 297-298, 332-352, 371, 471, 478-486, 514-527, 540-545, 554, 567-568, 575, 585, 595, 601-607, 623, 674-677, 683->682, 696-699
src/haproxy.py                                 125     31      6      2    75%   108-114, 134-156, 266-267, 270, 278-284, 312, 342-353, 365-367, 377-378
src/http_interface.py                           73     25      4      0    62%   74, 83, 92, 106-108, 126, 138, 150, 162, 170-175, 187, 194, 202, 217-227
src/state/charm_state.py                        78     15     14      4    79%   94-96, 101-102, 105, 150-155, 164, 216-218, 230-231
src/state/ddos_protection.py                    39      0      2      0   100%
src/state/exception.py                           1      0      0      0   100%
src/state/ha.py                                 30      1      2      1    94%   50
src/state/haproxy_route.py                     284     46     76      8    82%   161, 190-199, 256, 281, 332-360, 369, 378, 387, 396, 408, 446-472, 528, 568, 584-585, 602, 817-830
src/state/haproxy_route_tcp.py                 120     17     42      1    80%   92-94, 109->112, 147-160
src/state/ingress.py                            38      0      4      0   100%
src/state/ingress_per_unit.py                   32      0      4      0   100%
src/state/spoe_auth.py                          26      2      2      0    93%   63-64
src/state/tls.py                                39      7     12      4    78%   74, 77-78, 127-135, 141-142
src/state/validation.py                         46     23      8      1    44%   66-67, 71-98
src/tls_relation.py                             62      3     14      3    92%   87->86, 119-129, 141->143
----------------------------------------------------------------------------------------
TOTAL                                         2368    544    516     76    74%

Static code analysis report

Run started:2026-04-24 12:31:27.064206+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 10687
  Total lines skipped (#nosec): 13
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 10

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions

Test results for commit fc19f42

Test coverage for fc19f42

Name                      Stmts   Miss Branch BrPart  Cover   Missing
---------------------------------------------------------------------
src/charm.py                 88     29     14      3    63%   97-98, 108-113, 138, 145-157, 161-176, 184-199
src/policy.py                66     37      2      0    43%   30-32, 37-38, 43-53, 58-59, 64-65, 78-92, 115-117, 140-141, 159-176, 187-197, 208-211
src/state/database.py        32      2      6      2    89%   76, 79
src/state/policy.py          62      2     10      2    94%   94, 106
src/state/validation.py      44     18      0      0    59%   57-59, 61-63, 74-87
---------------------------------------------------------------------
TOTAL                       292     88     32      7    68%

Static code analysis report

Run started:2026-04-24 12:31:09.334269+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1152
  Total lines skipped (#nosec): 10
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions

Test results for commit fc19f42

Test coverage for fc19f42

Name                                        Stmts   Miss  Cover
---------------------------------------------------------------
haproxy_route_policy/__init__.py                0      0   100%
haproxy_route_policy/settings.py               30      1    97%
haproxy_route_policy/test_settings.py           4      0   100%
haproxy_route_policy/urls.py                    5      0   100%
manage.py                                      11      2    82%
policy/__init__.py                              0      0   100%
policy/admin.py                                22      5    77%
policy/apps.py                                  3      0   100%
policy/db_models.py                            50      2    96%
policy/management/__init__.py                   0      0   100%
policy/management/commands/__init__.py          0      0   100%
policy/middleware.py                           16      4    75%
policy/migrations/0001_initial.py               7      0   100%
policy/migrations/0002_rule.py                  5      0   100%
policy/migrations/0003_alter_rule_kind.py       4      0   100%
policy/migrations/__init__.py                   0      0   100%
policy/rule_engine.py                          42      6    86%
policy/serializers.py                          30      4    87%
policy/tests/__init__.py                        0      0   100%
policy/tests/test_auth.py                      36     20    44%
policy/tests/test_models.py                    85      0   100%
policy/tests/test_rule_engine.py              117      0   100%
policy/tests/test_views.py                    201      0   100%
policy/urls.py                                  3      0   100%
policy/views.py                                95     16    83%
---------------------------------------------------------------
TOTAL                                         766     60    92%

Static code analysis report

Run started:2026-04-24 12:31:04.665059+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1680
  Total lines skipped (#nosec): 1
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@github-actions

Test results for commit fc19f42

Test coverage for fc19f42

Name                               Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------------------
src/charm.py                          45      9      2      0    77%   65-91, 96-98
src/haproxy_spoe_auth_service.py      44     16      2      0    61%   56-64, 76-82, 93-117
src/state.py                          55     15      6      1    67%   64-66, 79, 125-146
------------------------------------------------------------------------------
TOTAL                                144     40     10      1    68%

Static code analysis report

Run started:2026-04-24 12:31:05.841405

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 409
  Total lines skipped (#nosec): 1
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):


Development

Successfully merging this pull request may close these issues.

Template generates redirect line exceeding HAProxy's 64-word parser limit
