upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-10 06:13:20 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 20
haproxy/src/http_act.c

2508 lines
77 KiB
C
Raw Permalink Normal View History

REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/*
* HTTP actions
*
* Copyright 2000-2018 Willy Tarreau <w@1wt.eu>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#include <sys/types.h>
#include <ctype.h>
#include <string.h>
#include <time.h>
REORG: include: move acl.h to haproxy/acl.h{,-t}.h The files were moved almost as-is, just dropping arg-t and auth-t from acl-t but keeping arg-t in acl.h. It was useful to revisit the call places since a handful of files used to continue to include acl.h while they did not need it at all. Struct stream was only made a forward declaration since not otherwise needed.
2020-06-04 13:11:43 -04:00
#include <haproxy/acl.h>
REORG: include: move action.h to haproxy/action{,-t}.h List.h was missing for LIST_ADDQ(). A few unneeded includes of action.h were removed from certain files. This one still relies on applet.h and stick-table.h.
2020-06-04 04:15:32 -04:00
#include <haproxy/action.h>
REORG: include: update all files to use haproxy/api.h or api-t.h if needed All files that were including one of the following include files have been updated to only include haproxy/api.h or haproxy/api-t.h once instead: - common/config.h - common/compat.h - common/compiler.h - common/defaults.h - common/initcall.h - common/tools.h The choice is simple: if the file only requires type definitions, it includes api-t.h, otherwise it includes the full api.h. In addition, in these files, explicit includes for inttypes.h and limits.h were dropped since these are now covered by api.h and api-t.h. No other change was performed, given that this patch is large and affects 201 files. At least one (tools.h) was already freestanding and didn't get the new one added.
2020-05-27 06:58:42 -04:00
#include <haproxy/api.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/arg.h>
#include <haproxy/capture-t.h>
REORG: include: move cfgparse.h to haproxy/cfgparse.h There's no point splitting the file in two since only cfgparse uses the types defined there. A few call places were updated and cleaned up. All of them were in C files which register keywords. There is nothing left in common/ now so this directory must not be used anymore.
2020-06-04 18:00:29 -04:00
#include <haproxy/cfgparse.h>
REORG: include: move common/chunk.h to haproxy/chunk.h No change was necessary, it was already properly split.
2020-06-02 04:22:45 -04:00
#include <haproxy/chunk.h>
REORG: include: split global.h into haproxy/global{,-t}.h global.h was one of the messiest files, it has accumulated tons of implicit dependencies and declares many globals that make almost all other file include it. It managed to silence a dependency loop between server.h and proxy.h by being well placed to pre-define the required structs, forcing struct proxy and struct server to be forward-declared in a significant number of files. It was split in to, one which is the global struct definition and the few macros and flags, and the rest containing the functions prototypes. The UNIX_MAX_PATH definition was moved to compat.h.
2020-06-04 11:05:57 -04:00
#include <haproxy/global.h>
REORG: include: split common/http.h into haproxy/http{,-t}.h So the enums and structs were placed into http-t.h and the functions into http.h. This revealed that several files were dependeng on http.h but not including it, as it was silently inherited via other files.
2020-06-02 13:11:26 -04:00
#include <haproxy/http.h>
REORG: include: move http_ana.h to haproxy/http_ana{,-t}.h It was moved without any change, however many callers didn't need it at all. This was a consequence of the split of proto_http.c into several parts that resulted in many locations to still reference it.
2020-06-04 15:21:03 -04:00
#include <haproxy/http_ana.h>
REORG: include: move http_htx.h to haproxy/http_htx{,-t}.h A few includes had to be added, namely list-t.h in the type file and types/proxy.h in the proto file. actions.h was including http-htx.h but didn't need it so it was dropped.
2020-06-04 03:08:41 -04:00
#include <haproxy/http_htx.h>
REORG: include: move http_rules.h to haproxy/http_rules.h There was no include file. This one still includes types/proxy.h.
2020-06-04 05:40:28 -04:00
#include <haproxy/http_rules.h>
REORG: include: move the error reporting functions to from log.h to errors.h Most of the files dealing with error reports have to include log.h in order to access ha_alert(), ha_warning() etc. But while these functions don't depend on anything, log.h depends on a lot of stuff because it deals with log-formats and samples. As a result it's impossible not to embark long dependencies when using ha_warning() or qfprintf(). This patch moves these low-level functions to errors.h, which already defines the error codes used at the same places. About half of the users of log.h could be adjusted, sometimes revealing other issues such as missing tools.h. Interestingly the total preprocessed size shrunk by 4%.
2020-06-05 11:27:29 -04:00
#include <haproxy/log.h>
REORG: include: move pattern.h to haproxy/pattern{,-t}.h It was moved as-is, except for extern declaration of pattern_reference. A few C files used to include it but didn't need it anymore after having been split apart so this was cleaned.
2020-06-04 09:06:28 -04:00
#include <haproxy/pattern.h>
REORG: include: move common/memory.h to haproxy/pool.h Now the file is ready to be stored into its final destination. A few minor reorderings were performed to keep the file properly organized, making the various sections more visible (cache & lockless). In addition and to stay consistent, memory.c was renamed to pool.c.
2020-06-02 03:38:52 -04:00
#include <haproxy/pool.h>
REORG: include: split common/regex.h into haproxy/regex{,-t}.h Regex are essentially included for myregex_t but it turns out that several of the C files didn't include it directly, relying on the one included by their own .h. This has been cleanly addressed so that only the type is included by H files which need it, and adding the missing includes for the other ones.
2020-06-02 11:32:26 -04:00
#include <haproxy/regex.h>
REORG: include: move sample.h to haproxy/sample{,-t}.h This one is particularly tricky to move because everyone uses it and it depends on a lot of other types. For example it cannot include arg-t.h and must absolutely only rely on forward declarations to avoid dependency loops between vars -> sample_data -> arg. In order to address this one, it would be nice to split the sample_data part out of sample.h.
2020-06-04 09:33:47 -04:00
#include <haproxy/sample.h>
REORG: rename cs_utils.h to sc_strm.h This file contains all the stream-connector functions that are specific to application layers of type stream. So let's name it accordingly so that it's easier to figure what's located there. The alphabetical ordering of include files was preserved.
2022-05-27 03:25:10 -04:00
#include <haproxy/sc_strm.h>
REORG: stconn: rename conn_stream.{c,h} to stconn.{c,h} There's no more reason for keepin the code and definitions in conn_stream, let's move all that to stconn. The alphabetical ordering of include files was adjusted.
2022-05-27 03:47:12 -04:00
#include <haproxy/stconn.h>
REORG: tools: split common/standard.h into haproxy/tools{,-t}.h And also rename standard.c to tools.c. The original split between tools.h and standard.h dates from version 1.3-dev and was mostly an accident. This patch moves the files back to what they were expected to be, and takes care of not changing anything else. However this time tools.h was split between functions and types, because it contains a small number of commonly used macros and structures (e.g. name_desc) which in turn cause the massive list of includes of tools.h to conflict with the callers. They remain the ugliest files of the whole project and definitely need to be cleaned and split apart. A few types are defined there only for functions provided there, and some parts are even OS-specific and should move somewhere else, such as the symbol resolution code.
2020-06-03 12:09:46 -04:00
#include <haproxy/tools.h>
REORG: include: split common/uri_auth.h into haproxy/uri_auth{,-t}.h Initially it looked like this could have been placed into auth.h or stats.h but it's not the case as it's what makes the link between them and the HTTP layer. However the file needed to be split in two. Quite a number of call places were dropped because these were mostly leftovers from the early days where the stats and cli were packed together.
2020-06-04 13:27:34 -04:00
#include <haproxy/uri_auth-t.h>
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
#include <haproxy/uri_normalizer.h>
REORG: include: move version.h to haproxy/ Few files were affected. The release scripts was updated.
2020-05-27 09:59:00 -04:00
#include <haproxy/version.h>
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
CLEANUP: assorted typo fixes in the code and comments code, comments and doc actually.
2025-04-01 16:44:54 -04:00
/* Release memory allocated by most of HTTP actions. Concretely, it releases
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
* <arg.http>.
*/
static void release_http_action(struct act_rule *rule)
{
CLEANUP: Use `isttest()` and `istfree()` This adjusts a few locations to make use of `isttest()` and `istfree()`.
2020-03-05 11:56:33 -05:00
istfree(&rule->arg.http.str);
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
if (rule->arg.http.re)
regex_free(rule->arg.http.re);
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_deinit(&rule->arg.http.fmt);
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
}
CLEANUP: assorted typo fixes in the code and comments code, comments and doc actually.
2025-04-01 16:44:54 -04:00
/* Release memory allocated by HTTP actions relying on an http reply. Concretely,
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
* it releases <.arg.http_reply>
*/
static void release_act_http_reply(struct act_rule *rule)
{
release_http_reply(rule->arg.http_reply);
rule->arg.http_reply = NULL;
}
/* Check function for HTTP actions relying on an http reply. The function
* returns 1 in success case, otherwise, it returns 0 and err is filled.
*/
static int check_act_http_reply(struct act_rule *rule, struct proxy *px, char **err)
{
struct http_reply *reply = rule->arg.http_reply;
if (!http_check_http_reply(reply, px, err)) {
release_act_http_reply(rule);
return 0;
}
return 1;
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* This function executes one of the set-{method,path,query,uri} actions. It
* builds a string in the trash from the specified format string. It finds
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
* the action to be performed in <.action>, previously filled by function
CLEANUP: assorted typo fixes in the code and comments This is 9th iteration of typo fixes
2020-05-05 15:53:22 -04:00
* parse_set_req_line(). The replacement action is executed by the function
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
* http_action_set_req_line(). On success, it returns ACT_RET_CONT. If an error
* occurs while soft rewrites are enabled, the action is canceled, but the rule
* processing continue. Otherwsize ACT_RET_ERR is returned.
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
*/
static enum act_return http_action_set_req_line(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct buffer *replace;
MINOR: actions: Use ACT_RET_CONT code to ignore an error from a custom action Some custom actions are just ignored and skipped when an error is encoutered. In that case, we jump to the next rule. To do so, most of them use the return code ACT_RET_ERR. Currently, for http rules and tcp content rules, it is not a problem because this code is handled the same way than ACT_RET_CONT. But, it means there is no way to handle the error as other actions. The custom actions must handle the error and return ACT_RET_DONE. For instance, when http-request rules are processed, an error when we try to replace a header value leads to a bad request and an error 400 is returned to the client. But when we fail to replace the URI, the error is silently ignored. This difference between the custom actions and the others is an obstacle to write new custom actions. So, in this first patch, ACT_RET_CONT is now returned from custom actions instead of ACT_RET_ERR when an error is encoutered if it should be ignored. The behavior remains the same but it is now possible to handle true errors using the return code ACT_RET_ERR. Some actions will probably be reviewed to determine if an error is fatal or not. Other patches will be pushed to trigger an error when a custom action returns the ACT_RET_ERR code. This patch is not tagged as a bug because it is just a design issue. But others will depends on it. So be careful during backports, if so.
2019-12-13 03:01:57 -05:00
enum act_return ret = ACT_RET_CONT;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
replace = alloc_trash_chunk();
if (!replace)
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto fail_alloc;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* If we have to create a query string, prepare a '?'. */
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
if (rule->action == 2) // set-query
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
replace->area[replace->data++] = '?';
replace->data += build_logline(s, replace->area + replace->data,
replace->size - replace->data,
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
&rule->arg.http.fmt);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
if (http_req_replace_stline(rule->action, replace->area, replace->data, px, s) == -1)
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto fail_rewrite;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
leave:
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
free_trash_chunk(replace);
return ret;
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
fail_rewrite:
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->fe->fe_counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (s->flags & SF_BE_ASSIGNED)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.failed_rewrites);
BUG/MEDIUM: session: NULL dereference possible when accessing the listener When implementing a client applet, a NULL dereference was encountered on the error path which increment the counters. Indeed, the counters incremented are the one in the listener which does not exist in the case of client applets, so in sess->listener->counters, listener is NULL. This patch fixes the access to the listener structure when accessing from a sesssion, most of the access are the counters in error paths. Must be backported as far as 1.8.
2021-03-08 09:26:48 -05:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (objt_server(s->target))
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->txn->req.flags & HTTP_MSGF_SOFT_RW)) {
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
ret = ACT_RET_ERR;
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
}
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto leave;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
}
/* parse an http-request action among :
* set-method
* set-path
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
* set-pathq
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
* set-query
* set-uri
*
* All of them accept a single argument of type string representing a log-format.
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
* The resulting rule makes use of <http.fmt> to store the log-format list head,
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
* and <.action> to store the action type as an int (0=method, 1=path, 2=query,
* 3=uri). It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
*/
static enum act_parse_ret parse_set_req_line(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg = *orig_arg;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int cap = 0;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
switch (args[0][4]) {
case 'm' :
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
rule->action = 0; // set-method
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
break;
case 'p' :
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
if (args[0][8] == 'q')
rule->action = 4; // set-pathq
else
rule->action = 1; // set-path
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
break;
case 'q' :
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
rule->action = 2; // set-query
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
break;
case 'u' :
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
rule->action = 3; // set-uri
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
break;
default:
memprintf(err, "internal error: unhandled action '%s'", args[0]);
return ACT_RET_PRS_ERR;
}
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
rule->action_ptr = http_action_set_req_line;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (!*args[cur_arg] ||
(*args[cur_arg + 1] && strcmp(args[cur_arg + 1], "if") != 0 && strcmp(args[cur_arg + 1], "unless") != 0)) {
memprintf(err, "expects exactly 1 argument <format>");
return ACT_RET_PRS_ERR;
}
px->conf.args.ctx = ARGC_HRQ;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRQ_HDR;
if (!parse_logformat_string(args[cur_arg], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) {
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
(*orig_arg)++;
return ACT_RET_PRS_OK;
}
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
/* This function executes the http-request normalize-uri action.
* `rule->action` is expected to be a value from `enum act_normalize_uri`.
*
* On success, it returns ACT_RET_CONT. If an error
* occurs while soft rewrites are enabled, the action is canceled, but the rule
* processing continue. Otherwsize ACT_RET_ERR is returned.
*/
static enum act_return http_action_normalize_uri(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
enum act_return ret = ACT_RET_CONT;
struct htx *htx = htxbuf(&s->req.buf);
const struct ist uri = htx_sl_req_uri(http_get_stline(htx));
struct buffer *replace = alloc_trash_chunk();
enum uri_normalizer_err err = URI_NORMALIZER_ERR_INTERNAL_ERROR;
if (!replace)
goto fail_alloc;
switch ((enum act_normalize_uri) rule->action) {
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
case ACT_NORMALIZE_URI_PATH_MERGE_SLASHES: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `merge-slashes` normalizer to http-request normalize-uri This normalizer merges adjacent slashes into a single slash, thus removing empty path segments. See GitHub Issue #714.
2021-04-15 15:45:58 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_path_merge_slashes(iststop(path, '?'), &newpath);
MINOR: uri_normalizer: Add a `dotdot` normalizer to http-request normalize-uri This normalizer merges `../` path segments with the predecing segment, removing both the preceding segment and the `../`. Empty segments do not receive special treatment. The `merge-slashes` normalizer should be executed first. See GitHub Issue #714.
2021-04-15 15:45:59 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 0))
goto fail_rewrite;
break;
}
MINOR: uri_normalizer: Add a `strip-dot` normalizer This normalizer removes "/./" segments from the path component. Usually the dot refers to the current directory which renders those segments redundant. See GitHub Issue #714.
2021-04-20 18:22:50 -04:00
case ACT_NORMALIZE_URI_PATH_STRIP_DOT: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `strip-dot` normalizer This normalizer removes "/./" segments from the path component. Usually the dot refers to the current directory which renders those segments redundant. See GitHub Issue #714.
2021-04-20 18:22:50 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_path_dot(iststop(path, '?'), &newpath);
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 0))
goto fail_rewrite;
break;
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
case ACT_NORMALIZE_URI_PATH_STRIP_DOTDOT:
case ACT_NORMALIZE_URI_PATH_STRIP_DOTDOT_FULL: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `dotdot` normalizer to http-request normalize-uri This normalizer merges `../` path segments with the predecing segment, removing both the preceding segment and the `../`. Empty segments do not receive special treatment. The `merge-slashes` normalizer should be executed first. See GitHub Issue #714.
2021-04-15 15:45:59 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
err = uri_normalizer_path_dotdot(iststop(path, '?'), rule->action == ACT_NORMALIZE_URI_PATH_STRIP_DOTDOT_FULL, &newpath);
MINOR: uri_normalizer: Add a `dotdot` normalizer to http-request normalize-uri This normalizer merges `../` path segments with the predecing segment, removing both the preceding segment and the `../`. Empty segments do not receive special treatment. The `merge-slashes` normalizer should be executed first. See GitHub Issue #714.
2021-04-15 15:45:59 -04:00
MINOR: uri_normalizer: Add a `merge-slashes` normalizer to http-request normalize-uri This normalizer merges adjacent slashes into a single slash, thus removing empty path segments. See GitHub Issue #714.
2021-04-15 15:45:58 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 0))
goto fail_rewrite;
break;
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
case ACT_NORMALIZE_URI_QUERY_SORT_BY_NAME: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `sort-query` normalizer This normalizer sorts the `&` delimited query parameters by parameter name. See GitHub Issue #714.
2021-04-15 15:46:01 -04:00
struct ist newquery = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_query_sort(istfind(path, '?'), '&', &newquery);
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_query(htx, newquery))
goto fail_rewrite;
break;
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
case ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE:
case ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE_STRICT: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
err = uri_normalizer_percent_upper(path, rule->action == ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE_STRICT, &newpath);
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
MINOR: uri_normalizer: Add a `percent-decode-unreserved` normalizer This normalizer decodes percent encoded characters within the RFC 3986 unreserved set. See GitHub Issue #714.
2021-04-21 15:20:36 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 1))
goto fail_rewrite;
break;
}
case ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED:
case ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED_STRICT: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add a `percent-decode-unreserved` normalizer This normalizer decodes percent encoded characters within the RFC 3986 unreserved set. See GitHub Issue #714.
2021-04-21 15:20:36 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_percent_decode_unreserved(path, rule->action == ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED_STRICT, &newpath);
MINOR: uri_normalizer: Add `fragment-strip` normalizer This normalizer strips the URI's fragment component which should never be sent to the server. See GitHub Issue #714.
2021-05-10 11:28:25 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 1))
goto fail_rewrite;
break;
}
case ACT_NORMALIZE_URI_FRAGMENT_STRIP: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add `fragment-strip` normalizer This normalizer strips the URI's fragment component which should never be sent to the server. See GitHub Issue #714.
2021-05-10 11:28:25 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_fragment_strip(path, &newpath);
MINOR: uri_normalizer: Add `fragment-encode` normalizer This normalizer encodes '#' as '%23'. See GitHub Issue #714.
2021-05-10 11:28:26 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 1))
goto fail_rewrite;
break;
}
case ACT_NORMALIZE_URI_FRAGMENT_ENCODE: {
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
struct http_uri_parser parser = http_uri_parser_init(uri);
const struct ist path = http_parse_path(&parser);
MINOR: uri_normalizer: Add `fragment-encode` normalizer This normalizer encodes '#' as '%23'. See GitHub Issue #714.
2021-05-10 11:28:26 -04:00
struct ist newpath = ist2(replace->area, replace->size);
if (!isttest(path))
goto leave;
err = uri_normalizer_fragment_encode(path, &newpath);
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
if (err != URI_NORMALIZER_ERR_NONE)
break;
if (!http_replace_req_path(htx, newpath, 1))
goto fail_rewrite;
break;
}
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
}
switch (err) {
case URI_NORMALIZER_ERR_NONE:
break;
case URI_NORMALIZER_ERR_INTERNAL_ERROR:
ret = ACT_RET_ERR;
break;
case URI_NORMALIZER_ERR_INVALID_INPUT:
ret = ACT_RET_INV;
break;
case URI_NORMALIZER_ERR_ALLOC:
goto fail_alloc;
}
leave:
free_trash_chunk(replace);
return ret;
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
fail_rewrite:
_HA_ATOMIC_ADD(&sess->fe->fe_counters.failed_rewrites, 1);
if (s->flags & SF_BE_ASSIGNED)
_HA_ATOMIC_ADD(&s->be->be_counters.failed_rewrites, 1);
if (sess->listener && sess->listener->counters)
_HA_ATOMIC_ADD(&sess->listener->counters->failed_rewrites, 1);
if (objt_server(s->target))
_HA_ATOMIC_ADD(&__objt_server(s->target)->counters.failed_rewrites, 1);
if (!(s->txn->req.flags & HTTP_MSGF_SOFT_RW)) {
ret = ACT_RET_ERR;
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
}
goto leave;
}
/* Parses the http-request normalize-uri action. It expects a single <normalizer>
* argument, corresponding too a value in `enum act_normalize_uri`.
*
* It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_normalize_uri(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg = *orig_arg;
rule->action_ptr = http_action_normalize_uri;
rule->release_ptr = NULL;
if (!*args[cur_arg]) {
memprintf(err, "missing argument <normalizer>");
return ACT_RET_PRS_ERR;
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
if (strcmp(args[cur_arg], "path-merge-slashes") == 0) {
MINOR: uri_normalizer: Add a `merge-slashes` normalizer to http-request normalize-uri This normalizer merges adjacent slashes into a single slash, thus removing empty path segments. See GitHub Issue #714.
2021-04-15 15:45:58 -04:00
cur_arg++;
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_PATH_MERGE_SLASHES;
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
}
MINOR: uri_normalizer: Add a `strip-dot` normalizer This normalizer removes "/./" segments from the path component. Usually the dot refers to the current directory which renders those segments redundant. See GitHub Issue #714.
2021-04-20 18:22:50 -04:00
else if (strcmp(args[cur_arg], "path-strip-dot") == 0) {
cur_arg++;
rule->action = ACT_NORMALIZE_URI_PATH_STRIP_DOT;
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
else if (strcmp(args[cur_arg], "path-strip-dotdot") == 0) {
MINOR: uri_normalizer: Add a `dotdot` normalizer to http-request normalize-uri This normalizer merges `../` path segments with the predecing segment, removing both the preceding segment and the `../`. Empty segments do not receive special treatment. The `merge-slashes` normalizer should be executed first. See GitHub Issue #714.
2021-04-15 15:45:59 -04:00
cur_arg++;
MINOR: uri_normalizer: Add support for supressing leading `../` for dotdot normalizer This adds an option to supress `../` at the start of the resulting path.
2021-04-15 15:46:00 -04:00
if (strcmp(args[cur_arg], "full") == 0) {
cur_arg++;
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_PATH_STRIP_DOTDOT_FULL;
MINOR: uri_normalizer: Add support for supressing leading `../` for dotdot normalizer This adds an option to supress `../` at the start of the resulting path.
2021-04-15 15:46:00 -04:00
}
else if (!*args[cur_arg]) {
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_PATH_STRIP_DOTDOT;
MINOR: uri_normalizer: Add support for supressing leading `../` for dotdot normalizer This adds an option to supress `../` at the start of the resulting path.
2021-04-15 15:46:00 -04:00
}
else if (strcmp(args[cur_arg], "if") != 0 && strcmp(args[cur_arg], "unless") != 0) {
BUG/MINOR: http_act: Fix normalizer names in error messages These places were forgotten when the normalizers were renamed. Bug introduced in 5be6ab269e5606aef954f39d6717b024f97b3789, which is 2.4. No backport needed.
2021-05-10 17:21:20 -04:00
memprintf(err, "unknown argument '%s' for 'path-strip-dotdot' normalizer", args[cur_arg]);
MINOR: uri_normalizer: Add support for supressing leading `../` for dotdot normalizer This adds an option to supress `../` at the start of the resulting path.
2021-04-15 15:46:00 -04:00
return ACT_RET_PRS_ERR;
}
MINOR: uri_normalizer: Add a `dotdot` normalizer to http-request normalize-uri This normalizer merges `../` path segments with the predecing segment, removing both the preceding segment and the `../`. Empty segments do not receive special treatment. The `merge-slashes` normalizer should be executed first. See GitHub Issue #714.
2021-04-15 15:45:59 -04:00
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
else if (strcmp(args[cur_arg], "query-sort-by-name") == 0) {
MINOR: uri_normalizer: Add a `sort-query` normalizer This normalizer sorts the `&` delimited query parameters by parameter name. See GitHub Issue #714.
2021-04-15 15:46:01 -04:00
cur_arg++;
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_QUERY_SORT_BY_NAME;
MINOR: uri_normalizer: Add a `sort-query` normalizer This normalizer sorts the `&` delimited query parameters by parameter name. See GitHub Issue #714.
2021-04-15 15:46:01 -04:00
}
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
else if (strcmp(args[cur_arg], "percent-to-uppercase") == 0) {
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
cur_arg++;
if (strcmp(args[cur_arg], "strict") == 0) {
cur_arg++;
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE_STRICT;
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
}
else if (!*args[cur_arg]) {
MEDIUM: http_act: Rename uri-normalizers This patch renames all existing uri-normalizers into a more consistent naming scheme: 1. The part of the URI that is being touched. 2. The modification being performed as an explicit verb.
2021-04-17 05:21:10 -04:00
rule->action = ACT_NORMALIZE_URI_PERCENT_TO_UPPERCASE;
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
}
else if (strcmp(args[cur_arg], "if") != 0 && strcmp(args[cur_arg], "unless") != 0) {
BUG/MINOR: http_act: Fix normalizer names in error messages These places were forgotten when the normalizers were renamed. Bug introduced in 5be6ab269e5606aef954f39d6717b024f97b3789, which is 2.4. No backport needed.
2021-05-10 17:21:20 -04:00
memprintf(err, "unknown argument '%s' for 'percent-to-uppercase' normalizer", args[cur_arg]);
MINOR: uri_normalizer: Add a `percent-upper` normalizer This normalizer uppercases the hexadecimal characters used in percent-encoding. See GitHub Issue #714.
2021-04-15 15:46:02 -04:00
return ACT_RET_PRS_ERR;
}
}
MINOR: uri_normalizer: Add a `percent-decode-unreserved` normalizer This normalizer decodes percent encoded characters within the RFC 3986 unreserved set. See GitHub Issue #714.
2021-04-21 15:20:36 -04:00
else if (strcmp(args[cur_arg], "percent-decode-unreserved") == 0) {
cur_arg++;
if (strcmp(args[cur_arg], "strict") == 0) {
cur_arg++;
rule->action = ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED_STRICT;
}
else if (!*args[cur_arg]) {
rule->action = ACT_NORMALIZE_URI_PERCENT_DECODE_UNRESERVED;
}
else if (strcmp(args[cur_arg], "if") != 0 && strcmp(args[cur_arg], "unless") != 0) {
memprintf(err, "unknown argument '%s' for 'percent-decode-unreserved' normalizer", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
}
MINOR: uri_normalizer: Add `fragment-strip` normalizer This normalizer strips the URI's fragment component which should never be sent to the server. See GitHub Issue #714.
2021-05-10 11:28:25 -04:00
else if (strcmp(args[cur_arg], "fragment-strip") == 0) {
cur_arg++;
rule->action = ACT_NORMALIZE_URI_FRAGMENT_STRIP;
}
MINOR: uri_normalizer: Add `fragment-encode` normalizer This normalizer encodes '#' as '%23'. See GitHub Issue #714.
2021-05-10 11:28:26 -04:00
else if (strcmp(args[cur_arg], "fragment-encode") == 0) {
cur_arg++;
rule->action = ACT_NORMALIZE_URI_FRAGMENT_ENCODE;
}
MINOR: uri_normalizer: Add `http-request normalize-uri` This patch adds the `http-request normalize-uri` action that was requested in GitHub issue #714. Normalizers will be added in the next patches.
2021-04-15 15:45:57 -04:00
else {
memprintf(err, "unknown normalizer '%s'", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
/* This function executes a replace-uri action. It finds its arguments in
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
* <rule>.arg.http. It builds a string in the trash from the format string
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
* previously filled by function parse_replace_uri() and will execute the regex
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
* in <http.re> to replace the URI. It uses the format string present in
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
* <http.fmt>. The component to act on (path/uri) is taken from <.action> which
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
* contains 1 for the path or 3 for the URI (values used by
* http_req_replace_stline()). On success, it returns ACT_RET_CONT. If an error
* occurs while soft rewrites are enabled, the action is canceled, but the rule
* processing continue. Otherwsize ACT_RET_ERR is returned.
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
*/
static enum act_return http_action_replace_uri(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
MINOR: actions: Use ACT_RET_CONT code to ignore an error from a custom action Some custom actions are just ignored and skipped when an error is encoutered. In that case, we jump to the next rule. To do so, most of them use the return code ACT_RET_ERR. Currently, for http rules and tcp content rules, it is not a problem because this code is handled the same way than ACT_RET_CONT. But, it means there is no way to handle the error as other actions. The custom actions must handle the error and return ACT_RET_DONE. For instance, when http-request rules are processed, an error when we try to replace a header value leads to a bad request and an error 400 is returned to the client. But when we fail to replace the URI, the error is silently ignored. This difference between the custom actions and the others is an obstacle to write new custom actions. So, in this first patch, ACT_RET_CONT is now returned from custom actions instead of ACT_RET_ERR when an error is encoutered if it should be ignored. The behavior remains the same but it is now possible to handle true errors using the return code ACT_RET_ERR. Some actions will probably be reviewed to determine if an error is fatal or not. Other patches will be pushed to trigger an error when a custom action returns the ACT_RET_ERR code. This patch is not tagged as a bug because it is just a design issue. But others will depends on it. So be careful during backports, if so.
2019-12-13 03:01:57 -05:00
enum act_return ret = ACT_RET_CONT;
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
struct buffer *replace, *output;
struct ist uri;
int len;
replace = alloc_trash_chunk();
output = alloc_trash_chunk();
if (!replace || !output)
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto fail_alloc;
MINOR: http_act: Remove code relying on the legacy HTTP mode Actions updating the request or the response start-line are concerned.
2019-07-15 10:30:24 -04:00
uri = htx_sl_req_uri(http_get_stline(htxbuf(&s->req.buf)));
MINOR: http: add a new "replace-path" action This action is very similar to "replace-uri" except that it only acts on the path component. This is assumed to better match users' expectations when they used to rely on "replace-uri" in HTTP/1 because mostly origin forms were used in H1 while mostly absolute URI form is used in H2, and their rules very often start with a '/', and as such do not match. It could help users to get this backported to 2.0 and 2.1.
2019-12-17 00:52:51 -05:00
MINOR: http: use http uri parser for path Replace http_get_path by the http_uri_parser API. The new functions is renamed http_parse_path. Replace duplicated code for scheme and authority parsing by invocations to http_parse_scheme/authority. If no scheme is found for an URI detected as an absolute-uri/authority, consider it to be an authority format : no path will be found. For an absolute-uri or absolute-path, use the remaining of the string as the path. A new http_uri_parser state is declared to mark the path parsing as done.
2021-07-06 05:40:12 -04:00
if (rule->action == 1) { // replace-path
struct http_uri_parser parser = http_uri_parser_init(uri);
uri = iststop(http_parse_path(&parser), '?');
}
else if (rule->action == 4) { // replace-pathq
struct http_uri_parser parser = http_uri_parser_init(uri);
uri = http_parse_path(&parser);
}
MINOR: http: add a new "replace-path" action This action is very similar to "replace-uri" except that it only acts on the path component. This is assumed to better match users' expectations when they used to rely on "replace-uri" in HTTP/1 because mostly origin forms were used in H1 while mostly absolute URI form is used in H2, and their rules very often start with a '/', and as such do not match. It could help users to get this backported to 2.0 and 2.1.
2019-12-17 00:52:51 -05:00
BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid For replace-path, replace-pathq and replace-uri actions, we must take care to not match on the selected element if it is not defined. regex_exec_match2() function expects to be called with a defined subject. However, if the request path is invalid or not found, the function is called with a NULL subject, leading to a crash when compiled without the PRCE/PCRE2 support. For instance the following rules crashes HAProxy on a CONNECT request: http-request replace-path /short/(.) /\1 This patch must be backported as far as 2.0.
2022-04-08 04:44:21 -04:00
if (!istlen(uri))
goto leave;
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
if (!regex_exec_match2(rule->arg.http.re, uri.ptr, uri.len, MAX_MATCH, pmatch, 0))
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
goto leave;
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
replace->data = build_logline(s, replace->area, replace->size, &rule->arg.http.fmt);
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
/* note: uri.ptr doesn't need to be zero-terminated because it will
* only be used to pick pmatch references.
*/
len = exp_replace(output->area, output->size, uri.ptr, replace->area, pmatch);
if (len == -1)
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto fail_rewrite;
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
if (http_req_replace_stline(rule->action, output->area, len, px, s) == -1)
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto fail_rewrite;
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
leave:
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
free_trash_chunk(output);
free_trash_chunk(replace);
return ret;
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
fail_rewrite:
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->fe->fe_counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (s->flags & SF_BE_ASSIGNED)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.failed_rewrites);
BUG/MEDIUM: session: NULL dereference possible when accessing the listener When implementing a client applet, a NULL dereference was encountered on the error path which increment the counters. Indeed, the counters incremented are the one in the listener which does not exist in the case of client applets, so in sess->listener->counters, listener is NULL. This patch fixes the access to the listener structure when accessing from a sesssion, most of the access are the counters in error paths. Must be backported as far as 1.8.
2021-03-08 09:26:48 -05:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (objt_server(s->target))
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->txn->req.flags & HTTP_MSGF_SOFT_RW)) {
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
ret = ACT_RET_ERR;
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
}
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
goto leave;
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
}
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
/* parse a "replace-uri", "replace-path" or "replace-pathq"
* http-request action.
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
* This action takes 2 arguments (a regex and a replacement format string).
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
* The resulting rule makes use of <.action> to store the action (1/3 for now),
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
* <http.re> to store the compiled regex, and <http.fmt> to store the log-format
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
* list head. It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_replace_uri(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg = *orig_arg;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int cap = 0;
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
char *error = NULL;
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
switch (args[0][8]) {
case 'p':
if (args[0][12] == 'q')
rule->action = 4; // replace-pathq, same as set-pathq
else
rule->action = 1; // replace-path, same as set-path
break;
case 'u':
MINOR: http-rules: Use a specific action type for some custom HTTP actions For set-method, set-path, set-query and set-uri, a specific action type is used. The same as before but no longer stored in <arg.http.i>. Same is done for replace-path and replace-uri. The same types are used than the "set-" versions.
2019-12-18 09:39:56 -05:00
rule->action = 3; // replace-uri, same as set-uri
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
break;
default:
memprintf(err, "internal error: unhandled action '%s'", args[0]);
return ACT_RET_PRS_ERR;
}
MINOR: http: add a new "replace-path" action This action is very similar to "replace-uri" except that it only acts on the path component. This is assumed to better match users' expectations when they used to rely on "replace-uri" in HTTP/1 because mostly origin forms were used in H1 while mostly absolute URI form is used in H2, and their rules very often start with a '/', and as such do not match. It could help users to get this backported to 2.0 and 2.1.
2019-12-17 00:52:51 -05:00
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
rule->action_ptr = http_action_replace_uri;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
if (!*args[cur_arg] || !*args[cur_arg+1] ||
(*args[cur_arg+2] && strcmp(args[cur_arg+2], "if") != 0 && strcmp(args[cur_arg+2], "unless") != 0)) {
memprintf(err, "expects exactly 2 arguments <match-regex> and <replace-format>");
return ACT_RET_PRS_ERR;
}
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
if (!(rule->arg.http.re = regex_comp(args[cur_arg], 1, 1, &error))) {
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
memprintf(err, "failed to parse the regex : %s", error);
free(error);
return ACT_RET_PRS_ERR;
}
px->conf.args.ctx = ARGC_HRQ;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRQ_HDR;
if (!parse_logformat_string(args[cur_arg + 1], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) {
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
regex_free(rule->arg.http.re);
MINOR: http: add a new "http-request replace-uri" action This action is particularly convenient to replace some deprecated usees of "reqrep". It takes a match and a format string including back- references. The reqrep warning was updated to suggest it as well.
2019-06-12 11:44:02 -04:00
return ACT_RET_PRS_ERR;
}
(*orig_arg) += 2;
return ACT_RET_PRS_OK;
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* This function is just a compliant action wrapper for "set-status". */
static enum act_return action_http_set_status(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
if (http_res_set_status(rule->arg.http.i, rule->arg.http.str, s) == -1) {
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->fe->fe_counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (s->flags & SF_BE_ASSIGNED)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.failed_rewrites);
BUG/MEDIUM: session: NULL dereference possible when accessing the listener When implementing a client applet, a NULL dereference was encountered on the error path which increment the counters. Indeed, the counters incremented are the one in the listener which does not exist in the case of client applets, so in sess->listener->counters, listener is NULL. This patch fixes the access to the listener structure when accessing from a sesssion, most of the access are the counters in error paths. Must be backported as far as 1.8.
2021-03-08 09:26:48 -05:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
if (objt_server(s->target))
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_rewrites);
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->txn->req.flags & HTTP_MSGF_SOFT_RW)) {
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
BUG/MINOR: http-act: Set stream error flag before returning an error In action_http_set_status(), when a rewrite error occurred, the stream error flag must be set before returning the error. No need to backport this patch except if commit 333bf8c33 ("MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails") is backported. This bug was reported in issue #491.
2020-02-07 04:22:31 -05:00
return ACT_RET_ERR;
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
}
MINOR: http-rules: Handle all message rewrites the same way In HTTP rules, error handling during a rewrite is now handle the same way for all rules. First, allocation errors are reported as internal errors. Then, if soft rewrites are allowed, rewrite errors are ignored and only the failed_rewrites counter is incremented. Otherwise, when strict rewrites are mandatory, interanl errors are returned. For now, only soft rewrites are supported. Note also that the warning sent to notify a rewrite failure was removed. It will be useless once the strict rewrites will be possible.
2019-12-16 11:18:42 -05:00
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_CONT;
}
/* parse set-status action:
* This action accepts a single argument of type int representing
* an http status code. It returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_set_status(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
char *error;
rule->action = ACT_CUSTOM;
rule->action_ptr = action_http_set_status;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* Check if an argument is available */
if (!*args[*orig_arg]) {
memprintf(err, "expects 1 argument: <status>; or 3 arguments: <status> reason <fmt>");
return ACT_RET_PRS_ERR;
}
/* convert status code as integer */
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
rule->arg.http.i = strtol(args[*orig_arg], &error, 10);
if (*error != '\0' || rule->arg.http.i < 100 || rule->arg.http.i > 999) {
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
memprintf(err, "expects an integer status code between 100 and 999");
return ACT_RET_PRS_ERR;
}
(*orig_arg)++;
/* set custom reason string */
MINOR: actions: Regroup some info about HTTP rules in the same struct Info used by HTTP rules manipulating the message itself are splitted in several structures in the arg union. But it is possible to group all of them in a unique struct. Now, <arg.http> is used by most of these rules, which contains: * <arg.http.i> : an integer used as status code, nice/tos/mark/loglevel or action id. * <arg.http.str> : an IST used as header name, reason string or auth realm. * <arg.http.fmt> : a log-format compatible expression * <arg.http.re> : a regular expression used by replace rules
2019-12-17 07:46:18 -05:00
rule->arg.http.str = ist(NULL); // If null, we use the default reason for the status code.
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (*args[*orig_arg] && strcmp(args[*orig_arg], "reason") == 0 &&
(*args[*orig_arg + 1] && strcmp(args[*orig_arg + 1], "if") != 0 && strcmp(args[*orig_arg + 1], "unless") != 0)) {
(*orig_arg)++;
CLEANUP: Reapply ist.cocci This makes use of the newly added: - i.ptr = p; - i.len = strlen(i.ptr); + i = ist(p); patch.
2022-03-15 08:11:08 -04:00
rule->arg.http.str = ist(strdup(args[*orig_arg]));
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
(*orig_arg)++;
}
return ACT_RET_PRS_OK;
}
/* This function executes the "reject" HTTP action. It clears the request and
* response buffer without sending any response. It can be useful as an HTTP
* alternative to the silent-drop action to defend against DoS attacks, and may
* also be used with HTTP/2 to close a connection instead of just a stream.
* The txn status is unchanged, indicating no response was sent. The termination
BUG/MINOR: http-rules: Return ACT_RET_ABRT to abort a transaction When an action interrupts a transaction, returning a response or not, it must return the ACT_RET_ABRT value and not ACT_RET_DONE. ACT_RET_DONE is reserved to stop the processing on the current channel but some analysers may still be active. When ACT_RET_ABRT is returned, all analysers are removed, except FLT_END if it is set. No backport needed because on previous verions, the action return value was not handled the same way. It is stated in the comment the return action returns ACT_RET_ABRT on success. It it the right code to use to abort a transaction. ACT_RET_DONE must be used when the message processing must be stopped. This does not means the transaction is interrupted. No backport needed.
2020-03-06 05:18:39 -05:00
* flags will indicate "PR". It always returns ACT_RET_ABRT.
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
*/
static enum act_return http_action_reject(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
MINOR: tree-wide: Replace several chn_prod() by the corresponding SC At many places, call to chn_prod() can be easily replaced by the corresponding SC. It is a bit easier to understand which side is manipulated.
2023-04-13 10:44:18 -04:00
sc_must_kill_conn(s->scf);
MINOR: stream: Introduce stream_abort() to abort on both sides in same time The function stream_abort() should now be called when an abort is performed on the both channels in same time.
2023-04-13 09:22:29 -04:00
stream_abort(s);
BUG/MINOR: http-rules: Fix a typo in the reject action function A typo was introduced by the commit c5bb5a0f2 ("BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action"). This patch must be backported with the commit c5bb5a0f2.
2020-03-06 09:07:09 -05:00
s->req.analysers &= AN_REQ_FLT_END;
s->res.analysers &= AN_RES_FLT_END;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.denied_req);
_HA_ATOMIC_INC(&sess->fe->fe_counters.denied_req);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->denied_req);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
if (!(s->flags & SF_FINST_MASK))
s->flags |= SF_FINST_R;
BUG/MINOR: http-rules: Return ACT_RET_ABRT to abort a transaction When an action interrupts a transaction, returning a response or not, it must return the ACT_RET_ABRT value and not ACT_RET_DONE. ACT_RET_DONE is reserved to stop the processing on the current channel but some analysers may still be active. When ACT_RET_ABRT is returned, all analysers are removed, except FLT_END if it is set. No backport needed because on previous verions, the action return value was not handled the same way. It is stated in the comment the return action returns ACT_RET_ABRT on success. It it the right code to use to abort a transaction. ACT_RET_DONE must be used when the message processing must be stopped. This does not means the transaction is interrupted. No backport needed.
2020-03-06 05:18:39 -05:00
return ACT_RET_ABRT;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
}
/* parse the "reject" action:
* This action takes no argument and returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_action_reject(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_reject;
return ACT_RET_PRS_OK;
}
MEDIUM: streams: Add a new http action, disable-l7-retry. Add a new action for http-request, disable-l7-retry, that can be used to disable any attempt at retry requests (see retry-on) if it fails for any reason other than a connection failure. This is useful for example to make sure POST requests aren't retried.
2019-05-10 07:59:15 -04:00
/* This function executes the "disable-l7-retry" HTTP action.
* It disables L7 retries (all retry except for a connection failure). This
* can be useful for example to avoid retrying on POST requests.
MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction The L7 retries only concerns the stream when a server connection is established. Thus instead of storing the L7 buffer into the stream-interface, it may be moved to the stream. And because it is only available for HTTP streams, it may be moved in the HTTP transaction. Associated flags are also moved into the HTTP transaction.
2022-03-29 09:23:40 -04:00
* It just removes the L7 retry flag on the HTTP transaction, and always
MEDIUM: streams: Add a new http action, disable-l7-retry. Add a new action for http-request, disable-l7-retry, that can be used to disable any attempt at retry requests (see retry-on) if it fails for any reason other than a connection failure. This is useful for example to make sure POST requests aren't retried.
2019-05-10 07:59:15 -04:00
* return ACT_RET_CONT;
*/
static enum act_return http_req_disable_l7_retry(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction The L7 retries only concerns the stream when a server connection is established. Thus instead of storing the L7 buffer into the stream-interface, it may be moved to the stream. And because it is only available for HTTP streams, it may be moved in the HTTP transaction. Associated flags are also moved into the HTTP transaction.
2022-03-29 09:23:40 -04:00
/* In theory, the TX_L7_RETRY flags isn't set at this point, but
MEDIUM: streams: Add a new http action, disable-l7-retry. Add a new action for http-request, disable-l7-retry, that can be used to disable any attempt at retry requests (see retry-on) if it fails for any reason other than a connection failure. This is useful for example to make sure POST requests aren't retried.
2019-05-10 07:59:15 -04:00
* let's be future-proof and remove it anyway.
*/
MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction The L7 retries only concerns the stream when a server connection is established. Thus instead of storing the L7 buffer into the stream-interface, it may be moved to the stream. And because it is only available for HTTP streams, it may be moved in the HTTP transaction. Associated flags are also moved into the HTTP transaction.
2022-03-29 09:23:40 -04:00
s->txn->flags &= ~TX_L7_RETRY;
s->txn->flags |= TX_D_L7_RETRY;
MEDIUM: streams: Add a new http action, disable-l7-retry. Add a new action for http-request, disable-l7-retry, that can be used to disable any attempt at retry requests (see retry-on) if it fails for any reason other than a connection failure. This is useful for example to make sure POST requests aren't retried.
2019-05-10 07:59:15 -04:00
return ACT_RET_CONT;
}
/* parse the "disable-l7-retry" action:
* This action takes no argument and returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_req_disable_l7_retry(const char **args,
int *orig_args, struct proxy *px,
struct act_rule *rule, char **err)
{
rule->action = ACT_CUSTOM;
rule->action_ptr = http_req_disable_l7_retry;
return ACT_RET_PRS_OK;
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* This function executes the "capture" action. It executes a fetch expression,
* turns the result into a string and puts it in a capture slot. It always
* returns 1. If an error occurs the action is cancelled, but the rule
* processing continues.
*/
static enum act_return http_action_req_capture(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct sample *key;
struct cap_hdr *h = rule->arg.cap.hdr;
char **cap = s->req_cap;
int len;
key = sample_fetch_as_type(s->be, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.cap.expr, SMP_T_STR);
if (!key)
return ACT_RET_CONT;
if (cap[h->index] == NULL)
cap[h->index] = pool_alloc(h->pool);
if (cap[h->index] == NULL) /* no more capture memory */
return ACT_RET_CONT;
len = key->data.u.str.data;
if (len > h->len)
len = h->len;
memcpy(cap[h->index], key->data.u.str.area, len);
cap[h->index][len] = 0;
return ACT_RET_CONT;
}
/* This function executes the "capture" action and store the result in a
* capture slot if exists. It executes a fetch expression, turns the result
* into a string and puts it in a capture slot. It always returns 1. If an
* error occurs the action is cancelled, but the rule processing continues.
*/
static enum act_return http_action_req_capture_by_id(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct sample *key;
struct cap_hdr *h;
char **cap = s->req_cap;
struct proxy *fe = strm_fe(s);
int len;
int i;
/* Look for the original configuration. */
for (h = fe->req_cap, i = fe->nb_req_cap - 1;
h != NULL && i != rule->arg.capid.idx ;
i--, h = h->next);
if (!h)
return ACT_RET_CONT;
key = sample_fetch_as_type(s->be, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.capid.expr, SMP_T_STR);
if (!key)
return ACT_RET_CONT;
if (cap[h->index] == NULL)
cap[h->index] = pool_alloc(h->pool);
if (cap[h->index] == NULL) /* no more capture memory */
return ACT_RET_CONT;
len = key->data.u.str.data;
if (len > h->len)
len = h->len;
memcpy(cap[h->index], key->data.u.str.area, len);
cap[h->index][len] = 0;
return ACT_RET_CONT;
}
/* Check an "http-request capture" action.
*
* The function returns 1 in success case, otherwise, it returns 0 and err is
* filled.
*/
static int check_http_req_capture(struct act_rule *rule, struct proxy *px, char **err)
{
if (rule->action_ptr != http_action_req_capture_by_id)
return 1;
BUG/MINOR: http_act: don't check capture id in backend A wrong behavior was introduced by e9544935e86278dfa3d49fb4b97b860774730625, leading to preventing loading any configuration where a capture slot id is used in a backend. IE, the configuration below does not parse: frontend f bind *:80 declare capture request len 32 default_backend webserver backend webserver http-request capture req.hdr(Host) id 1 The point is that such type of configuration is valid and should run. This patch enforces the check of capture slot id only if the action rule is configured in a frontend. The point is that at configuration parsing time, it is impossible to check which frontend could point to this backend (furthermore if we use dynamic backend name resolution at runtime). The documentation has been updated to warn the user to ensure that relevant frontends have required declaration when such rule has to be used in a backend. If no capture slot can be found, then the action will just not be executed and HAProxy will process the next one in the list, as expected. This should be backported to all supported branches (bug created as part of a bug fix introduced into 1.7 and backported to 1.6).
2020-01-16 08:34:22 -05:00
/* capture slots can only be declared in frontends, so we can't check their
* existence in backends at configuration parsing step
*/
if (px->cap & PR_CAP_FE && rule->arg.capid.idx >= px->nb_req_cap) {
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
memprintf(err, "unable to find capture id '%d' referenced by http-request capture rule",
rule->arg.capid.idx);
return 0;
}
return 1;
}
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
/* Release memory allocate by an http capture action */
static void release_http_capture(struct act_rule *rule)
{
if (rule->action_ptr == http_action_req_capture)
release_sample_expr(rule->arg.cap.expr);
else
release_sample_expr(rule->arg.capid.expr);
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/* parse an "http-request capture" action. It takes a single argument which is
* a sample fetch expression. It stores the expression into arg->act.p[0] and
* the allocated hdr_cap struct or the preallocated "id" into arg->act.p[1].
* It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_req_capture(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
struct sample_expr *expr;
struct cap_hdr *hdr;
int cur_arg;
int len = 0;
for (cur_arg = *orig_arg; cur_arg < *orig_arg + 3 && *args[cur_arg]; cur_arg++)
if (strcmp(args[cur_arg], "if") == 0 ||
strcmp(args[cur_arg], "unless") == 0)
break;
if (cur_arg < *orig_arg + 3) {
memprintf(err, "expects <expression> [ 'len' <length> | id <idx> ]");
return ACT_RET_PRS_ERR;
}
cur_arg = *orig_arg;
MINOR: sample: make sample_parse_expr() able to return an end pointer When an end pointer is passed, instead of complaining that a comma is missing after a keyword, sample_parse_expr() will silently return the pointer to the current location into this return pointer so that the caller can continue its parsing. This will be used by more complex expressions which embed sample expressions, and may even permit to embed sample expressions into arguments of other expressions.
2020-02-14 10:50:14 -05:00
expr = sample_parse_expr((char **)args, &cur_arg, px->conf.args.file, px->conf.args.line, err, &px->conf.args, NULL);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (!expr)
return ACT_RET_PRS_ERR;
if (!(expr->fetch->val & SMP_VAL_FE_HRQ_HDR)) {
memprintf(err,
"fetch method '%s' extracts information from '%s', none of which is available here",
args[cur_arg-1], sample_src_names(expr->fetch->use));
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
if (!args[cur_arg] || !*args[cur_arg]) {
memprintf(err, "expects 'len or 'id'");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
if (strcmp(args[cur_arg], "len") == 0) {
cur_arg++;
if (!(px->cap & PR_CAP_FE)) {
memprintf(err, "proxy '%s' has no frontend capability", px->id);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
px->conf.args.ctx = ARGC_CAP;
if (!args[cur_arg]) {
memprintf(err, "missing length value");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
/* we copy the table name for now, it will be resolved later */
len = atoi(args[cur_arg]);
if (len <= 0) {
memprintf(err, "length must be > 0");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
cur_arg++;
hdr = calloc(1, sizeof(*hdr));
BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture A memory allocation failure happening in parse_http_req_capture while processing a "len" keyword and allocating a cap_hdr structure would have resulted in a crash. This function is only called during configuration parsing. It was raised in GitHub issue #1233. It could be backported to all stable branches.
2021-05-12 11:54:17 -04:00
if (!hdr) {
memprintf(err, "out of memory");
release_sample_expr(expr);
return ACT_RET_PRS_ERR;
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
hdr->next = px->req_cap;
hdr->name = NULL; /* not a header capture */
hdr->namelen = 0;
hdr->len = len;
hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
hdr->index = px->nb_req_cap++;
px->req_cap = hdr;
px->to_log |= LW_REQHDR;
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_req_capture;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_capture;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
rule->arg.cap.expr = expr;
rule->arg.cap.hdr = hdr;
}
else if (strcmp(args[cur_arg], "id") == 0) {
int id;
char *error;
cur_arg++;
if (!args[cur_arg]) {
memprintf(err, "missing id value");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
id = strtol(args[cur_arg], &error, 10);
if (*error != '\0') {
memprintf(err, "cannot parse id '%s'", args[cur_arg]);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
cur_arg++;
px->conf.args.ctx = ARGC_CAP;
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_req_capture_by_id;
rule->check_ptr = check_http_req_capture;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_capture;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
rule->arg.capid.expr = expr;
rule->arg.capid.idx = id;
}
else {
memprintf(err, "expects 'len' or 'id', found '%s'", args[cur_arg]);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
/* This function executes the "capture" action and store the result in a
* capture slot if exists. It executes a fetch expression, turns the result
* into a string and puts it in a capture slot. It always returns 1. If an
* error occurs the action is cancelled, but the rule processing continues.
*/
static enum act_return http_action_res_capture_by_id(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct sample *key;
struct cap_hdr *h;
char **cap = s->res_cap;
struct proxy *fe = strm_fe(s);
int len;
int i;
/* Look for the original configuration. */
for (h = fe->rsp_cap, i = fe->nb_rsp_cap - 1;
h != NULL && i != rule->arg.capid.idx ;
i--, h = h->next);
if (!h)
return ACT_RET_CONT;
key = sample_fetch_as_type(s->be, sess, s, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->arg.capid.expr, SMP_T_STR);
if (!key)
return ACT_RET_CONT;
if (cap[h->index] == NULL)
cap[h->index] = pool_alloc(h->pool);
if (cap[h->index] == NULL) /* no more capture memory */
return ACT_RET_CONT;
len = key->data.u.str.data;
if (len > h->len)
len = h->len;
memcpy(cap[h->index], key->data.u.str.area, len);
cap[h->index][len] = 0;
return ACT_RET_CONT;
}
/* Check an "http-response capture" action.
*
* The function returns 1 in success case, otherwise, it returns 0 and err is
* filled.
*/
static int check_http_res_capture(struct act_rule *rule, struct proxy *px, char **err)
{
if (rule->action_ptr != http_action_res_capture_by_id)
return 1;
BUG/MINOR: http_act: don't check capture id in backend (2) Please refer to commit 19a69b3740702ce5503a063e9dfbcea5b9187d27 for all the details. This follow up commit fixes the `http-response capture` case, the previous one only fixed the `http-request capture` one. The documentation was already updated and the change to `check_http_res_capture` is identical to the `check_http_req_capture` change. This patch must be backported together with 19a69b3740702ce5503a063e9dfbcea5b9187d27. Most likely this is 1.6+.
2020-07-03 07:43:42 -04:00
/* capture slots can only be declared in frontends, so we can't check their
* existence in backends at configuration parsing step
*/
if (px->cap & PR_CAP_FE && rule->arg.capid.idx >= px->nb_rsp_cap) {
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
memprintf(err, "unable to find capture id '%d' referenced by http-response capture rule",
rule->arg.capid.idx);
return 0;
}
return 1;
}
/* parse an "http-response capture" action. It takes a single argument which is
* a sample fetch expression. It stores the expression into arg->act.p[0] and
CLEANUP: Fix spelling errors in comments This is from the output of codespell. It's done at once over a bunch of files and only affects comments, so there is nothing user-visible. No backport needed.
2021-01-07 23:35:52 -05:00
* the allocated hdr_cap struct of the preallocated id into arg->act.p[1].
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
* It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_res_capture(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
struct sample_expr *expr;
int cur_arg;
int id;
char *error;
for (cur_arg = *orig_arg; cur_arg < *orig_arg + 3 && *args[cur_arg]; cur_arg++)
if (strcmp(args[cur_arg], "if") == 0 ||
strcmp(args[cur_arg], "unless") == 0)
break;
if (cur_arg < *orig_arg + 3) {
memprintf(err, "expects <expression> id <idx>");
return ACT_RET_PRS_ERR;
}
cur_arg = *orig_arg;
MINOR: sample: make sample_parse_expr() able to return an end pointer When an end pointer is passed, instead of complaining that a comma is missing after a keyword, sample_parse_expr() will silently return the pointer to the current location into this return pointer so that the caller can continue its parsing. This will be used by more complex expressions which embed sample expressions, and may even permit to embed sample expressions into arguments of other expressions.
2020-02-14 10:50:14 -05:00
expr = sample_parse_expr((char **)args, &cur_arg, px->conf.args.file, px->conf.args.line, err, &px->conf.args, NULL);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
if (!expr)
return ACT_RET_PRS_ERR;
if (!(expr->fetch->val & SMP_VAL_FE_HRS_HDR)) {
memprintf(err,
"fetch method '%s' extracts information from '%s', none of which is available here",
args[cur_arg-1], sample_src_names(expr->fetch->use));
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
if (!args[cur_arg] || !*args[cur_arg]) {
memprintf(err, "expects 'id'");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
if (strcmp(args[cur_arg], "id") != 0) {
memprintf(err, "expects 'id', found '%s'", args[cur_arg]);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
cur_arg++;
if (!args[cur_arg]) {
memprintf(err, "missing id value");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
id = strtol(args[cur_arg], &error, 10);
if (*error != '\0') {
memprintf(err, "cannot parse id '%s'", args[cur_arg]);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
return ACT_RET_PRS_ERR;
}
cur_arg++;
px->conf.args.ctx = ARGC_CAP;
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_res_capture_by_id;
rule->check_ptr = check_http_res_capture;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_capture;
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
rule->arg.capid.expr = expr;
rule->arg.capid.idx = id;
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "allow" action for a request or a response rule. It takes no argument. It
* returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_allow(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
rule->action = ACT_ACTION_ALLOW;
MINOR: actions: Add flags to configure the action behaviour Some flags can now be set on an action when it is registered. The flags are defined in the act_flag enum. For now, only ACT_FLAG_FINAL may be set on an action to specify if it stops the rules evaluation. It is set on ACT_ACTION_ALLOW, ACT_ACTION_DENY, ACT_HTTP_REQ_TARPIT, ACT_HTTP_REQ_AUTH, ACT_HTTP_REDIR and ACT_TCP_CLOSE actions. But, when required, it may also be set on custom actions. Consequently, this flag is checked instead of the action type during the configuration parsing to trigger a warning when a rule inhibits all the following ones.
2019-12-18 08:58:12 -05:00
rule->flags |= ACT_FLAG_FINAL;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
/* Parse "deny" or "tarpit" actions for a request rule or "deny" action for a
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
* response rule. It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on
* error. It relies on http_parse_http_reply() to set
* <.arg.http_reply>.
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*/
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
static enum act_parse_ret parse_http_deny(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
int default_status;
int cur_arg, arg = 0;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
if (rule->from == ACT_F_HTTP_REQ) {
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[cur_arg - 1], "tarpit") == 0) {
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
rule->action = ACT_HTTP_REQ_TARPIT;
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
default_status = 500;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
else {
rule->action = ACT_ACTION_DENY;
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
default_status = 403;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
}
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
else {
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
rule->action = ACT_ACTION_DENY;
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
default_status = 502;
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
}
MINOR: http-rules: Support an optional status on deny rules for http reponses It is now possible to specified the status code to return an http-response deny rules. For instance : http-response deny deny_status 500
2020-01-13 10:43:45 -05:00
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
/* If no args or only a deny_status specified, fallback on the legacy
* mode and use default error files despite the fact that
* default-errorfiles is not used. Otherwise, parse an http reply.
*/
MINOR: http-rules: Support an optional status on deny rules for http reponses It is now possible to specified the status code to return an http-response deny rules. For instance : http-response deny deny_status 500
2020-01-13 10:43:45 -05:00
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
/* Prepare parsing of log-format strings */
px->conf.args.ctx = ((rule->from == ACT_F_HTTP_REQ) ? ARGC_HRQ : ARGC_HRS);
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
BUG/MINOR: http-rules: Fix ACLs parsing for http deny rules The parsing of http deny rules with no argument or only the deny_status argument is buggy if followed by an ACLs expression (starting with "if" or "unless" keyword). Instead of using the proxy errorfiles, a dummy error is used. To fix the bug, the parsing function must also check for "if" or "unless" keyword in such cases. This patch should fix the issue #720. No backport is needed.
2020-06-30 03:32:01 -04:00
if (!*(args[cur_arg]) || strcmp(args[cur_arg], "if") == 0 || strcmp(args[cur_arg], "unless") == 0) {
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
rule->arg.http_reply = http_parse_http_reply((const char *[]){"default-errorfiles", ""}, &arg, px, default_status, err);
goto end;
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
}
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
if (strcmp(args[cur_arg], "deny_status") == 0) {
BUG/MINOR: http-rules: Fix ACLs parsing for http deny rules The parsing of http deny rules with no argument or only the deny_status argument is buggy if followed by an ACLs expression (starting with "if" or "unless" keyword). Instead of using the proxy errorfiles, a dummy error is used. To fix the bug, the parsing function must also check for "if" or "unless" keyword in such cases. This patch should fix the issue #720. No backport is needed.
2020-06-30 03:32:01 -04:00
if (!*(args[cur_arg+2]) || strcmp(args[cur_arg+2], "if") == 0 || strcmp(args[cur_arg+2], "unless") == 0) {
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
rule->arg.http_reply = http_parse_http_reply((const char *[]){"status", args[cur_arg+1], "default-errorfiles", ""},
&arg, px, default_status, err);
*orig_arg += 2;
goto end;
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
}
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
args[cur_arg] += 5; /* skip "deny_" for the parsing */
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
}
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
rule->arg.http_reply = http_parse_http_reply(args, orig_arg, px, default_status, err);
MEDIUM: http-rules: Support an optional error message in http deny rules It is now possible to set the error message to use when a deny rule is executed. It may be a specific error file, adding "errorfile <file>" : http-request deny deny_status 400 errorfile /etc/haproxy/errorfiles/400badreq.http It may also be an error file from an http-errors section, adding "errorfiles <name>" : http-request deny errorfiles my-errors # use 403 error from "my-errors" section When defined, this error message is set in the HTTP transaction. The tarpit rule is also concerned by this change.
2020-01-14 06:00:28 -05:00
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
end:
if (!rule->arg.http_reply)
return ACT_RET_PRS_ERR;
rule->flags |= ACT_FLAG_FINAL;
rule->check_ptr = check_act_http_reply;
rule->release_ptr = release_act_http_reply;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Use an action function to eval http-request auth rules Now http-request auth rules are evaluated in a dedicated function and no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_REQ_AUTH is removed. In additionn, http_reply_40x_unauthorized() is also removed. This part is now handled in the new action_ptr callback function.
2020-05-27 09:26:43 -04:00
/* This function executes a auth action. It builds an 401/407 HTX message using
* the corresponding proxy's error message. On success, it returns
* ACT_RET_ABRT. If an error occurs ACT_RET_ERR is returned.
*/
static enum act_return http_action_auth(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct channel *req = &s->req;
struct channel *res = &s->res;
struct htx *htx = htx_from_buf(&res->buf);
struct http_reply *reply;
const char *auth_realm;
struct http_hdr_ctx ctx;
struct ist hdr;
/* Auth might be performed on regular http-req rules as well as on stats */
auth_realm = rule->arg.http.str.ptr;
if (!auth_realm) {
if (px->uri_auth && s->current_rule_list == &px->uri_auth->http_req_rules)
auth_realm = STATS_DEFAULT_REALM;
else
auth_realm = px->id;
}
if (!(s->txn->flags & TX_USE_PX_CONN)) {
s->txn->status = 401;
hdr = ist("WWW-Authenticate");
}
else {
s->txn->status = 407;
hdr = ist("Proxy-Authenticate");
}
reply = http_error_message(s);
channel_htx_truncate(res, htx);
if (chunk_printf(&trash, "Basic realm=\"%s\"", auth_realm) == -1)
goto fail;
/* Write the generic 40x message */
if (http_reply_to_htx(s, htx, reply) == -1)
goto fail;
/* Remove all existing occurrences of the XXX-Authenticate header */
ctx.blk = NULL;
while (http_find_header(htx, hdr, &ctx, 1))
http_remove_header(htx, &ctx);
/* Now a the right XXX-Authenticate header */
if (!http_add_header(htx, hdr, ist2(b_orig(&trash), b_data(&trash))))
goto fail;
/* Finally forward the reply */
htx_to_buf(htx, &res->buf);
if (!http_forward_proxy_resp(s, 1))
goto fail;
/* Note: Only eval on the request */
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
s->logs.request_ts = now_ns;
MINOR: http-rules: Use an action function to eval http-request auth rules Now http-request auth rules are evaluated in a dedicated function and no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_REQ_AUTH is removed. In additionn, http_reply_40x_unauthorized() is also removed. This part is now handled in the new action_ptr callback function.
2020-05-27 09:26:43 -04:00
req->analysers &= AN_REQ_FLT_END;
if (s->sess->fe == s->be) /* report it if the request was intercepted by the frontend */
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->sess->fe->fe_counters.intercepted_req);
MINOR: http-rules: Use an action function to eval http-request auth rules Now http-request auth rules are evaluated in a dedicated function and no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_REQ_AUTH is removed. In additionn, http_reply_40x_unauthorized() is also removed. This part is now handled in the new action_ptr callback function.
2020-05-27 09:26:43 -04:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_LOCAL;
if (!(s->flags & SF_FINST_MASK))
s->flags |= SF_FINST_R;
stream_inc_http_err_ctr(s);
return ACT_RET_ABRT;
fail:
/* If an error occurred, remove the incomplete HTTP response from the
* buffer */
channel_htx_truncate(res, htx);
return ACT_RET_ERR;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "auth" action. It may take 2 optional arguments to define a "realm"
* parameter. It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_auth(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg;
MINOR: http-rules: Use an action function to eval http-request auth rules Now http-request auth rules are evaluated in a dedicated function and no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_REQ_AUTH is removed. In additionn, http_reply_40x_unauthorized() is also removed. This part is now handled in the new action_ptr callback function.
2020-05-27 09:26:43 -04:00
rule->action = ACT_CUSTOM;
MINOR: actions: Add flags to configure the action behaviour Some flags can now be set on an action when it is registered. The flags are defined in the act_flag enum. For now, only ACT_FLAG_FINAL may be set on an action to specify if it stops the rules evaluation. It is set on ACT_ACTION_ALLOW, ACT_ACTION_DENY, ACT_HTTP_REQ_TARPIT, ACT_HTTP_REQ_AUTH, ACT_HTTP_REDIR and ACT_TCP_CLOSE actions. But, when required, it may also be set on custom actions. Consequently, this flag is checked instead of the action type during the configuration parsing to trigger a warning when a rule inhibits all the following ones.
2019-12-18 08:58:12 -05:00
rule->flags |= ACT_FLAG_FINAL;
MINOR: http-rules: Use an action function to eval http-request auth rules Now http-request auth rules are evaluated in a dedicated function and no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_REQ_AUTH is removed. In additionn, http_reply_40x_unauthorized() is also removed. This part is now handled in the new action_ptr callback function.
2020-05-27 09:26:43 -04:00
rule->action_ptr = http_action_auth;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[cur_arg], "realm") == 0) {
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg++;
if (!*args[cur_arg]) {
memprintf(err, "missing realm value.\n");
return ACT_RET_PRS_ERR;
}
CLEANUP: Reapply ist.cocci This makes use of the newly added: - i.ptr = p; - i.len = strlen(i.ptr); + i = ist(p); patch.
2022-03-15 08:11:08 -04:00
rule->arg.http.str = ist(strdup(args[cur_arg]));
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg++;
}
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
/* This function executes a early-hint action. It adds an HTTP Early Hint HTTP
* 103 response header with <.arg.http.str> name and with a value built
* according to <.arg.http.fmt> log line format. If it is the first early-hint
CLEANUP: assorted typo fixes in the code and comments This is 9th iteration of typo fixes
2020-05-05 15:53:22 -04:00
* rule of series, the 103 response start-line is added first. At the end, if
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
* the next rule is not an early-hint rule or if it is the last rule, the EOH
* block is added to terminate the response. On success, it returns
* ACT_RET_CONT. If an error occurs while soft rewrites are enabled, the action
* is canceled, but the rule processing continue. Otherwsize ACT_RET_ERR is
* returned.
*/
static enum act_return http_action_early_hint(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
struct act_rule *next_rule;
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
struct channel *res = &s->res;
struct htx *htx = htx_from_buf(&res->buf);
struct buffer *value = alloc_trash_chunk();
enum act_return ret = ACT_RET_CONT;
if (!(s->txn->req.flags & HTTP_MSGF_VER_11))
goto leave;
if (!value) {
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
goto error;
}
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
/* if there is no pending 103 response, start a new response. Otherwise,
* continue to add link to a previously started response
*/
if (s->txn->status != 103) {
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
struct htx_sl *sl;
unsigned int flags = (HTX_SL_F_IS_RESP|HTX_SL_F_VER_11|
HTX_SL_F_XFER_LEN|HTX_SL_F_BODYLESS);
sl = htx_add_stline(htx, HTX_BLK_RES_SL, flags,
ist("HTTP/1.1"), ist("103"), ist("Early Hints"));
if (!sl)
goto error;
sl->info.res.status = 103;
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
s->txn->status = 103;
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
}
CLEANUP: assorted typo fixes in the code and comments This is 35th iteration of typo fixes
2023-04-01 06:26:42 -04:00
/* Add the HTTP Early Hint HTTP 103 response header */
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
value->data = build_logline(s, b_tail(value), b_room(value), &rule->arg.http.fmt);
if (!htx_add_header(htx, rule->arg.http.str, ist2(b_head(value), b_data(value))))
goto error;
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
/* if it is the last rule or the next one is not an early-hint or an
* conditional early-hint, terminate the current response.
*/
next_rule = LIST_NEXT(&rule->list, typeof(rule), list);
if (&next_rule->list == s->current_rule_list || next_rule->action_ptr != http_action_early_hint || next_rule->cond) {
if (!htx_add_endof(htx, HTX_BLK_EOH))
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
goto error;
MINOR: http-ana/http-rules: Use dedicated function to forward internal responses Call http_forward_proxy_resp() function when an internal response is returned. It concerns redirect, auth and error reponses. But also 100-Continue and 103-Early-Hints responses. For errors, there is a subtlety. if the forward fails, an HTTP 500 error is generated if it is not already an internal error. For now http_forward_proxy_resp() cannot fail. But it will be possible when the new ruleset applied on all responses will be added.
2020-01-28 03:28:11 -05:00
if (!http_forward_proxy_resp(s, 0))
goto error;
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
s->txn->status = 0;
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
}
leave:
free_trash_chunk(value);
return ret;
error:
/* If an error occurred during an Early-hint rule, remove the incomplete
* HTTP 103 response from the buffer */
channel_htx_truncate(res, htx);
ret = ACT_RET_ERR;
BUG/MINOR: http-act: Properly generate 103 responses when several rules are used When several "early-hint" rules are used, we try, as far as possible, to merge links into the same 103-early-hints response. However, it only works if there is no ACLs. If a "early-hint" rule is not executed an invalid response is generated. the EOH block or the start-line may be missing, depending on the rule order. To fix the bug, we use the transaction status code. It is unused at this stage. Thus, it is set to 103 when a 103-early-hints response is in progress. And it is reset when the response is forwarded. In addition, the response is forwarded if the next rule is an "early-hint" rule with an ACL. This way, the response is always valid. This patch must be backported as far as 2.2.
2022-07-05 10:24:15 -04:00
s->txn->status = 0;
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
goto leave;
}
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
/* This function executes a set-header or add-header actions. It builds a string
* in the trash from the specified format string. It finds the action to be
* performed in <.action>, previously filled by function parse_set_header(). The
CLEANUP: assorted typo fixes in the code and comments This is 9th iteration of typo fixes
2020-05-05 15:53:22 -04:00
* replacement action is executed by the function http_action_set_header(). On
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
* success, it returns ACT_RET_CONT. If an error occurs while soft rewrites are
* enabled, the action is canceled, but the rule processing continue. Otherwsize
* ACT_RET_ERR is returned.
*/
static enum act_return http_action_set_header(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
BUG/MINOR: http-act: Use the good message to test strict rewritting mode Since the strict rewritting mode was introduced, actions manipulating headers (set/add/replace) always rely on the request message to test if the HTTP_MSGF_SOFT_RW flag is set or not. But, of course, we must only rely on the request for http-request rules. For http-response rules, we must use the response message. This patch must be backported if the strict rewritting is backported too.
2020-01-24 09:37:13 -05:00
struct http_msg *msg = ((rule->from == ACT_F_HTTP_REQ) ? &s->txn->req : &s->txn->rsp);
struct htx *htx = htxbuf(&msg->chn->buf);
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
enum act_return ret = ACT_RET_CONT;
struct buffer *replace;
struct http_hdr_ctx ctx;
struct ist n, v;
replace = alloc_trash_chunk();
if (!replace)
goto fail_alloc;
replace->data = build_logline(s, replace->area, replace->size, &rule->arg.http.fmt);
n = rule->arg.http.str;
v = ist2(replace->area, replace->data);
if (rule->action == 0) { // set-header
/* remove all occurrences of the header */
ctx.blk = NULL;
while (http_find_header(htx, n, &ctx, 1))
http_remove_header(htx, &ctx);
}
/* Now add header */
if (!http_add_header(htx, n, v))
goto fail_rewrite;
leave:
free_trash_chunk(replace);
return ret;
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
fail_rewrite:
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->fe->fe_counters.failed_rewrites);
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
if (s->flags & SF_BE_ASSIGNED)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.failed_rewrites);
BUG/MEDIUM: session: NULL dereference possible when accessing the listener When implementing a client applet, a NULL dereference was encountered on the error path which increment the counters. Indeed, the counters incremented are the one in the listener which does not exist in the case of client applets, so in sess->listener->counters, listener is NULL. This patch fixes the access to the listener structure when accessing from a sesssion, most of the access are the counters in error paths. Must be backported as far as 1.8.
2021-03-08 09:26:48 -05:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->failed_rewrites);
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
if (objt_server(s->target))
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_rewrites);
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(msg->flags & HTTP_MSGF_SOFT_RW)) {
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
ret = ACT_RET_ERR;
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
}
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
goto leave;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "set-header", "add-header" or "early-hint" actions. It takes an
* header name and a log-format string as arguments. It returns ACT_RET_PRS_OK
* on success, ACT_RET_PRS_ERR on error.
*
* Note: same function is used for the request and the response. However
* "early-hint" rules are only supported for request rules.
*/
static enum act_parse_ret parse_http_set_header(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int cap = 0, cur_arg;
MINOR: http-act: emit a warning when a header field name contains forbidden chars As found in issue #2089, it's easy to mistakenly paste a colon in a header name, or other chars (e.g. spaces) when quotes are in use, and this causes all sort of trouble in field because such chars are rejected by the peer. Better try to detect these upfront. That's what we're doing here during the parsing of the add-header/set-header/early-hint actions, where a warning is emitted if a non-token character is found in a header name. A special case is made for the colon at the beginning so that it remains possible to place any future pseudo-headers that may appear. E.g: [WARNING] (14388) : config : parsing [badchar.cfg:23] : header name 'X-Content-Type-Options:' contains forbidden character ':'. This should be backported to 2.7, and ideally it should be turned to an error in future versions.
2023-04-03 23:25:16 -04:00
const char *p;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MEDIUM: http-rules: Make early-hint custom actions Now, the early-hint action uses its own dedicated action and is no longer handled "in place" during the HTTP rules evaluation. Thus the action name ACT_HTTP_EARLY_HINT is removed. In additionn, http_add_early_hint_header() and http_reply_103_early_hints() are also removed. This part is now handled in the new action_ptr callback function.
2020-01-17 16:30:06 -05:00
if (args[*orig_arg-1][0] == 'e') {
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_early_hint;
}
MINOR: http-rules: Make set-header and add-header custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_SET_HDR and ACT_HTTP_ADD_VAL are removed. The action type is now set to 0 to set a header (so remove existing ones if any and add a new one) or to 1 to add a header (add without remove).
2019-12-17 03:33:38 -05:00
else {
if (args[*orig_arg-1][0] == 's')
rule->action = 0; // set-header
else
rule->action = 1; // add-header
rule->action_ptr = http_action_set_header;
}
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
if (!*args[cur_arg] || !*args[cur_arg+1]) {
memprintf(err, "expects exactly 2 arguments");
return ACT_RET_PRS_ERR;
}
CLEANUP: Reapply ist.cocci This makes use of the newly added: - i.ptr = p; - i.len = strlen(i.ptr); + i = ist(p); patch.
2022-03-15 08:11:08 -04:00
rule->arg.http.str = ist(strdup(args[cur_arg]));
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
if (rule->from == ACT_F_HTTP_REQ) {
px->conf.args.ctx = ARGC_HRQ;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRQ_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
else{
px->conf.args.ctx = ARGC_HRS;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRS_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRS_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
cur_arg++;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
if (!parse_logformat_string(args[cur_arg], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) {
CLEANUP: Use `isttest()` and `istfree()` This adjusts a few locations to make use of `isttest()` and `istfree()`.
2020-03-05 11:56:33 -05:00
istfree(&rule->arg.http.str);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http-act: emit a warning when a header field name contains forbidden chars As found in issue #2089, it's easy to mistakenly paste a colon in a header name, or other chars (e.g. spaces) when quotes are in use, and this causes all sort of trouble in field because such chars are rejected by the peer. Better try to detect these upfront. That's what we're doing here during the parsing of the add-header/set-header/early-hint actions, where a warning is emitted if a non-token character is found in a header name. A special case is made for the colon at the beginning so that it remains possible to place any future pseudo-headers that may appear. E.g: [WARNING] (14388) : config : parsing [badchar.cfg:23] : header name 'X-Content-Type-Options:' contains forbidden character ':'. This should be backported to 2.7, and ideally it should be turned to an error in future versions.
2023-04-03 23:25:16 -04:00
/* some characters are totally forbidden in header names and
* may happen by accident when writing configs, causing strange
* failures in field. Better catch these ones early, nobody will
* miss them. In particular, a colon at the end (or anywhere
* after the first char) or a space/cr anywhere due to misplaced
* quotes are hard to spot.
*/
for (p = istptr(rule->arg.http.str); p < istend(rule->arg.http.str); p++) {
if (HTTP_IS_TOKEN(*p))
continue;
if (p == istptr(rule->arg.http.str) && *p == ':')
continue;
/* we only report this as-is but it will not cause an error */
memprintf(err, "header name '%s' contains forbidden character '%c'", istptr(rule->arg.http.str), *p);
break;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
/* This function executes a replace-header or replace-value actions. It
* builds a string in the trash from the specified format string. It finds
* the action to be performed in <.action>, previously filled by function
CLEANUP: assorted typo fixes in the code and comments This is 9th iteration of typo fixes
2020-05-05 15:53:22 -04:00
* parse_replace_header(). The replacement action is executed by the function
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
* http_action_replace_header(). On success, it returns ACT_RET_CONT. If an error
* occurs while soft rewrites are enabled, the action is canceled, but the rule
* processing continue. Otherwsize ACT_RET_ERR is returned.
*/
static enum act_return http_action_replace_header(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
BUG/MINOR: http-act: Use the good message to test strict rewritting mode Since the strict rewritting mode was introduced, actions manipulating headers (set/add/replace) always rely on the request message to test if the HTTP_MSGF_SOFT_RW flag is set or not. But, of course, we must only rely on the request for http-request rules. For http-response rules, we must use the response message. This patch must be backported if the strict rewritting is backported too.
2020-01-24 09:37:13 -05:00
struct http_msg *msg = ((rule->from == ACT_F_HTTP_REQ) ? &s->txn->req : &s->txn->rsp);
struct htx *htx = htxbuf(&msg->chn->buf);
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
enum act_return ret = ACT_RET_CONT;
struct buffer *replace;
int r;
replace = alloc_trash_chunk();
if (!replace)
goto fail_alloc;
replace->data = build_logline(s, replace->area, replace->size, &rule->arg.http.fmt);
r = http_replace_hdrs(s, htx, rule->arg.http.str, replace->area, rule->arg.http.re, (rule->action == 0));
if (r == -1)
goto fail_rewrite;
leave:
free_trash_chunk(replace);
return ret;
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
fail_rewrite:
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->fe->fe_counters.failed_rewrites);
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
if (s->flags & SF_BE_ASSIGNED)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->be->be_counters.failed_rewrites);
BUG/MEDIUM: session: NULL dereference possible when accessing the listener When implementing a client applet, a NULL dereference was encountered on the error path which increment the counters. Indeed, the counters incremented are the one in the listener which does not exist in the case of client applets, so in sess->listener->counters, listener is NULL. This patch fixes the access to the listener structure when accessing from a sesssion, most of the access are the counters in error paths. Must be backported as far as 1.8.
2021-03-08 09:26:48 -05:00
if (sess->listener && sess->listener->counters)
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&sess->listener->counters->failed_rewrites);
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
if (objt_server(s->target))
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_rewrites);
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(msg->flags & HTTP_MSGF_SOFT_RW)) {
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
ret = ACT_RET_ERR;
MINOR: http-rules: Set SF_ERR_PRXCOND termination flag when a header rewrite fails When a header rewrite fails, an internal errors is triggered. But SF_ERR_INTERNAL is documented to be the concequence of a bug and must be reported to the dev teamm. So, when this happens, the SF_ERR_PRXCOND termination flag is set now.
2020-01-22 08:38:05 -05:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
}
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
goto leave;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "replace-header" or "replace-value" actions. It takes an header name,
* a regex and replacement string as arguments. It returns ACT_RET_PRS_OK on
* success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_replace_header(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int cap = 0, cur_arg;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http-rules: Make replace-header and replace-value custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_REPLACE_HDR and ACT_HTTP_REPLACE_VAL are removed. The action type is now set to 0 to evaluate the whole header or to 1 to evaluate every comma-delimited values. The function http_transform_header_str() is renamed to http_replace_hdrs() to be more explicit and the function http_transform_header() is removed. In fact, this last one is now more or less the new action function. The lua code has been updated accordingly to use http_replace_hdrs().
2019-12-17 03:20:34 -05:00
if (args[*orig_arg-1][8] == 'h')
rule->action = 0; // replace-header
else
rule->action = 1; // replace-value
rule->action_ptr = http_action_replace_header;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
if (!*args[cur_arg] || !*args[cur_arg+1] || !*args[cur_arg+2]) {
memprintf(err, "expects exactly 3 arguments");
return ACT_RET_PRS_ERR;
}
CLEANUP: Reapply ist.cocci This makes use of the newly added: - i.ptr = p; - i.len = strlen(i.ptr); + i = ist(p); patch.
2022-03-15 08:11:08 -04:00
rule->arg.http.str = ist(strdup(args[cur_arg]));
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg++;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
if (!(rule->arg.http.re = regex_comp(args[cur_arg], 1, 1, err))) {
CLEANUP: Use `isttest()` and `istfree()` This adjusts a few locations to make use of `isttest()` and `istfree()`.
2020-03-05 11:56:33 -05:00
istfree(&rule->arg.http.str);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
if (rule->from == ACT_F_HTTP_REQ) {
px->conf.args.ctx = ARGC_HRQ;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRQ_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
else{
px->conf.args.ctx = ARGC_HRS;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRS_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRS_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
cur_arg++;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
if (!parse_logformat_string(args[cur_arg], px, &rule->arg.http.fmt, LOG_OPT_HTTP, cap, err)) {
CLEANUP: Use `isttest()` and `istfree()` This adjusts a few locations to make use of `isttest()` and `istfree()`.
2020-03-05 11:56:33 -05:00
istfree(&rule->arg.http.str);
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
regex_free(rule->arg.http.re);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
}
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
/* This function executes a del-header action with selected matching mode for
* header name. It finds the matching method to be performed in <.action>, previously
* filled by function parse_http_del_header(). On success, it returns ACT_RET_CONT.
* Otherwise ACT_RET_ERR is returned.
*/
static enum act_return http_action_del_header(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct http_hdr_ctx ctx;
struct http_msg *msg = ((rule->from == ACT_F_HTTP_REQ) ? &s->txn->req : &s->txn->rsp);
struct htx *htx = htxbuf(&msg->chn->buf);
enum act_return ret = ACT_RET_CONT;
/* remove all occurrences of the header */
ctx.blk = NULL;
switch (rule->action) {
case PAT_MATCH_STR:
while (http_find_header(htx, rule->arg.http.str, &ctx, 1))
http_remove_header(htx, &ctx);
break;
case PAT_MATCH_BEG:
while (http_find_pfx_header(htx, rule->arg.http.str, &ctx, 1))
http_remove_header(htx, &ctx);
break;
case PAT_MATCH_END:
while (http_find_sfx_header(htx, rule->arg.http.str, &ctx, 1))
http_remove_header(htx, &ctx);
break;
case PAT_MATCH_SUB:
while (http_find_sub_header(htx, rule->arg.http.str, &ctx, 1))
http_remove_header(htx, &ctx);
break;
case PAT_MATCH_REG:
while (http_match_header(htx, rule->arg.http.re, &ctx, 1))
http_remove_header(htx, &ctx);
break;
default:
return ACT_RET_ERR;
}
return ret;
}
/* Parse a "del-header" action. It takes string as a required argument,
* optional flag (currently only -m) and optional matching method of input string
* with header name to be deleted. Default matching method is exact match (-m str).
* It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*/
static enum act_parse_ret parse_http_del_header(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg;
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
int pat_idx;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
/* set exact matching (-m str) as default */
rule->action = PAT_MATCH_STR;
rule->action_ptr = http_action_del_header;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_action;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.http.fmt);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
if (!*args[cur_arg]) {
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
memprintf(err, "expects at least 1 argument");
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
}
CLEANUP: Reapply ist.cocci This makes use of the newly added: - i.ptr = p; - i.len = strlen(i.ptr); + i = ist(p); patch.
2022-03-15 08:11:08 -04:00
rule->arg.http.str = ist(strdup(args[cur_arg]));
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
px->conf.args.ctx = (rule->from == ACT_F_HTTP_REQ ? ARGC_HRQ : ARGC_HRS);
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
if (strcmp(args[cur_arg+1], "-m") == 0) {
cur_arg++;
if (!*args[cur_arg+1]) {
memprintf(err, "-m flag expects exactly 1 argument");
return ACT_RET_PRS_ERR;
}
cur_arg++;
pat_idx = pat_find_match_name(args[cur_arg]);
switch (pat_idx) {
case PAT_MATCH_REG:
if (!(rule->arg.http.re = regex_comp(rule->arg.http.str.ptr, 1, 1, err)))
return ACT_RET_PRS_ERR;
BUILD: http_act: use __fallthrough in parse_http_del_header() This avoids one build warning when preprocessing happens before compiling with gcc >= 7.
2022-11-14 01:32:04 -05:00
__fallthrough;
MINOR: http_act: Add -m flag for del-header name matching method This patch adds -m flag which allows to specify header name matching method when deleting headers from http request/response. Currently beg, end, sub, str and reg are supported. This is related to GitHub issue #909
2020-11-20 08:58:48 -05:00
case PAT_MATCH_STR:
case PAT_MATCH_BEG:
case PAT_MATCH_END:
case PAT_MATCH_SUB:
rule->action = pat_idx;
break;
default:
memprintf(err, "-m with unsupported matching method '%s'", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
/* Release memory allocated by an http redirect action. */
static void release_http_redir(struct act_rule *rule)
{
struct redirect_rule *redir;
redir = rule->arg.redir;
BUG/MINOR: http-act: make release_http_redir() more robust Since commit dd7e6c6dc ("BUG/MINOR: http-rules: completely free incorrect TCP rules on error") free_act_rule() is called on some error paths, and one of them involves incomplete redirect rules that may cause a crash if the rule wasn't yet initialized, as shown in this config snippet: frontend ft mode http bind *:8001 http-request redirect location /%[always_false,sdbm] Let's simply make release_http_redir() more robust against null redirect rules. No backport needed since it seems that the only way to trigger this was the extra check above that was merged during 2.6-dev.
2022-04-25 04:25:15 -04:00
if (!redir)
return;
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&redir->list);
CLEANUP: http_act: use http_free_redirect_rule() to clean redirect act Since redirect rules now have a dedicated cleanup function, better use it to prevent code duplication.
2023-05-11 06:42:24 -04:00
http_free_redirect_rule(redir);
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "redirect" action. It returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_redirect(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
struct redirect_rule *redir;
int dir, cur_arg;
rule->action = ACT_HTTP_REDIR;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_redir;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
dir = (rule->from == ACT_F_HTTP_REQ ? 0 : 1);
if ((redir = http_parse_redirect_rule(px->conf.args.file, px->conf.args.line, px, &args[cur_arg], err, 1, dir)) == NULL)
return ACT_RET_PRS_ERR;
MINOR: http-rules: add a new "ignore-empty" option to redirects. Sometimes it is convenient to remap large sets of URIs to new ones (e.g. after a site migration for example). This can be achieved using "http-request redirect" combined with maps, but one difficulty there is that non-matching entries will return an empty response. In order to avoid this, duplicating the operation as an ACL condition ending in "-m found" is possible but it becomes complex and error-prone while it's known that an empty URL is not valid in a location header. This patch addresses this by improving the redirect rules to be able to simply ignore the rule and skip to the next one if the result of the evaluation of the "location" expression is empty. However in order not to break existing setups, it requires a new "ignore-empty" keyword. There used to be an ACT_FLAG_FINAL on redirect rules that's used during the parsing to emit a warning if followed by another rule, so here we only set it if the option is not there. The http_apply_redirect_rule() function now returns a 3rd value to mention that it did nothing and that this was not an error, so that callers can just ignore the rule. The regular "redirect" rules were not modified however since this does not apply there. The map_redirect VTC was completed with such a test and updated to 2.5 and an example was added into the documentation.
2021-09-02 10:54:33 -04:00
if (!(redir->flags & REDIRECT_FLAG_IGNORE_EMPTY))
rule->flags |= ACT_FLAG_FINAL;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
rule->arg.redir = redir;
rule->cond = redir->cond;
redir->cond = NULL;
/* skip all arguments */
while (*args[cur_arg])
cur_arg++;
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
/* This function executes a add-acl, del-acl, set-map or del-map actions. On
* success, it returns ACT_RET_CONT. Otherwsize ACT_RET_ERR is returned.
*/
static enum act_return http_action_set_map(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct pat_ref *ref;
struct buffer *key = NULL, *value = NULL;
enum act_return ret = ACT_RET_CONT;
/* collect reference */
ref = pat_ref_lookup(rule->arg.map.ref);
if (!ref)
goto leave;
/* allocate key */
key = alloc_trash_chunk();
if (!key)
goto fail_alloc;
/* collect key */
key->data = build_logline(s, key->area, key->size, &rule->arg.map.key);
key->area[key->data] = '\0';
switch (rule->action) {
case 0: // add-acl
/* add entry only if it does not already exist */
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRLOCK(PATREF_LOCK, &ref->lock);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
if (pat_ref_find_elt(ref, key->area) == NULL)
pat_ref_add(ref, key->area, NULL, NULL);
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->lock);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
break;
case 1: // set-map
MEDIUM: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs) Organize reference to pattern element of map (struct pat_ref_elt) into an ebtree: - add an eb_root member to the map (pat_ref struct) and an ebpt_node to its element (pat_ref_elt struct), - modify the code to insert these nodes into their ebtrees each time they are allocated. This is done in pat_ref_append(). Note that ->head member (struct list) of map (struct pat_ref) is not removed could have been removed. This is not the case because still necessary to dump the map contents from the CLI in the order the map elememnts have been inserted. This patch also modifies http_action_set_map() which is the callback at least used by "set-map" action. The pat_ref_elt element returned by pat_ref_find_elt() is no more ignored, but reused if not NULL by pat_ref_set() as first element to lookup from. This latter is also modified to use the ebtree attached to the map in place of the ->head list attached to each map element (pat_ref_elt struct). Also modify pat_ref_find_elt() to makes it use ->eb_root map ebtree added to the map by this patch in place of inspecting all the elements with a strcmp() call.
2023-08-22 10:52:47 -04:00
{
struct pat_ref_elt *elt;
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
/* allocate value */
value = alloc_trash_chunk();
if (!value)
goto fail_alloc;
/* collect value */
value->data = build_logline(s, value->area, value->size, &rule->arg.map.value);
value->area[value->data] = '\0';
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRLOCK(PATREF_LOCK, &ref->lock);
MEDIUM: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs) Organize reference to pattern element of map (struct pat_ref_elt) into an ebtree: - add an eb_root member to the map (pat_ref struct) and an ebpt_node to its element (pat_ref_elt struct), - modify the code to insert these nodes into their ebtrees each time they are allocated. This is done in pat_ref_append(). Note that ->head member (struct list) of map (struct pat_ref) is not removed could have been removed. This is not the case because still necessary to dump the map contents from the CLI in the order the map elememnts have been inserted. This patch also modifies http_action_set_map() which is the callback at least used by "set-map" action. The pat_ref_elt element returned by pat_ref_find_elt() is no more ignored, but reused if not NULL by pat_ref_set() as first element to lookup from. This latter is also modified to use the ebtree attached to the map in place of the ->head list attached to each map element (pat_ref_elt struct). Also modify pat_ref_find_elt() to makes it use ->eb_root map ebtree added to the map by this patch in place of inspecting all the elements with a strcmp() call.
2023-08-22 10:52:47 -04:00
elt = pat_ref_find_elt(ref, key->area);
if (elt) {
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
/* update entry if it exists */
MINOR: pattern: split pat_ref_set() split pat_ref_set() function in 2 distinct functions. Indeed, since 0844bed7d3 ("MEDIUM: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs)"), pat_ref_set() prototype was updated to include an extra <elt> argument. But the logic behind is not explicit because the function will not only try to set <elt>, but also its duplicate (unlike pat_ref_set_elt() which only tries to update <elt>). Thus, to make it clearer and better distinguish between the key-based lookup version and the elt-based one, restotre pat_ref_set() previous prototype and add a dedicated pat_ref_set_elt_duplicate() that takes <elt> as argument and tries to update <elt> and all duplicates.
2024-11-20 10:22:22 -05:00
pat_ref_set_elt_duplicate(ref, elt, value->area, NULL);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
}
else {
/* insert a new entry */
pat_ref_add(ref, key->area, value->area, NULL);
}
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->lock);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
break;
MEDIUM: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs) Organize reference to pattern element of map (struct pat_ref_elt) into an ebtree: - add an eb_root member to the map (pat_ref struct) and an ebpt_node to its element (pat_ref_elt struct), - modify the code to insert these nodes into their ebtrees each time they are allocated. This is done in pat_ref_append(). Note that ->head member (struct list) of map (struct pat_ref) is not removed could have been removed. This is not the case because still necessary to dump the map contents from the CLI in the order the map elememnts have been inserted. This patch also modifies http_action_set_map() which is the callback at least used by "set-map" action. The pat_ref_elt element returned by pat_ref_find_elt() is no more ignored, but reused if not NULL by pat_ref_set() as first element to lookup from. This latter is also modified to use the ebtree attached to the map in place of the ->head list attached to each map element (pat_ref_elt struct). Also modify pat_ref_find_elt() to makes it use ->eb_root map ebtree added to the map by this patch in place of inspecting all the elements with a strcmp() call.
2023-08-22 10:52:47 -04:00
}
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
case 2: // del-acl
case 3: // del-map
/* returned code: 1=ok, 0=ko */
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRLOCK(PATREF_LOCK, &ref->lock);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
pat_ref_delete(ref, key->area);
MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock. Replace ->lock type of pat_ref struct by HA_RWLOCK_T. Replace all calls to HA_SPIN_LOCK() (resp. HA_SPIN_UNLOCK()) by HA_RWLOCK_WRLOCK() (resp. HA_RWLOCK_WRUNLOCK()) when a write access is required. There is only one read access which is needed. This is in the "show map" command callback, cli_io_handler_map_lookup() where a HA_SPIN_LOCK() call is replaced by HA_RWLOCK_RDLOCK() (resp. HA_SPIN_UNLOCK() by HA_RWLOCK_RDUNLOCK). Replace HA_SPIN_INIT() calls by HA_RWLOCK_INIT() calls.
2023-08-21 12:44:24 -04:00
HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->lock);
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
break;
default:
ret = ACT_RET_ERR;
}
leave:
free_trash_chunk(key);
free_trash_chunk(value);
return ret;
fail_alloc:
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_RESOURCE;
ret = ACT_RET_ERR;
goto leave;
}
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
/* Release memory allocated by an http map/acl action. */
static void release_http_map(struct act_rule *rule)
{
free(rule->arg.map.ref);
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_deinit(&rule->arg.map.key);
CLEANUP: log: deinitialization of the log buffer in one function In several places in the source, there was the same block of code that was used to deinitialize the log buffer. There were even two functions that did this, but they were called only from the code that is in the same source file (free_tcpcheck_fmt() in src/tcpcheck.c and free_logformat_list() in src/proxy.c - they were both static functions). The function free_logformat_list() was moved from the file src/proxy.c to src/log.c, and a check of the list before freeing the memory was added to that function.
2024-01-29 21:14:09 -05:00
if (rule->action == 1)
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_deinit(&rule->arg.map.value);
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "add-acl", "del-acl", "set-map" or "del-map" actions. It takes one or
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
* two log-format string as argument depending on the action. The action is
* stored in <.action> as an int (0=add-acl, 1=set-map, 2=del-acl,
* 3=del-map). It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
*/
static enum act_parse_ret parse_http_set_map(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int cap = 0, cur_arg;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
if (args[*orig_arg-1][0] == 'a') // add-acl
rule->action = 0;
else if (args[*orig_arg-1][0] == 's') // set-map
rule->action = 1;
else if (args[*orig_arg-1][4] == 'a') // del-acl
rule->action = 2;
else if (args[*orig_arg-1][4] == 'm') // del-map
rule->action = 3;
else {
memprintf(err, "internal error: unhandled action '%s'", args[0]);
return ACT_RET_PRS_ERR;
}
rule->action_ptr = http_action_set_map;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_map;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
cur_arg = *orig_arg;
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
if (rule->action == 1 && (!*args[cur_arg] || !*args[cur_arg+1])) {
/* 2 args for set-map */
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
memprintf(err, "expects exactly 2 arguments");
return ACT_RET_PRS_ERR;
}
else if (!*args[cur_arg]) {
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
/* only one arg for other actions */
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
memprintf(err, "expects exactly 1 arguments");
return ACT_RET_PRS_ERR;
}
/*
* '+ 8' for 'set-map(' (same for del-map)
* '- 9' for 'set-map(' + trailing ')' (same for del-map)
*/
rule->arg.map.ref = my_strndup(args[cur_arg-1] + 8, strlen(args[cur_arg-1]) - 9);
if (rule->from == ACT_F_HTTP_REQ) {
px->conf.args.ctx = ARGC_HRQ;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRQ_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
else{
px->conf.args.ctx = ARGC_HRS;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (px->cap & PR_CAP_FE)
cap |= SMP_VAL_FE_HRS_HDR;
if (px->cap & PR_CAP_BE)
cap |= SMP_VAL_BE_HRS_HDR;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
/* key pattern */
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.map.key);
MINOR: http: don't %-encode the payload when not relevant As reported by Pierre Maoui in GH #2477, it's not possible to render control chars from variables or expressions verbatim in the payload part of http-return statements. That's a problem because this part should not require to be encoded at all (we could even imagine building favicons on the fly for example). In fact it is the LOG_OPT_HTTP option when passed as default options on parse_logformat_string() which tells the log encoder that the payload should be http-encoded using lf_chunk() instead of being printed using the per-type encoder. This option was set when parsing logformat expressions for lf-string expression under http-return statements, as well as logformat expressions for set-map action. While it is true that those actions may only be used under http context, the LOG_OPT_HTTP logformat option is not relevant there, because the payload is expected to be used without being encoded. So let's simply get rid of this option when parsing logformat expressions for set-map action key/value and lf-string from http-request return action, and add a note next to LOG_OPT_HTTP option to indicate that it is used to tell the log encoder that the payload should be HTTP-encoded. Thanks to Pierre for having reported the issue and Willy for the analysis and patch proposal.
2024-11-06 03:48:32 -05:00
if (!parse_logformat_string(args[cur_arg], px, &rule->arg.map.key, LOG_OPT_NONE, cap, err)) {
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
free(rule->arg.map.ref);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http-rules: Make set/del-map and add/del-acl custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the HTTP rules evaluation. Thus the action names ACT_HTTP_*_ACL and ACT_HTTP_*_MAP are removed. The action type is now mapped as following: 0 = add-acl, 1 = set-map, 2 = del-acl and 3 = del-map.
2019-12-17 09:45:23 -05:00
if (rule->action == 1) {
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* value pattern for set-map only */
cur_arg++;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->arg.map.value);
MINOR: http: don't %-encode the payload when not relevant As reported by Pierre Maoui in GH #2477, it's not possible to render control chars from variables or expressions verbatim in the payload part of http-return statements. That's a problem because this part should not require to be encoded at all (we could even imagine building favicons on the fly for example). In fact it is the LOG_OPT_HTTP option when passed as default options on parse_logformat_string() which tells the log encoder that the payload should be http-encoded using lf_chunk() instead of being printed using the per-type encoder. This option was set when parsing logformat expressions for lf-string expression under http-return statements, as well as logformat expressions for set-map action. While it is true that those actions may only be used under http context, the LOG_OPT_HTTP logformat option is not relevant there, because the payload is expected to be used without being encoded. So let's simply get rid of this option when parsing logformat expressions for set-map action key/value and lf-string from http-request return action, and add a note next to LOG_OPT_HTTP option to indicate that it is used to tell the log encoder that the payload should be HTTP-encoded. Thanks to Pierre for having reported the issue and Willy for the analysis and patch proposal.
2024-11-06 03:48:32 -05:00
if (!parse_logformat_string(args[cur_arg], px, &rule->arg.map.value, LOG_OPT_NONE, cap, err)) {
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
free(rule->arg.map.ref);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
}
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
}
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
/* This function executes a track-sc* actions. On success, it returns
* ACT_RET_CONT. Otherwsize ACT_RET_ERR is returned.
*/
static enum act_return http_action_track_sc(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct stktable *t;
struct stksess *ts;
struct stktable_key *key;
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
void *ptr1, *ptr2, *ptr3, *ptr4, *ptr5, *ptr6;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
int opt;
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
ptr1 = ptr2 = ptr3 = ptr4 = ptr5 = ptr6 = NULL;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
opt = ((rule->from == ACT_F_HTTP_REQ) ? SMP_OPT_DIR_REQ : SMP_OPT_DIR_RES) | SMP_OPT_FINAL;
t = rule->arg.trk_ctr.table.t;
BUG/MEDIUM: stick-tables: fix ref counter in table entry using multiple http tracksc. Setting multiple http-request track-scX rules generates entries which never expires. If there was already an entry registered by a previous http rule 'stream_track_stkctr(&s->stkctr[rule->action], t, ts)' didn't register the new 'ts' into the stkctr. And function is left with no reference on 'ts' whereas refcount had been increased by the '_get_entry' The patch applies the same policy as the one showed on tcp track rules and if there is successive rules the track counter keep the first entry registered in the counter and nothing more is computed. After validation this should be backported in all versions.
2021-03-10 10:58:03 -05:00
if (stkctr_entry(&s->stkctr[rule->action]))
goto end;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
key = stktable_fetch_key(t, s->be, sess, s, opt, rule->arg.trk_ctr.expr, NULL);
if (!key)
goto end;
ts = stktable_get_entry(t, key);
if (!ts)
goto end;
stream_track_stkctr(&s->stkctr[rule->action], t, ts);
/* let's count a new HTTP request as it's the first time we do it */
ptr1 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_REQ_CNT);
ptr2 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_REQ_RATE);
/* When the client triggers a 4xx from the server, it's most often due
* to a missing object or permission. These events should be tracked
* because if they happen often, it may indicate a brute force or a
* vulnerability scan. Normally this is done when receiving the response
* but here we're tracking after this ought to have been done so we have
* to do it on purpose.
*/
MEDIUM: http_act: check status codes against the bit fields for err/fail This drops the hard-coded 4xx and 5xx status codes for err_cnt and fail_cnt, in favor of the new bit fields that will soon be configurable. There should be no difference at all since the bit fields are initialized to the exact same sets (400-499 for err, 500-599 minus 501 and 505 for fail).
2024-01-10 12:44:30 -05:00
if (rule->from == ACT_F_HTTP_RES &&
http_status_matches(http_err_status_codes, s->txn->status)) {
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
ptr3 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_ERR_CNT);
ptr4 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_ERR_RATE);
}
MEDIUM: http_act: check status codes against the bit fields for err/fail This drops the hard-coded 4xx and 5xx status codes for err_cnt and fail_cnt, in favor of the new bit fields that will soon be configurable. There should be no difference at all since the bit fields are initialized to the exact same sets (400-499 for err, 500-599 minus 501 and 505 for fail).
2024-01-10 12:44:30 -05:00
if (rule->from == ACT_F_HTTP_RES &&
http_status_matches(http_fail_status_codes, s->txn->status)) {
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
ptr5 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_FAIL_CNT);
ptr6 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_FAIL_RATE);
}
if (ptr1 || ptr2 || ptr3 || ptr4 || ptr5 || ptr6) {
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
if (ptr1)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
stktable_data_cast(ptr1, std_t_uint)++;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
if (ptr2)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
update_freq_ctr_period(&stktable_data_cast(ptr2, std_t_frqp),
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
t->data_arg[STKTABLE_DT_HTTP_REQ_RATE].u, 1);
if (ptr3)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
stktable_data_cast(ptr3, std_t_uint)++;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
if (ptr4)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
update_freq_ctr_period(&stktable_data_cast(ptr4, std_t_frqp),
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
t->data_arg[STKTABLE_DT_HTTP_ERR_RATE].u, 1);
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
if (ptr5)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
stktable_data_cast(ptr5, std_t_uint)++;
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
if (ptr6)
MINOR: stick-table: make skttable_data_cast to use only std types This patch replaces all advanced data type aliases on stktable_data_cast calls by standard types. This way we could call the same stktable_data_cast regardless of the used advanced data type as long they are using the same std type. It also removes all the advanced data type aliases.
2021-06-30 11:18:28 -04:00
update_freq_ctr_period(&stktable_data_cast(ptr6, std_t_frqp),
MINOR: stick-tables/counters: add http_fail_cnt and http_fail_rate data types Historically we've been counting lots of client-triggered events in stick tables to help detect misbehaving ones, but we've been missing the same on the server side, and there's been repeated requests for being able to count the server errors per URL in order to precisely monitor the quality of service or even to avoid routing requests to certain dead services, which is also called "circuit breaking" nowadays. This commit introduces http_fail_cnt and http_fail_rate, which work like http_err_cnt and http_err_rate in that they respectively count events and their frequency, but they only consider server-side issues such as network errors, unparsable and truncated responses, and 5xx status codes other than 501 and 505 (since these ones are usually triggered by the client). Note that retryable errors are purposely not accounted for, so that only what the client really sees is considered. With this it becomes very simple to put some protective measures in place to perform a redirect or return an excuse page when the error rate goes beyond a certain threshold for a given URL, and give more chances to the server to recover from this condition. Typically it could look like this to bypass a URL causing more than 10 requests per second: stick-table type string len 80 size 4k expire 1m store http_fail_rate(1m) http-request track-sc0 base # track host+path, ignore query string http-request return status 503 content-type text/html \ lf-file excuse.html if { sc0_http_fail_rate gt 10 } A more advanced mechanism using gpt0 could even implement high/low rates to disable/enable the service. Reg-test converteers_ref_cnt_never_dec.vtc was updated to test it.
2021-02-10 06:07:15 -05:00
t->data_arg[STKTABLE_DT_HTTP_FAIL_RATE].u, 1);
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
/* If data was modified, we need to touch to re-schedule sync */
stktable_touch_local(t, ts, 0);
}
stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_CONTENT);
if (sess->fe != s->be)
stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_BACKEND);
end:
return ACT_RET_CONT;
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
static void release_http_track_sc(struct act_rule *rule)
{
release_sample_expr(rule->arg.trk_ctr.expr);
}
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
/* Parse a "track-sc*" actions. It returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_track_sc(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
struct sample_expr *expr;
unsigned int where;
unsigned int tsc_num;
const char *tsc_num_str;
int cur_arg;
tsc_num_str = &args[*orig_arg-1][8];
if (cfg_parse_track_sc_num(&tsc_num, tsc_num_str, tsc_num_str + strlen(tsc_num_str), err) == -1)
return ACT_RET_PRS_ERR;
cur_arg = *orig_arg;
expr = sample_parse_expr((char **)args, &cur_arg, px->conf.args.file, px->conf.args.line,
MINOR: sample: make sample_parse_expr() able to return an end pointer When an end pointer is passed, instead of complaining that a comma is missing after a keyword, sample_parse_expr() will silently return the pointer to the current location into this return pointer so that the caller can continue its parsing. This will be used by more complex expressions which embed sample expressions, and may even permit to embed sample expressions into arguments of other expressions.
2020-02-14 10:50:14 -05:00
err, &px->conf.args, NULL);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
if (!expr)
return ACT_RET_PRS_ERR;
where = 0;
if (px->cap & PR_CAP_FE)
where |= (rule->from == ACT_F_HTTP_REQ ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_FE_HRS_HDR);
if (px->cap & PR_CAP_BE)
where |= (rule->from == ACT_F_HTTP_REQ ? SMP_VAL_BE_HRQ_HDR : SMP_VAL_BE_HRS_HDR);
if (!(expr->fetch->val & where)) {
memprintf(err, "fetch method '%s' extracts information from '%s', none of which is available here",
args[cur_arg-1], sample_src_names(expr->fetch->use));
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
}
if (strcmp(args[cur_arg], "table") == 0) {
cur_arg++;
if (!*args[cur_arg]) {
memprintf(err, "missing table name");
BUG/MINOR: http-rules: Fix memory releases on error path during action parsing When an error occurred during the parsing of an HTTP action, if some memory was allocated, it should be released before exiting. Sometime a call to free() is used on a sample expression instead of a call to release_sample_expr(). Other time, it is just a string or a regex that should be released. There is no real reason to backport this patch. Especially because this part was highly modified recentely in 2.2-DEV.
2020-01-14 08:50:55 -05:00
release_sample_expr(expr);
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
return ACT_RET_PRS_ERR;
}
/* we copy the table name for now, it will be resolved later */
rule->arg.trk_ctr.table.n = strdup(args[cur_arg]);
cur_arg++;
}
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
rule->action = tsc_num;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
rule->arg.trk_ctr.expr = expr;
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
rule->action_ptr = http_action_track_sc;
MINOR: http-rules: Add release functions for existing HTTP actions HTTP actions allocating memory during configuration parsing now use dedicated functions to release it.
2020-01-14 08:47:34 -05:00
rule->release_ptr = release_http_track_sc;
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
rule->check_ptr = check_trk_action;
*orig_arg = cur_arg;
return ACT_RET_PRS_OK;
}
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
static enum act_return action_timeout_set_stream_timeout(struct act_rule *rule,
struct proxy *px,
struct session *sess,
struct stream *s,
int flags)
{
struct sample *key;
if (rule->arg.timeout.expr) {
key = sample_fetch_as_type(px, sess, s, SMP_OPT_FINAL, rule->arg.timeout.expr, SMP_T_SINT);
if (!key)
return ACT_RET_CONT;
stream_set_timeout(s, rule->arg.timeout.type, MS_TO_TICKS(key->data.u.sint));
}
else {
stream_set_timeout(s, rule->arg.timeout.type, MS_TO_TICKS(rule->arg.timeout.value));
}
return ACT_RET_CONT;
}
/* Parse a "set-timeout" action. Returns ACT_RET_PRS_ERR if parsing error.
*/
static enum act_parse_ret parse_http_set_timeout(const char **args,
int *orig_arg,
struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg;
rule->action = ACT_CUSTOM;
rule->action_ptr = action_timeout_set_stream_timeout;
rule->release_ptr = release_timeout_action;
cur_arg = *orig_arg;
if (!*args[cur_arg] || !*args[cur_arg + 1]) {
memprintf(err, "expects exactly 2 arguments");
return ACT_RET_PRS_ERR;
}
MINOR: support for http-request set-timeout client Added set-timeout for frontend side of session, so it can be used to set custom per-client timeouts if needed. Added cur_client_timeout to fetch client timeout samples.
2023-09-27 10:43:07 -04:00
if (cfg_parse_rule_set_timeout(args, cur_arg, rule, px, err) == -1) {
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
return ACT_RET_PRS_ERR;
}
*orig_arg = cur_arg + 2;
return ACT_RET_PRS_OK;
}
MINOR: http-rules: Add a rule to enable or disable the strict rewriting mode It is now possible to explicitly instruct rewriting rules to be strict or not towards errors. It means that in this mode, an internal error is trigger if a rewrite rule fails. The HTTP action "strict-mode" can be used to enable or disable the strict rewriting mode. It can be used in an http-request and an http-response ruleset. For now, by default the strict rewriting mode is disabled. Because it is the current behavior. But it will be changed in another patch.
2019-12-20 04:07:22 -05:00
/* This function executes a strict-mode actions. On success, it always returns
* ACT_RET_CONT
*/
static enum act_return http_action_strict_mode(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct http_msg *msg = ((rule->from == ACT_F_HTTP_REQ) ? &s->txn->req : &s->txn->rsp);
if (rule->action == 0) // strict-mode on
msg->flags &= ~HTTP_MSGF_SOFT_RW;
else // strict-mode off
msg->flags |= HTTP_MSGF_SOFT_RW;
return ACT_RET_CONT;
}
/* Parse a "strict-mode" action. It returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_strict_mode(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg;
cur_arg = *orig_arg;
if (!*args[cur_arg]) {
memprintf(err, "expects exactly 1 arguments");
return ACT_RET_PRS_ERR;
}
if (strcasecmp(args[cur_arg], "on") == 0)
rule->action = 0; // strict-mode on
else if (strcasecmp(args[cur_arg], "off") == 0)
rule->action = 1; // strict-mode off
else {
memprintf(err, "Unexpected value '%s'. Only 'on' and 'off' are supported", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
rule->action_ptr = http_action_strict_mode;
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
}
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
/* This function executes a return action. It builds an HTX message from an
* errorfile, an raw file or a log-format string, depending on <.action>
* value. On success, it returns ACT_RET_ABRT. If an error occurs ACT_RET_ERR is
* returned.
*/
static enum act_return http_action_return(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct channel *req = &s->req;
BUG/MINOR: http-rules: Always replace the response status on a return action When a HTTP return action is triggered, HAProxy is responsible to return the response, based on the configured status code. On the request side, there is no problem because there is no server response to replace. But on the response side, we must take care to override the server response status code, if any, to be sure to use the rigth status code to get the http reply message. In short, we must always set the configured status code of the HTTP return action before returning the http reply to be sure to get the right reply, the one base on the http return action status code and not a reply based on the server response status code.. This patch should fix the issue #1139. It must be backported as far as 2.2.
2021-02-19 05:41:01 -05:00
s->txn->status = rule->arg.http_reply->status;
MEDIUM: http-ana: Set termination state before returning haproxy response When, for any reason and at any step, HAProxy decides to interrupt an HTTP transaction, it returns a dedicated responses to the client (possibly empty) and it sets the stream flags used to produce the session termination state. These both operation were performed in any order, depending on the code path. Most of time, the HAPRoxy response is produced first. With this patch, the stream flags for the termination state are now set first. This way, these flags become visible from http-after-reponse rule sets. Only errors when the HAProxy response is generated are reported later.
2023-11-28 02:38:45 -05:00
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_LOCAL;
if (!(s->flags & SF_FINST_MASK))
s->flags |= ((rule->from == ACT_F_HTTP_REQ) ? SF_FINST_R : SF_FINST_H);
MINOR: http-ana: Use a dedicated function to send a response from an http reply The http_reply_message() function may be used to send an http reply to a client. This function is responsile to convert the reply in HTX, to push it in the response buffer and to forward it to the client. It is also responsible to terminate the transaction. This function is used during evaluation of http return rules.
2020-05-13 10:38:37 -04:00
if (http_reply_message(s, rule->arg.http_reply) == -1)
return ACT_RET_ERR;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
if (rule->from == ACT_F_HTTP_REQ) {
/* let's log the request time */
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
s->logs.request_ts = now_ns;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
req->analysers &= AN_REQ_FLT_END;
if (s->sess->fe == s->be) /* report it if the request was intercepted by the frontend */
CLEANUP: atomic/tree-wide: replace single increments/decrements with inc/dec This patch replaces roughly all occurrences of an HA_ATOMIC_ADD(&foo, 1) or HA_ATOMIC_SUB(&foo, 1) with the equivalent HA_ATOMIC_INC(&foo) and HA_ATOMIC_DEC(&foo) respectively. These are 507 changes over 45 files.
2021-04-06 07:53:36 -04:00
_HA_ATOMIC_INC(&s->sess->fe->fe_counters.intercepted_req);
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
}
MINOR: http-ana: Use a dedicated function to send a response from an http reply The http_reply_message() function may be used to send an http reply to a client. This function is responsile to convert the reply in HTX, to push it in the response buffer and to forward it to the client. It is also responsible to terminate the transaction. This function is used during evaluation of http return rules.
2020-05-13 10:38:37 -04:00
return ACT_RET_ABRT;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
}
/* Parse a "return" action. It returns ACT_RET_PRS_OK on success,
MINOR: http-htx: Use a dedicated function to parse http reply arguments A dedicated function to parse arguments and create an http_reply object is added. It is used to parse http return rule. Thus, following arguments are parsed by this function : ... [status <code>] [content-type <type>] [ { default-errorfiles | errorfile <file> | errorfiles <name> | file <file> | lf-file <file> | string <str> | lf-string <fmt> } ] [ hdr <name> <fmt> ]* Because the status code argument is optional, a default status code must be defined when this function is called.
2020-05-13 08:36:55 -04:00
* ACT_RET_PRS_ERR on error. It relies on http_parse_http_reply() to set
* <.arg.http_reply>.
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
*/
static enum act_parse_ret parse_http_return(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
MINOR: http-htx: Use a dedicated function to parse http reply arguments A dedicated function to parse arguments and create an http_reply object is added. It is used to parse http return rule. Thus, following arguments are parsed by this function : ... [status <code>] [content-type <type>] [ { default-errorfiles | errorfile <file> | errorfiles <name> | file <file> | lf-file <file> | string <str> | lf-string <fmt> } ] [ hdr <name> <fmt> ]* Because the status code argument is optional, a default status code must be defined when this function is called.
2020-05-13 08:36:55 -04:00
/* Prepare parsing of log-format strings */
px->conf.args.ctx = ((rule->from == ACT_F_HTTP_REQ) ? ARGC_HRQ : ARGC_HRS);
rule->arg.http_reply = http_parse_http_reply(args, orig_arg, px, 200, err);
if (!rule->arg.http_reply)
return ACT_RET_PRS_ERR;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
BUG/MINOR: http-rules: Mark http return rules as final For HTTP rules, this flag is only used to trigger a warning during HAProxy startup when a final rule without ACL is not the last one. So this patch is marked as a bug, but its impact is really limited. No backport needed because http return rules were introduced in the 2.2.
2020-05-13 02:50:07 -04:00
rule->flags |= ACT_FLAG_FINAL;
MINOR: http-rules: Use http_reply structure for http return rules No real change here. Instead of using an internal structure to the action rule, the http return rules are now stored as an http reply. The main change is about the action type. It is now always set to ACT_CUSTOM. The http reply type is used to know how to evaluate the rule.
2020-05-12 12:33:37 -04:00
rule->action = ACT_CUSTOM;
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
rule->check_ptr = check_act_http_reply;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
rule->action_ptr = http_action_return;
MEDIUM: http-rules: Rely on http reply for http deny/tarpit rules "http-request deny", "http-request tarpit" and "http-response deny" rules now use the same syntax than http return rules and internally rely on the http replies. The behaviour is not the same when no argument is specified (or only the status code). For http replies, a dummy response is produced, with no payload. For old deny/tarpit rules, the proxy's error messages are used. Thus, to be compatible with existing configuration, the "default-errorfiles" parameter is implied. For instance : http-request deny deny_status 404 is now an alias of http-request deny status 404 default-errorfiles
2020-05-13 11:56:56 -04:00
rule->release_ptr = release_act_http_reply;
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
return ACT_RET_PRS_OK;
}
MEDIUM: http-rules: Add wait-for-body action on request and response side Historically, an option was added to wait for the request payload (option http-buffer-request). This option has 2 drawbacks. First, it is an ON/OFF option for the whole proxy. It cannot be enabled on demand depending on the message. Then, as its name suggests, it only works on the request side. The only option to wait for the response payload was to write a dedicated filter. While it is an acceptable solution for complex applications, it is a bit overkill to simply match strings in the body. To make everyone happy, this patch adds a dedicated HTTP action to wait for the message payload, for the request or the response depending it is used in an http-request or an http-response ruleset. The time to wait is configurable and, optionally, the minimum payload size to have before stop to wait. Both the http action and the old http analyzer rely on the same internal function.
2021-03-29 04:46:38 -04:00
/* This function executes a wait-for-body action. It waits for the message
* payload for a max configured time (.arg.p[0]) and eventually for only first
* <arg.p[1]> bytes (0 means no limit). It relies on http_wait_for_msg_body()
* function. it returns ACT_RET_CONT when conditions are met to stop to wait.
* Otherwise ACT_RET_YIELD is returned to wait for more data. ACT_RET_INV is
* returned if a parsing error is raised by lower level and ACT_RET_ERR if an
CLEANUP: assorted typo fixes in the code and comments This is 22nd iteration of typo fixes
2021-04-24 04:25:42 -04:00
* internal error occurred. Finally ACT_RET_ABRT is returned when a timeout
* occurred.
MEDIUM: http-rules: Add wait-for-body action on request and response side Historically, an option was added to wait for the request payload (option http-buffer-request). This option has 2 drawbacks. First, it is an ON/OFF option for the whole proxy. It cannot be enabled on demand depending on the message. Then, as its name suggests, it only works on the request side. The only option to wait for the response payload was to write a dedicated filter. While it is an acceptable solution for complex applications, it is a bit overkill to simply match strings in the body. To make everyone happy, this patch adds a dedicated HTTP action to wait for the message payload, for the request or the response depending it is used in an http-request or an http-response ruleset. The time to wait is configurable and, optionally, the minimum payload size to have before stop to wait. Both the http action and the old http analyzer rely on the same internal function.
2021-03-29 04:46:38 -04:00
*/
static enum act_return http_action_wait_for_body(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct channel *chn = ((rule->from == ACT_F_HTTP_REQ) ? &s->req : &s->res);
unsigned int time = (uintptr_t)rule->arg.act.p[0];
unsigned int bytes = (uintptr_t)rule->arg.act.p[1];
switch (http_wait_for_msg_body(s, chn, time, bytes)) {
case HTTP_RULE_RES_CONT:
return ACT_RET_CONT;
case HTTP_RULE_RES_YIELD:
return ACT_RET_YIELD;
case HTTP_RULE_RES_BADREQ:
return ACT_RET_INV;
case HTTP_RULE_RES_ERROR:
return ACT_RET_ERR;
case HTTP_RULE_RES_ABRT:
return ACT_RET_ABRT;
default:
return ACT_RET_ERR;
}
}
/* Parse a "wait-for-body" action. It returns ACT_RET_PRS_OK on success,
* ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_wait_for_body(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
int cur_arg;
unsigned int time, bytes;
const char *res;
cur_arg = *orig_arg;
if (!*args[cur_arg]) {
memprintf(err, "expects time <time> [ at-least <bytes> ]");
return ACT_RET_PRS_ERR;
}
time = UINT_MAX; /* To be sure it is set */
bytes = 0; /* Default value, wait all the body */
while (*(args[cur_arg])) {
if (strcmp(args[cur_arg], "time") == 0) {
if (!*args[cur_arg + 1]) {
memprintf(err, "missing argument for '%s'", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
res = parse_time_err(args[cur_arg+1], &time, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "time overflow (maximum value is 2147483647 ms or ~24.8 days)");
return ACT_RET_PRS_ERR;
}
if (res == PARSE_TIME_UNDER) {
memprintf(err, "time underflow (minimum non-null value is 1 ms)");
return ACT_RET_PRS_ERR;
}
if (res) {
memprintf(err, "unexpected character '%c'", *res);
return ACT_RET_PRS_ERR;
}
cur_arg++;
}
else if (strcmp(args[cur_arg], "at-least") == 0) {
if (!*args[cur_arg + 1]) {
memprintf(err, "missing argument for '%s'", args[cur_arg]);
return ACT_RET_PRS_ERR;
}
res = parse_size_err(args[cur_arg+1], &bytes);
if (res) {
memprintf(err, "unexpected character '%c'", *res);
return ACT_RET_PRS_ERR;
}
cur_arg++;
}
else
break;
cur_arg++;
}
if (time == UINT_MAX) {
memprintf(err, "expects time <time> [ at-least <bytes> ]");
return ACT_RET_PRS_ERR;
}
rule->arg.act.p[0] = (void *)(uintptr_t)time;
rule->arg.act.p[1] = (void *)(uintptr_t)bytes;
*orig_arg = cur_arg;
rule->action = ACT_CUSTOM;
rule->action_ptr = http_action_wait_for_body;
return ACT_RET_PRS_OK;
}
MINOR: action: add do-log action Thanks to the two previous commits, we can now expose the do-log action on all available action contexts, including the new quic-init context. Each context is responsible for exposing the do-log action by registering the relevant log steps, saving the idendifier, and then store it in the rule's context so that do_log_action() automatically uses it to produce the log during runtime. To use the feature, it is simply needed to use "do-log" (without argument) on an action directive, example: tcp-request connection do-log As mentioned before, each context where the action is exposed has its own log step identifier. Currently known identifiers are: quic-initial: quic-init tcp-request connection: tcp-req-conn tcp-request session: tcp-req-sess tcp-request content: tcp-req-cont tcp-response content: tcp-res-cont http-request: http-req http-response: http-res http-after-response: http-after-res Thus, these "additional" logging steps can be used as-is under log-profile section (after "on" keyword). However, although the parser will accept them, it makes no sense to use them with the "log-steps" proxy keyword, since the only path for these origins to trigger a log generation is through the explicit use of "do-log" action. This need was described in GH #401, it should help to conditionally trigger logs using ACL at specific key points.. and may either be used alone or combined with "log-steps" to add additional log "trackers" during transaction handling. Documentation was updated and some examples were added.
2024-09-20 03:34:13 -04:00
static enum log_orig_id do_log_http_req;
static enum log_orig_id do_log_http_res;
static enum log_orig_id do_log_http_after_res;
static void init_do_log(void)
{
do_log_http_req = log_orig_register("http-req");
BUG_ON(do_log_http_req == LOG_ORIG_UNSPEC);
do_log_http_res = log_orig_register("http-res");
BUG_ON(do_log_http_res == LOG_ORIG_UNSPEC);
do_log_http_after_res = log_orig_register("http-after-res");
BUG_ON(do_log_http_after_res == LOG_ORIG_UNSPEC);
}
INITCALL0(STG_PREPARE, init_do_log);
static enum act_parse_ret parse_http_req_do_log(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
return do_log_parse_act(do_log_http_req, args, orig_arg, px, rule, err);
}
static enum act_parse_ret parse_http_res_do_log(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
return do_log_parse_act(do_log_http_res, args, orig_arg, px, rule, err);
}
static enum act_parse_ret parse_http_after_res_do_log(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
return do_log_parse_act(do_log_http_after_res, args, orig_arg, px, rule, err);
}
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/************************************************************************/
/* All supported http-request action keywords must be declared here. */
/************************************************************************/
static struct action_kw_list http_req_actions = {
.kw = {
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "add-acl", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "add-header", parse_http_set_header, 0 },
{ "allow", parse_http_allow, 0 },
{ "auth", parse_http_auth, 0 },
{ "capture", parse_http_req_capture, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "del-acl", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "del-header", parse_http_del_header, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "del-map", parse_http_set_map, KWF_MATCH_PREFIX },
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
{ "deny", parse_http_deny, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "disable-l7-retry", parse_http_req_disable_l7_retry, 0 },
MINOR: action: add do-log action Thanks to the two previous commits, we can now expose the do-log action on all available action contexts, including the new quic-init context. Each context is responsible for exposing the do-log action by registering the relevant log steps, saving the idendifier, and then store it in the rule's context so that do_log_action() automatically uses it to produce the log during runtime. To use the feature, it is simply needed to use "do-log" (without argument) on an action directive, example: tcp-request connection do-log As mentioned before, each context where the action is exposed has its own log step identifier. Currently known identifiers are: quic-initial: quic-init tcp-request connection: tcp-req-conn tcp-request session: tcp-req-sess tcp-request content: tcp-req-cont tcp-response content: tcp-res-cont http-request: http-req http-response: http-res http-after-response: http-after-res Thus, these "additional" logging steps can be used as-is under log-profile section (after "on" keyword). However, although the parser will accept them, it makes no sense to use them with the "log-steps" proxy keyword, since the only path for these origins to trigger a log generation is through the explicit use of "do-log" action. This need was described in GH #401, it should help to conditionally trigger logs using ACL at specific key points.. and may either be used alone or combined with "log-steps" to add additional log "trackers" during transaction handling. Documentation was updated and some examples were added.
2024-09-20 03:34:13 -04:00
{ "do-log", parse_http_req_do_log, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "early-hint", parse_http_set_header, 0 },
MINOR: http_act: mark normalize-uri as experimental normalize-uri http rule is marked as experimental, so it cannot be activated without the global 'expose-experimental-directives'. The associated vtc is updated to be able to use it.
2021-05-06 09:50:12 -04:00
{ "normalize-uri", parse_http_normalize_uri, KWF_EXPERIMENTAL },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "redirect", parse_http_redirect, 0 },
{ "reject", parse_http_action_reject, 0 },
{ "replace-header", parse_http_replace_header, 0 },
{ "replace-path", parse_replace_uri, 0 },
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
{ "replace-pathq", parse_replace_uri, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "replace-uri", parse_replace_uri, 0 },
{ "replace-value", parse_http_replace_header, 0 },
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
{ "return", parse_http_return, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "set-header", parse_http_set_header, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "set-map", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "set-method", parse_set_req_line, 0 },
{ "set-path", parse_set_req_line, 0 },
MINOR: http-rules: Add set-pathq and replace-pathq actions These actions do the same as corresponding "-path" versions except the query-string is included to the manipulated request path. This means set-pathq action replaces the path and the query-string and replace-pathq action matches and replace the path including the query-string. This patch may be backported to 2.2.
2020-09-02 11:17:44 -04:00
{ "set-pathq", parse_set_req_line, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "set-query", parse_set_req_line, 0 },
{ "set-uri", parse_set_req_line, 0 },
MINOR: http-rules: Add a rule to enable or disable the strict rewriting mode It is now possible to explicitly instruct rewriting rules to be strict or not towards errors. It means that in this mode, an internal error is trigger if a rewrite rule fails. The HTTP action "strict-mode" can be used to enable or disable the strict rewriting mode. It can be used in an http-request and an http-response ruleset. For now, by default the strict rewriting mode is disabled. Because it is the current behavior. But it will be changed in another patch.
2019-12-20 04:07:22 -05:00
{ "strict-mode", parse_http_strict_mode, 0 },
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
{ "tarpit", parse_http_deny, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "track-sc", parse_http_track_sc, KWF_MATCH_PREFIX },
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
{ "set-timeout", parse_http_set_timeout, 0 },
MEDIUM: http-rules: Add wait-for-body action on request and response side Historically, an option was added to wait for the request payload (option http-buffer-request). This option has 2 drawbacks. First, it is an ON/OFF option for the whole proxy. It cannot be enabled on demand depending on the message. Then, as its name suggests, it only works on the request side. The only option to wait for the response payload was to write a dedicated filter. While it is an acceptable solution for complex applications, it is a bit overkill to simply match strings in the body. To make everyone happy, this patch adds a dedicated HTTP action to wait for the message payload, for the request or the response depending it is used in an http-request or an http-response ruleset. The time to wait is configurable and, optionally, the minimum payload size to have before stop to wait. Both the http action and the old http analyzer rely on the same internal function.
2021-03-29 04:46:38 -04:00
{ "wait-for-body", parse_http_wait_for_body, 0 },
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
{ NULL, NULL }
}
};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
static struct action_kw_list http_res_actions = {
.kw = {
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "add-acl", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "add-header", parse_http_set_header, 0 },
{ "allow", parse_http_allow, 0 },
{ "capture", parse_http_res_capture, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "del-acl", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "del-header", parse_http_del_header, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "del-map", parse_http_set_map, KWF_MATCH_PREFIX },
MINOR: http-rules: Use same function to parse request and response deny actions Because there is no more difference between http-request and http-response rules, the same function is now used to parse them.
2020-01-13 15:49:03 -05:00
{ "deny", parse_http_deny, 0 },
MINOR: action: add do-log action Thanks to the two previous commits, we can now expose the do-log action on all available action contexts, including the new quic-init context. Each context is responsible for exposing the do-log action by registering the relevant log steps, saving the idendifier, and then store it in the rule's context so that do_log_action() automatically uses it to produce the log during runtime. To use the feature, it is simply needed to use "do-log" (without argument) on an action directive, example: tcp-request connection do-log As mentioned before, each context where the action is exposed has its own log step identifier. Currently known identifiers are: quic-initial: quic-init tcp-request connection: tcp-req-conn tcp-request session: tcp-req-sess tcp-request content: tcp-req-cont tcp-response content: tcp-res-cont http-request: http-req http-response: http-res http-after-response: http-after-res Thus, these "additional" logging steps can be used as-is under log-profile section (after "on" keyword). However, although the parser will accept them, it makes no sense to use them with the "log-steps" proxy keyword, since the only path for these origins to trigger a log generation is through the explicit use of "do-log" action. This need was described in GH #401, it should help to conditionally trigger logs using ACL at specific key points.. and may either be used alone or combined with "log-steps" to add additional log "trackers" during transaction handling. Documentation was updated and some examples were added.
2024-09-20 03:34:13 -04:00
{ "do-log", parse_http_res_do_log, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "redirect", parse_http_redirect, 0 },
{ "replace-header", parse_http_replace_header, 0 },
{ "replace-value", parse_http_replace_header, 0 },
MEDIUM: http-rules: Add the return action to HTTP rules Thanks to this new action, it is now possible to return any responses from HAProxy, with any status code, based on an errorfile, a file or a string. Unlike the other internal messages generated by HAProxy, these ones are not interpreted as errors. And it is not necessary to use a file containing a full HTTP response, although it is still possible. In addition, using a log-format string or a log-format file, it is possible to have responses with a dynamic content. This action can be used on the request path or the response path. The only constraint is to have a responses smaller than a buffer. And to avoid any warning the buffer space reserved to the headers rewritting should also be free. When a response is returned with a file or a string as payload, it only contains the content-length header and the content-type header, if applicable. Here are examples: http-request return content-type image/x-icon file /var/www/favicon.ico \ if { path /favicon.ico } http-request return status 403 content-type text/plain \ lf-string "Access denied. IP %[src] is blacklisted." \ if { src -f /etc/haproxy/blacklist.lst }
2020-01-24 11:44:23 -05:00
{ "return", parse_http_return, 0 },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "set-header", parse_http_set_header, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "set-map", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http-rules: Register an action keyword for all http rules There are many specific http actions that don't use the action registration mechanism (allow, deny, set-header...). Instead, the parsing of these actions is inlined in the functions responsible to parse the http-request/http-response rules. There is no reason to not register an action keyword for all these actions. It it the purpose of this patch. The new functions responsible to parse these http actions are defined in http_act.c
2019-12-12 10:40:30 -05:00
{ "set-status", parse_http_set_status, 0 },
MINOR: http-rules: Add a rule to enable or disable the strict rewriting mode It is now possible to explicitly instruct rewriting rules to be strict or not towards errors. It means that in this mode, an internal error is trigger if a rewrite rule fails. The HTTP action "strict-mode" can be used to enable or disable the strict rewriting mode. It can be used in an http-request and an http-response ruleset. For now, by default the strict rewriting mode is disabled. Because it is the current behavior. But it will be changed in another patch.
2019-12-20 04:07:22 -05:00
{ "strict-mode", parse_http_strict_mode, 0 },
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
{ "track-sc", parse_http_track_sc, KWF_MATCH_PREFIX },
MINOR: support for http-response set-timeout Added set-timeout action for http-response. Adapted reg-tests and documentation.
2023-10-16 10:09:13 -04:00
{ "set-timeout", parse_http_set_timeout, 0 },
MEDIUM: http-rules: Add wait-for-body action on request and response side Historically, an option was added to wait for the request payload (option http-buffer-request). This option has 2 drawbacks. First, it is an ON/OFF option for the whole proxy. It cannot be enabled on demand depending on the message. Then, as its name suggests, it only works on the request side. The only option to wait for the response payload was to write a dedicated filter. While it is an acceptable solution for complex applications, it is a bit overkill to simply match strings in the body. To make everyone happy, this patch adds a dedicated HTTP action to wait for the message payload, for the request or the response depending it is used in an http-request or an http-response ruleset. The time to wait is configurable and, optionally, the minimum payload size to have before stop to wait. Both the http action and the old http analyzer rely on the same internal function.
2021-03-29 04:46:38 -04:00
{ "wait-for-body", parse_http_wait_for_body, 0 },
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
{ NULL, NULL }
}
};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, http_res_keywords_register, &http_res_actions);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
MEDIUM: http: Add a ruleset evaluated on all responses just before forwarding This patch introduces the 'http-after-response' rules. These rules are evaluated at the end of the response analysis, just before the data forwarding, on ALL HTTP responses, the server ones but also all responses generated by HAProxy. Thanks to this ruleset, it is now possible for instance to add some headers to the responses generated by the stats applet. Following actions are supported : * allow * add-header * del-header * replace-header * replace-value * set-header * set-status * set-var * strict-mode * unset-var
2020-01-22 03:26:35 -05:00
static struct action_kw_list http_after_res_actions = {
.kw = {
{ "add-header", parse_http_set_header, 0 },
{ "allow", parse_http_allow, 0 },
MINOR: http-rules: Add capture action to http-after-response ruleset It is now possible to perform captures on the response when http-after-response rules are evaluated. It may be handy to capture headers from responses generated by HAProxy. This patch is trivial, it may be backported if necessary.
2021-12-06 02:43:22 -05:00
{ "capture", parse_http_res_capture, 0 },
MINOR: http-rules: Add missing actions in http-after-response ruleset This patch adds the support of following actions in the http-after-response ruleset: * set-map, del-map and del-acl * set-log-level * sc-inc-gpc, sc-inc-gpc0 and set-inc-gpc1 * sc-inc-gpt and sc-set-gpt0 This patch should solve the issue #1980.
2023-01-05 05:17:38 -05:00
{ "del-acl", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http: Add a ruleset evaluated on all responses just before forwarding This patch introduces the 'http-after-response' rules. These rules are evaluated at the end of the response analysis, just before the data forwarding, on ALL HTTP responses, the server ones but also all responses generated by HAProxy. Thanks to this ruleset, it is now possible for instance to add some headers to the responses generated by the stats applet. Following actions are supported : * allow * add-header * del-header * replace-header * replace-value * set-header * set-status * set-var * strict-mode * unset-var
2020-01-22 03:26:35 -05:00
{ "del-header", parse_http_del_header, 0 },
MINOR: http-rules: Add missing actions in http-after-response ruleset This patch adds the support of following actions in the http-after-response ruleset: * set-map, del-map and del-acl * set-log-level * sc-inc-gpc, sc-inc-gpc0 and set-inc-gpc1 * sc-inc-gpt and sc-set-gpt0 This patch should solve the issue #1980.
2023-01-05 05:17:38 -05:00
{ "del-map", parse_http_set_map, KWF_MATCH_PREFIX },
MINOR: action: add do-log action Thanks to the two previous commits, we can now expose the do-log action on all available action contexts, including the new quic-init context. Each context is responsible for exposing the do-log action by registering the relevant log steps, saving the idendifier, and then store it in the rule's context so that do_log_action() automatically uses it to produce the log during runtime. To use the feature, it is simply needed to use "do-log" (without argument) on an action directive, example: tcp-request connection do-log As mentioned before, each context where the action is exposed has its own log step identifier. Currently known identifiers are: quic-initial: quic-init tcp-request connection: tcp-req-conn tcp-request session: tcp-req-sess tcp-request content: tcp-req-cont tcp-response content: tcp-res-cont http-request: http-req http-response: http-res http-after-response: http-after-res Thus, these "additional" logging steps can be used as-is under log-profile section (after "on" keyword). However, although the parser will accept them, it makes no sense to use them with the "log-steps" proxy keyword, since the only path for these origins to trigger a log generation is through the explicit use of "do-log" action. This need was described in GH #401, it should help to conditionally trigger logs using ACL at specific key points.. and may either be used alone or combined with "log-steps" to add additional log "trackers" during transaction handling. Documentation was updated and some examples were added.
2024-09-20 03:34:13 -04:00
{ "do-log", parse_http_after_res_do_log, 0 },
MEDIUM: http: Add a ruleset evaluated on all responses just before forwarding This patch introduces the 'http-after-response' rules. These rules are evaluated at the end of the response analysis, just before the data forwarding, on ALL HTTP responses, the server ones but also all responses generated by HAProxy. Thanks to this ruleset, it is now possible for instance to add some headers to the responses generated by the stats applet. Following actions are supported : * allow * add-header * del-header * replace-header * replace-value * set-header * set-status * set-var * strict-mode * unset-var
2020-01-22 03:26:35 -05:00
{ "replace-header", parse_http_replace_header, 0 },
{ "replace-value", parse_http_replace_header, 0 },
{ "set-header", parse_http_set_header, 0 },
MINOR: http-rules: Add missing actions in http-after-response ruleset This patch adds the support of following actions in the http-after-response ruleset: * set-map, del-map and del-acl * set-log-level * sc-inc-gpc, sc-inc-gpc0 and set-inc-gpc1 * sc-inc-gpt and sc-set-gpt0 This patch should solve the issue #1980.
2023-01-05 05:17:38 -05:00
{ "set-map", parse_http_set_map, KWF_MATCH_PREFIX },
MEDIUM: http: Add a ruleset evaluated on all responses just before forwarding This patch introduces the 'http-after-response' rules. These rules are evaluated at the end of the response analysis, just before the data forwarding, on ALL HTTP responses, the server ones but also all responses generated by HAProxy. Thanks to this ruleset, it is now possible for instance to add some headers to the responses generated by the stats applet. Following actions are supported : * allow * add-header * del-header * replace-header * replace-value * set-header * set-status * set-var * strict-mode * unset-var
2020-01-22 03:26:35 -05:00
{ "set-status", parse_http_set_status, 0 },
{ "strict-mode", parse_http_strict_mode, 0 },
{ NULL, NULL }
}
};
INITCALL1(STG_REGISTER, http_after_res_keywords_register, &http_after_res_actions);
REORG: http: move the code to different files The current proto_http.c file is huge and contains different processing domains making it very difficult to work on an alternative representation. This commit moves some parts to other files : - ACL registration code => http_acl.c This code only creates some ACL mappings and doesn't know anything about HTTP nor about the representation. This code could even have moved to acl.c but it was not worth polluting it again. - HTTP sample conversion => http_conv.c This code doesn't depend on the internal representation but definitely manipulates some HTTP elements, such as dates. It also has access to captures. - HTTP sample fetching => http_fetch.c This code does depend entirely on the internal representation but is totally independent on the analysers. Placing it into a different file will ease the transition to the new representation and the creation of a wrapper if required. An include file was created due to CHECK_HTTP_MESSAGE_FIRST() being used at various places. - HTTP action registration => http_act.c This code doesn't directly interact with the messages nor the transaction but it does so via some exported http functions like http_replace_req_line() or http_set_status() so it will be easier to change only this after the conversion. - a few very generic parts were found and moved to http.{c,h} as relevant. It is worth noting that the functions moved to these new files are not referenced anywhere outside of the files and are only called as registered callbacks, so these files do not even require associated include files.
2018-10-02 10:01:16 -04:00
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink