docker-archive / dockercloud-haproxy

HAproxy image that autoreconfigures itself when used in Docker Cloud
https://cloud.docker.com/

[Question] Can't override front-end rule from back-end rule? #219

Open sladkoff opened 6 years ago

sladkoff commented 6 years ago

I'm adding some headers with the EXTRA_FRONTEND_SETTINGS_443 variable which should apply the header on all back-ends.

Here's an excerpt of the startup config log (note the highlighted lines):

```
frontend port_443
  bind :443 ssl crt /certs/
  reqadd X-Forwarded-Proto:\ https
  maxconn 4096
  http-response set-header Strict-Transport-Security max-age=31536000
->http-response set-header X-Frame-Options DENY
  http-response set-header X-Content-Type-Options nosniff
  acl host_rule_11 hdr(host) -i domain.test.com
  acl host_rule_11_port hdr(host) -i domain.test.com:443
  use_backend SERVICE_1 if host_rule_11 or host_rule_11_port
frontend port_80
  bind :80
  reqadd X-Forwarded-Proto:\ http
  maxconn 4096
  acl host_rule_12 hdr(host) -i domain.test.com
  acl host_rule_12_port hdr(host) -i domain.test.com:80
  use_backend SERVICE_1 if host_rule_12 or host_rule_12_port
backend SERVICE_1
  redirect scheme https code 301 if !{ ssl_fc }
->http-response set-header X-Frame-Options ALLOWALL
  server SERVICE_1 10.7.0.105:8080 check inter 2000 rise 2 fall 3
```

As you can see I'm trying to override the set-header statement in the back-end by specifying it in EXTRA_SETTINGS.

I always receive the header as defined in the front-end section though.

Is this the expected behaviour? If I'm not mistaken the back-end rule should override the front-end rule, no?

Thank you for your time.

tifayuki commented 6 years ago

@sladkoff Found the following in the config manual:

```
processing. The rules are evaluated in their declaration order when they are
met in a frontend, listen or backend section. Any rule may optionally be
followed by an ACL-based condition, in which case it will only be evaluated
if the condition is true. Since these rules apply on responses, the backend
rules are applied first, followed by the frontend's rules.
```

To my understanding, HAProxy will evaluate `X-Frame-Options ALLOWALL` first, then `X-Frame-Options DENY`. This means `DENY` overrides `ALLOWALL`.
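
Given that evaluation order, one way to get a per-backend override is to make the frontend rule a default that only fires when no `X-Frame-Options` header is present once the backend's rules have run. This is an added example, not configuration from the thread or from the project; the section names and header values are copied from the excerpt above, and the `unless` condition is the assumption introduced here.

```haproxy
frontend port_443
  bind :443 ssl crt /certs/
  reqadd X-Forwarded-Proto:\ https
  maxconn 4096
  http-response set-header Strict-Transport-Security max-age=31536000
  # Response rules run backend first, then frontend, so an unconditional
  # set-header here always replaces whatever the backend section set.
  # As posted in the issue (always wins):
  #   http-response set-header X-Frame-Options DENY
  # Conditional form: apply DENY only when the response carries no
  # X-Frame-Options header at this point.
  http-response set-header X-Frame-Options DENY unless { res.hdr(X-Frame-Options) -m found }
  http-response set-header X-Content-Type-Options nosniff
  acl host_rule_11 hdr(host) -i domain.test.com
  acl host_rule_11_port hdr(host) -i domain.test.com:443
  use_backend SERVICE_1 if host_rule_11 or host_rule_11_port

backend SERVICE_1
  redirect scheme https code 301 if !{ ssl_fc }
  # Evaluated before the frontend's response rules; with the condition
  # above, this value is no longer replaced by the frontend default.
  http-response set-header X-Frame-Options ALLOWALL
  server SERVICE_1 10.7.0.105:8080 check inter 2000 rise 2 fall 3
```

The condition also lets an `X-Frame-Options` header sent by the application server itself pass through unchanged, so the `DENY` default covers only responses where neither the server nor the backend section set one.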