
haproxy missing fetch method in ACL expression


I am using these conditions in HAProxy:

use_backend test if { path_beg -i /test/ } { { ssl_fc_has_crt } || { src 10.0.0.25 }  || { src 10.1.0.152 }  || { src 10.0.2.41 }  || { src 10.0.0.158}  || { src 64.32.12.252 }  || { src 35.43.19.101 } || { src 80.240.254.1 } || { src 82.10.80.7 } }

But I am seeing this error:

error detected while parsing switching rule : missing fetch method in ACL expression '{'.

Solution

  • The docs show { } as if it could group ACLs, but don't elaborate on it:

    A condition is formed as a disjunctive form:
    
       [!]acl1 [!]acl2 ... [!]acln  { or [!]acl1 [!]acl2 ... [!]acln } ...
    

    So maybe it isn't grouping at all. All the examples with {} I can see are for anonymous ACLs. You want to combine AND with OR in one condition and HAProxy isn't very helpful, but here is something that should work:

    acl allowed_to_test_site src 10.0.0.25 10.0.0.24 10.1.0.152 10.0.2.41 10.0.0.158 64.32.12.252 35.43.19.101 80.240.254.1 82.10.80.7
    acl allowed_to_test_site ssl_fc_has_crt
    use_backend backend-sonar if { path_beg -i /test/ } allowed_to_test_site
    

    A few points to explain here:

    1. src IP1 || src IP2 can be declared as acl ip src IP1 IP2 and so on. Such a list works as multiple OR.
    2. Declaring an ACL multiple times again works as multiple OR.
       Docs say:

           acl <aclname> <criterion> [flags] [operator] <value> ...
           Declare or complete an access list.

       which could use some more explicit explanation.
    3. AND is implicit.

    This way we get the logic of (path_beg -i /test/) AND ( ssl_fc_has_crt OR src matches one of the IPs)
    Maybe one day haproxy will have better syntax for that.
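
The same rule written out directly in the disjunctive form quoted from the docs, as an added example that is not part of the original answer. The ACL names are hypothetical; the addresses and the backend name `test` are the ones from the question.

```haproxy
# Named ACLs (names are hypothetical; values are taken from the question).
acl is_test_path    path_beg -i /test/
acl has_client_crt  ssl_fc_has_crt
acl test_src        src 10.0.0.25 10.1.0.152 10.0.2.41 10.0.0.158
acl test_src        src 64.32.12.252 35.43.19.101 80.240.254.1 82.10.80.7

# Form 1: one rule per OR-term. Rules are evaluated in order and the
# first one that matches selects the backend.
use_backend test if is_test_path has_client_crt
use_backend test if is_test_path test_src

# Form 2 (alternative to form 1, use one or the other): a single rule.
# Space-separated ACLs are ANDed and "||" separates the OR-terms, so the
# path check has to be repeated in every term:
#   (is_test_path AND has_client_crt) OR (is_test_path AND test_src)
#
# use_backend test if is_test_path has_client_crt || is_test_path test_src

# Pitfall: leaving the path check out of the second term changes the meaning.
# The line below reads as
#   (is_test_path AND has_client_crt) OR test_src
# so every request from a listed address is sent to "test", whatever its path.
#
# use_backend test if is_test_path has_client_crt || test_src
```

After changing rules like these, `haproxy -c -f <config file>` checks the configuration for parse errors, such as the one in the question, before a reload.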