diff options
author | Christopher Faulet <cfaulet@haproxy.com> | 2021-11-09 16:33:25 +0100 |
---|---|---|
committer | Christopher Faulet <cfaulet@haproxy.com> | 2021-11-09 18:02:36 +0100 |
commit | 46f46df300b5258f05e3bcf72e409f8629e8b63f (patch) | |
tree | 4e043ef25bcd2cd35630c1022603c30a668ed8e0 | |
parent | 15ae22c02cff36579be13c40bac1c37acc60d352 (diff) | |
download | haproxy-46f46df300b5258f05e3bcf72e409f8629e8b63f.tar.gz |
BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
A TCP/HTTP action can stop the rules evaluation. However, it should be
applied on the current section only. For instance, for http-requests rules,
an "allow" on a frontend must stop evaluation of rules defined in this
frontend. But the backend rules, if any, must still be evaluated.
For http-response rulesets, according the configuration manual, the same
must be true. Only "allow" action is concerned. However, since the
beginning, this action stops evaluation of all remaining rules, not only
those of the current section.
This patch may be backported to all supported versions. But it is not so
critical because the bug exists since a while. I doubt it will break any
existing configuration because the current behavior is
counterintuitive.
-rw-r--r-- | reg-tests/http-rules/h1or2_to_h1c.vtc | 2 | ||||
-rw-r--r-- | src/http_ana.c | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/reg-tests/http-rules/h1or2_to_h1c.vtc b/reg-tests/http-rules/h1or2_to_h1c.vtc index 182013b59..4263a2ae8 100644 --- a/reg-tests/http-rules/h1or2_to_h1c.vtc +++ b/reg-tests/http-rules/h1or2_to_h1c.vtc @@ -160,6 +160,8 @@ haproxy h1 -conf { http-response set-header sl1-crc "%[res.fhdr(sl1),crc32]" http-response set-header sl2-crc "%[res.fhdr(sl2),crc32]" http-response set-header hdr-crc "%[res.fhdr(hdr),crc32]" + http-response allow + http-response deny # must not be evaluated server s1 ${s1_addr}:${s1_port} } -start diff --git a/src/http_ana.c b/src/http_ana.c index c037261cf..341a9f870 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -1815,7 +1815,7 @@ int http_process_res_common(struct stream *s, struct channel *rep, int an_bit, s while (1) { /* evaluate http-response rules */ - if (ret == HTTP_RULE_RES_CONT) { + if (ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP) { struct list *def_rules, *rules; def_rules = ((cur_proxy->defpx && (cur_proxy == s->be || cur_proxy->defpx != s->be->defpx)) ? &cur_proxy->defpx->http_res_rules : NULL); |