diff --git a/doc/configuration.txt b/doc/configuration.txt
index b55a8077e..8b165f88a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2985,7 +2985,6 @@ max-keep-alive-queue X - X X
 maxconn X X X -
 mode X X X X
 monitor fail - X X -
-monitor-net X X X -
 monitor-uri X X X -
 option abortonclose (*) X - X X
 option accept-invalid-http-request (*) X X X -
@@ -7158,48 +7157,7 @@ monitor fail { if | unless } monitor-uri /site_alive monitor fail if site_dead - See also : "monitor-net", "monitor-uri", "errorfile", "errorloc" - - -monitor-net - Declare a source network which is limited to monitor requests - May be used in sections : defaults | frontend | listen | backend - yes | yes | yes | no - Arguments : - is the source IPv4 address or network which will only be able to - get monitor responses to any request. It can be either an IPv4 - address, a host name, or an address followed by a slash ('/') - followed by a mask. - - In TCP mode, any connection coming from a source matching will cause - the connection to be immediately closed without any log. This allows another - equipment to probe the port and verify that it is still listening, without - forwarding the connection to a remote server. - - In HTTP mode, a connection coming from a source matching will be - accepted, the following response will be sent without waiting for a request, - then the connection will be closed : "HTTP/1.0 200 OK". This is normally - enough for any front-end HTTP probe to detect that the service is UP and - running without forwarding the request to a backend server. Note that this - response is sent in raw format, without any transformation. This is important - as it means that it will not be SSL-encrypted on SSL listeners. - - Monitor requests are processed very early, just after tcp-request connection - ACLs which are the only ones able to block them. These connections are short - lived and never wait for any data from the client. They cannot be logged, and - it is the intended purpose. They are only used to report HAProxy's health to - an upper component, nothing more. Please note that "monitor fail" rules do - not apply to connections intercepted by "monitor-net". - - Last, please note that only one "monitor-net" statement can be specified in - a frontend. If more than one is found, only the last one will be considered. 
- - Example : - # addresses .252 and .253 are just probing us. - frontend www - monitor-net 192.168.0.252/31 - - See also : "monitor fail", "monitor-uri" + See also : "monitor-uri", "errorfile", "errorloc" monitor-uri @@ -7238,7 +7196,7 @@ monitor-uri mode http monitor-uri /haproxy_test - See also : "monitor fail", "monitor-net" + See also : "monitor fail" option abortonclose @@ -7555,7 +7513,7 @@ no option dontlognull If this option has been enabled in a "defaults" section, it can be disabled in a specific instance by prepending the "no" keyword before it. - See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and + See also : "log", "http-ignore-probes", "monitor-uri", and section 8 about logging. @@ -19321,11 +19279,8 @@ ask how to disable logging for those checks. There are three possibilities : setting "option dontlognull" in the frontend. It also disables logging of port scans, which may or may not be desired. - - if the connection come from a known source network, use "monitor-net" to - declare this network as monitoring only. Any host in this network will then - only be able to perform health checks, and their requests will not be - logged. This is generally appropriate to designate a list of equipment - such as other load-balancers. + - it is possible to use the "http-request set-log-level silent" action using + a variety of conditions (source networks, paths, user-agents, etc). - if the tests are performed on a known URI, use "monitor-uri" to declare this URI as dedicated to monitoring. Any host sending this request will diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h index 2181c811f..c29328c8c 100644 --- a/include/haproxy/listener-t.h +++ b/include/haproxy/listener-t.h 
@@ -90,7 +90,7 @@ enum li_state {
 #define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
 #define LI_O_TCP_L4_RULES 0x0010 /* run TCP L4 rules checks on the incoming connection */
 #define LI_O_TCP_L5_RULES 0x0020 /* run TCP L5 rules checks on the incoming session */
-#define LI_O_CHK_MONNET 0x0040 /* check the source against a monitor-net rule */
+/* unused 0x0040 */
 #define LI_O_ACC_PROXY 0x0080 /* find the proxied address in the first request line */
 #define LI_O_UNLIMITED 0x0100 /* listener not subject to global limits (peers & stats socket) */
 #define LI_O_TCP_FO 0x0200 /* enable TCP Fast Open (linux >= 3.7) */
diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h
index 18f6d554f..09eb9bc16 100644
--- a/include/haproxy/proxy-t.h
+++ b/include/haproxy/proxy-t.h
@@ -253,7 +253,6 @@ struct proxy {
 int options; /* PR_O_REDISP, PR_O_TRANSP, ... */
 int options2; /* PR_O2_* */
 int max_out_conns; /* Max number of idling connections we keep for a session */
- struct in_addr mon_net, mon_mask; /* don't forward connections from this net (network order) FIXME: should support IPv6 */
 unsigned int ck_opts; /* PR_CK_* (cookie options) */
 unsigned int fe_req_ana, be_req_ana; /* bitmap of common request protocol analysers for the frontend and backend */
 unsigned int fe_rsp_ana, be_rsp_ana; /* bitmap of common response protocol analysers for the frontend and backend */
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 211c4b605..97a97e746 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -369,8 +369,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 curproxy->timeout.tarpit = defproxy.timeout.tarpit;
 curproxy->timeout.httpreq = defproxy.timeout.httpreq;
 curproxy->timeout.httpka = defproxy.timeout.httpka;
- curproxy->mon_net = defproxy.mon_net;
- curproxy->mon_mask = defproxy.mon_mask;
 if (defproxy.monitor_uri)
 curproxy->monitor_uri = strdup(defproxy.monitor_uri);
 curproxy->monitor_uri_len = defproxy.monitor_uri_len;
@@ -662,17 +660,8 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 goto out;
 }
 else if (!strcmp(args[0], "monitor-net")) { /* set the range of IPs to ignore */
- if (!*args[1] || !str2net(args[1], 1, &curproxy->mon_net, &curproxy->mon_mask)) {
- ha_alert("parsing [%s:%d] : '%s' expects address[/mask].\n",
- file, linenum, args[0]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
- if (warnifnotcap(curproxy, PR_CAP_FE, file, linenum, args[0], NULL))
- err_code |= ERR_WARN;
-
- /* flush useless bits */
- curproxy->mon_net.s_addr &= curproxy->mon_mask.s_addr;
+ ha_alert("parsing [%s:%d] : 'monitor-net' doesn't exist anymore. Please use 'http-request return status 200 if { src %s }' instead.\n", file, linenum, args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
 }
 else if (!strcmp(args[0], "monitor-uri")) { /* set the URI to intercept */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 902fc0e14..cda259094 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -3726,9 +3726,6 @@ out_uri_auth_compat:
 if (!LIST_ISEMPTY(&curproxy->tcp_req.l5_rules))
 listener->options |= LI_O_TCP_L5_RULES;
 
- if (curproxy->mon_mask.s_addr)
- listener->options |= LI_O_CHK_MONNET;
-
 /* smart accept mode is automatic in HTTP mode */
 if ((curproxy->options2 & PR_O2_SMARTACC) ||
 ((curproxy->mode == PR_MODE_HTTP || listener->bind_conf->is_ssl) &&
diff --git a/src/session.c b/src/session.c
index ab023b448..da271cf87 100644
--- a/src/session.c
+++ b/src/session.c
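Review bot: In the `monitor-net` branch of the second hunk, the new `ha_alert` interpolates `args[1]` into the suggested replacement without checking it, so a bare `monitor-net` line (the case the removed `!*args[1]` test used to reject) prints an unusable hint of the form `{ src  }`; passing `*args[1] ? args[1] : "<address/mask>"` as the last argument keeps the hint well-formed. The trailing comment `/* set the range of IPs to ignore */` on the `else if` line now describes a fatal-error path and should be reworded, e.g. `/* removed keyword: report a migration hint */`. The suggested `http-request return status 200` is also only a partial equivalent: it applies to HTTP mode only and, per the documentation removed in this commit, the old check answered before any request data and could not be logged, whereas the new action runs after request parsing and is logged unless paired with `http-request set-log-level silent`, which the documentation hunk already recommends and the message could mention. `cfg_parse_listen` begins and ends outside the hunk.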
@@ -190,30 +190,6 @@ int session_accept_fd(struct listener *l, int cfd, struct sockaddr_storage *addr
 goto out_free_sess;
 }
 
- /* monitor-net and health mode are processed immediately after TCP
- * connection rules. This way it's possible to block them, but they
- * never use the lower data layers, they send directly over the socket,
- * as they were designed for. We first flush the socket receive buffer
- * in order to avoid emission of an RST by the system. We ignore any
- * error.
- */
- if (unlikely(((l->options & LI_O_CHK_MONNET) &&
- addr->ss_family == AF_INET &&
- (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr))) {
- /* we have 4 possibilities here :
- * - HTTP mode, from monitoring address => send "HTTP/1.0 200 OK"
- * - HEALTH mode with HTTP check => send "HTTP/1.0 200 OK"
- * - HEALTH mode without HTTP check => just send "OK"
- * - TCP mode from monitoring address => just close
- */
- if (l->rx.proto->drain)
- l->rx.proto->drain(cfd);
- if (p->mode == PR_MODE_HTTP)
- send(cfd, "HTTP/1.0 200 OK\r\n\r\n", 19, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE);
- ret = 0;
- goto out_free_sess;
- }
-
 /* Adjust some socket options */
 if (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6) {
 setsockopt(cfd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one));