mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-22 14:21:25 +02:00
MEDIUM: Make 'block' directive fatal
It was deprecated with HAProxy 1.5. Time to remove it.
parent
a2913bed6b
commit
7b7c47f05c
@ -2342,7 +2342,6 @@ backlog X X X -
|
|||||||
balance X - X X
|
balance X - X X
|
||||||
bind - X X -
|
bind - X X -
|
||||||
bind-process X X X X
|
bind-process X X X X
|
||||||
block (deprecated) - X X X
|
|
||||||
capture cookie - X X -
|
capture cookie - X X -
|
||||||
capture request header - X X -
|
capture request header - X X -
|
||||||
capture response header - X X -
|
capture response header - X X -
|
||||||
@ -2993,35 +2992,6 @@ bind-process [ all | odd | even | <process_num>[-[<process_num>]] ] ...
|
|||||||
See also : "nbproc" in global section, and "process" in section 5.1.
|
See also : "nbproc" in global section, and "process" in section 5.1.
|
||||||
|
|
||||||
|
|
||||||
block { if | unless } <condition> (deprecated)
|
|
||||||
Block a layer 7 request if/unless a condition is matched
|
|
||||||
May be used in sections : defaults | frontend | listen | backend
|
|
||||||
no | yes | yes | yes
|
|
||||||
|
|
||||||
The HTTP request will be blocked very early in the layer 7 processing
|
|
||||||
if/unless <condition> is matched. A 403 error will be returned if the request
|
|
||||||
is blocked. The condition has to reference ACLs (see section 7). This is
|
|
||||||
typically used to deny access to certain sensitive resources if some
|
|
||||||
conditions are met or not met. There is no fixed limit to the number of
|
|
||||||
"block" statements per instance. To block connections at layer 4 (without
|
|
||||||
sending a 403 error) see "tcp-request connection reject" and
|
|
||||||
"tcp-request content reject" rules.
|
|
||||||
|
|
||||||
This form is deprecated, do not use it in any new configuration, use the new
|
|
||||||
"http-request deny" instead.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
|
|
||||||
acl invalid_src src_port 0:1023
|
|
||||||
acl local_dst hdr(host) -i localhost
|
|
||||||
# block is deprecated. Use http-request deny instead:
|
|
||||||
#block if invalid_src || local_dst
|
|
||||||
http-request deny if invalid_src || local_dst
|
|
||||||
|
|
||||||
See also : section 7 about ACL usage, "http-request deny",
|
|
||||||
"http-response deny", "tcp-request connection reject" and
|
|
||||||
"tcp-request content reject".
|
|
||||||
|
|
||||||
capture cookie <name> len <length>
|
capture cookie <name> len <length>
|
||||||
Capture and log a cookie in the request and in the response.
|
Capture and log a cookie in the request and in the response.
|
||||||
May be used in sections : defaults | frontend | listen | backend
|
May be used in sections : defaults | frontend | listen | backend
|
||||||
|
@ -249,7 +249,7 @@ extern unsigned int rlim_fd_max_at_boot;
|
|||||||
extern int atexit_flag;
|
extern int atexit_flag;
|
||||||
|
|
||||||
/* bit values to go with "warned" above */
|
/* bit values to go with "warned" above */
|
||||||
#define WARN_BLOCK_DEPRECATED 0x00000001
|
/* unassigned : 0x00000001 (previously: WARN_BLOCK_DEPRECATED) */
|
||||||
/* unassigned : 0x00000002 */
|
/* unassigned : 0x00000002 */
|
||||||
#define WARN_REDISPATCH_DEPRECATED 0x00000004
|
#define WARN_REDISPATCH_DEPRECATED 0x00000004
|
||||||
#define WARN_CLITO_DEPRECATED 0x00000008
|
#define WARN_CLITO_DEPRECATED 0x00000008
|
||||||
|
@ -1546,33 +1546,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
|
|||||||
curproxy->server_id_hdr_name = strdup(args[1]);
|
curproxy->server_id_hdr_name = strdup(args[1]);
|
||||||
curproxy->server_id_hdr_len = strlen(curproxy->server_id_hdr_name);
|
curproxy->server_id_hdr_len = strlen(curproxy->server_id_hdr_name);
|
||||||
}
|
}
|
||||||
else if (!strcmp(args[0], "block")) { /* early blocking based on ACLs */
|
else if (!strcmp(args[0], "block")) {
|
||||||
struct act_rule *rule;
|
ha_alert("parsing [%s:%d] : The '%s' directive is not supported anymore since HAProxy 2.1. Use 'http-request deny' which uses the exact same syntax.\n", file, linenum, args[0]);
|
||||||
|
|
||||||
if (curproxy == &defproxy) {
|
|
||||||
ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]);
|
|
||||||
err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* emulate "block" using "http-request block". Since these rules are supposed to
|
|
||||||
* be processed before all http-request rules, we put them into their own list
|
|
||||||
* and will insert them at the end.
|
|
||||||
*/
|
|
||||||
rule = parse_http_req_cond((const char **)args, file, linenum, curproxy);
|
|
||||||
if (!rule) {
|
|
||||||
err_code |= ERR_ALERT | ERR_ABORT;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
err_code |= warnif_misplaced_block(curproxy, file, linenum, args[0]);
|
|
||||||
err_code |= warnif_cond_conflicts(rule->cond,
|
|
||||||
(curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR,
|
|
||||||
file, linenum);
|
|
||||||
LIST_ADDQ(&curproxy->block_rules, &rule->list);
|
|
||||||
|
|
||||||
if (!already_warned(WARN_BLOCK_DEPRECATED))
|
|
||||||
ha_warning("parsing [%s:%d] : The '%s' directive is now deprecated in favor of 'http-request deny' which uses the exact same syntax. The rules are translated but support might disappear in a future version.\n", file, linenum, args[0]);
|
|
||||||
|
|
||||||
|
err_code |= ERR_ALERT | ERR_FATAL;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
else if (!strcmp(args[0], "redirect")) {
|
else if (!strcmp(args[0], "redirect")) {
|
||||||
struct redirect_rule *rule;
|
struct redirect_rule *rule;
|
||||||
|
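Review bot: The new alert in the `block` branch says `http-request deny` "uses the exact same syntax" but gives no hint that evaluation order can change. The removed code kept `block` rules on their own list because they were "supposed to be processed before all http-request rules", whereas a rule renamed in place is evaluated at its position among the other `http-request` rules. A configuration with an `http-request allow` above the former `block` line would then never reach the deny, so the access control weakens without any warning after migration. I would extend the message, e.g. `... Use 'http-request deny' which uses the exact same syntax, and place it before any other 'http-request' rule to keep the same evaluation order.\n`. Failing with `ERR_ALERT | ERR_FATAL` instead of ignoring the line is the right fail-closed choice; cfg_parse_listen starts and ends outside this hunk, and whether `curproxy->block_rules` and `warnif_misplaced_block()` are cleaned up elsewhere is not visible here.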