[DOC] add some documentation about ACLs
Minimal documentation about ACLs
diff --git a/doc/haproxy-en.txt b/doc/haproxy-en.txt
index 1341aea..865bf8e 100644
--- a/doc/haproxy-en.txt
+++ b/doc/haproxy-en.txt
@@ -2525,6 +2525,80 @@
forwarded unmodified to the server as if the option was not set.
+5) Access lists
+===============
+
+With version 1.3.10, a new concept of access lists (acl) was born. As it was
+not necesary to reinvent the wheel, and because even long thoughts lead to
+unsatisfying proposals, it was finally decided that something close to what
+Squid provides would be a good compromise between features and ease of use.
+
+The principle is very simple : acls are declared with a name, a test and a list
+of valid values to check against during the test. Conditions are applied on
+various actions, and those conditions apply a logical AND between acls. The
+condition is then only met if all acls are true.
+
+It is possible to use the reserved keyword "OR" in conditions, and it is
+possible for an acl to be specified multiple times, even with various tests, in
+which case the first one which returns true validates the ACL.
+
+As of 1.3.10, only the following tests have been implemented :
+
+ Layer 3/4 :
+ src <ipv4_address>[/mask] ... : match IPv4 source address
+ dst <ipv4_address>[/mask] ... : match IPv4 destination address
+ src_port <low>[:<high>] ... : match source port range
+ dst_port <low>[:<high>] ... : match destination port range
+ dst_limit <max> : true if frontend has less than <max> connections
+
+ Layer 7 :
+ method <HTTP method> ... : match HTTP method
+ req_ver <1.0|1.1> ... : match HTTP request version
+ resp_ver <1.0|1.1> ... : match HTTP response version
+ status <low>[:<high>] ... : match HTTP response status code in range
+ url <string> ... : exact string match on URI
+ url_reg <regex> ... : regex string match on URI
+ url_beg <string> ... : true if URI begins with <string>
+ url_end <string> ... : true if URI ends with <string>
+ url_sub <string> ... : true if URI contains <string>
+ url_dir <string> ... : true if URI contains <string> between slashes
+ url_dom <string> ... : true if URI contains <string> between slashes or dots
+
+Other ones are coming (headers, cookies, time, auth), it's just a matter of
+time. It is also planned to be able to read the patterns from a file, as well
+as to ignore the case for some of them.
+
+The only command supporting a condition right now is the "block" command, which
+blocks a request and returns a 403 if its condition is true (with the "if"
+keyword), or if it is false (with the "unless" keyword).
+
+Example :
+---------
+
+ acl options_uris url *
+ acl meth_option method OPTIONS
+ acl http_1.1 req_ver 1.1
+ acl allowed_meth method GET HEAD POST OPTIONS CONNECT
+ acl connect_meth method CONNECT
+ acl proxy_url url_beg http://
+
+ # block if reserved URI "*" used with a method other than "OPTIONS"
+ block if options_uris !meth_option
+
+ # block if the OPTIONS method is used with HTTP 1.0
+ block if meth_option !http_1.1
+
+ # allow non-proxy url with anything but the CONNECT method
+ block if !connect_meth !proxy_url
+
+ # block all unknown methods
+ block unless allowed_meth
+
+Note: this documentation is very light but should permit one to start and above
+all it should permit to work on the project without being slowed down too much
+with the doc.
+
+
=========================
| System-specific setup |
=========================