diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9442c2491..3ecca8593 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11304,6 +11304,13 @@ tcp-request content [{if | unless} ]
 the action, it is simply performed unconditionally. That can be useful for "track-sc*" actions as well as for changing the default action to a reject.
 
+ Note also that it is recommended to use a "tcp-request session" rule to track
+ information that does *not* depend on Layer 7 contents, especially for HTTP
+ frontends. Some HTTP processing are performed at the session level and may
+ lead to an early rejection of the requests. Thus, the tracking at the content
+ level may be disturbed in such case. A warning is emitted during startup to
+ prevent, as far as possible, such unreliable usage.
+
 It is perfectly possible to match layer 7 contents with "tcp-request content" rules from a TCP proxy, since HTTP-specific ACL matches are able to preliminarily parse the contents of a buffer before extracting the required
diff --git a/src/action.c b/src/action.c
index 6c4aa62a8..870a8393a 100644
--- a/src/action.c
+++ b/src/action.c
@@ -68,13 +68,30 @@ int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
 */
 }
 
- if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay &&
- !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
- ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request"
- " contents without any 'tcp-request inspect-delay' setting."
- " This means that this rule will randomly find its contents. This can be fixed by"
- " setting the tcp-request inspect-delay.\n",
- proxy_type_str(px), px->id);
+ if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) {
+ if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
+ ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request"
+ " contents without any 'tcp-request inspect-delay' setting."
+ " This means that this rule will randomly find its contents. This can be fixed by"
+ " setting the tcp-request inspect-delay.\n",
+ proxy_type_str(px), px->id);
+ }
+
+ /* The following warning is emitted because HTTP multiplexers are able to catch errors
+ * or timeouts at the session level, before instantiating any stream.
+ * Thus the tcp-request content ruleset will not be evaluated in such case. It means,
+ * http_req and http_err counters will not be incremented as expected, even if the tracked
+ * counter does not use the request content. To track invalid requests it should be
+ * performed at the session level using a tcp-request session rule.
+ */
+ if (px->mode == PR_MODE_HTTP &&
+ !(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) &&
+ (!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) {
+ ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule not depending on request"
+ " contents for an HTTP frontend should be executed at the session level, using a"
+ " 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n",
+ proxy_type_str(px), px->id);
+ }
 }
 
 return 1;
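Review bot: The request-content mask `SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO` is spelled out twice in the new `if (px->mode == PR_MODE_HTTP && ...)` condition, once against `fetch->use` and once against `rule->cond->use`; a single named local, e.g. `unsigned int l7_req_use = SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO;` tested as `!(rule->arg.trk_ctr.expr->fetch->use & l7_req_use)` and `!(rule->cond->use & l7_req_use)`, keeps the two checks from drifting apart when another request-side use flag is introduced. The comment above it explains the mechanism but not the consequence a deployer cares about: when the tracked counter (http_req or http_err, per the comment) feeds a rate-limit or reject decision, requests the mux drops before any stream exists are never counted, so an abuse threshold built on a `tcp-request content` track can presumably be undercut by exactly the malformed requests it is meant to catch; I would add a line such as `* Consequence: rate limits built on such a counter silently miss mux-rejected requests.` Since this is only an `ha_warning`, the configuration still loads with the weakened tracking unless the deployment treats warnings as fatal, which is worth stating in the doc hunk as well. `check_trk_action` begins before this hunk and its closing brace follows `return 1;` outside it.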