The test you appear to be wanting to impose is this:
A && !(B || C)
…but that is not logically equivalent to what you’ve written, which is essentially this…
(A && !B) || (A && !C)
The logical equivalent of A && !(B || C)
without using parentheses for precedence is actually this:
A && !B && !C
So what you’re looking for should be this:
http-request deny if is_test !is_allowed !is_devtool
Or, to restate it: deny the request if —
- it matches
is_test
, and - it doesn’t match
is_allowed
, and - it doesn’t match
is_devtool
As long as any one of these condtions is false (isn’t test, is allowed, is devtool) your rule doesn’t match, and doesn’t deny the request.