From ae3c01022622da4c1733a15f3f01cb8b9e82b382 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 28 Apr 2014 23:22:08 +0200 Subject: [PATCH] MEDIUM: http: factorize the "auth" action of http-request and stats Both use exactly the same mechanism, except for the choice of the default realm to be emitted when none is selected. It can be achieved by simply comparing the ruleset with the stats' for now. This achieves a significant code reduction and further, removes the dependence on the pointer to the final rule in the caller. --- src/proto_http.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index 3cfa8e2d3..8f2b99cbb 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -3186,6 +3186,7 @@ http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct session struct connection *cli_conn; struct http_req_rule *rule; struct hdr_ctx ctx; + const char *auth_realm; list_for_each_entry(rule, rules, list) { if (rule->action >= HTTP_REQ_ACT_MAX) @@ -3219,6 +3220,22 @@ http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct session return rule; case HTTP_REQ_ACT_AUTH: + /* Auth might be performed on regular http-req rules as well as on stats */ + auth_realm = rule->arg.auth.realm; + if (!auth_realm) { + if (px->uri_auth && rules == &px->uri_auth->http_req_rules) + auth_realm = STATS_DEFAULT_REALM; + else + auth_realm = px->id; + } + /* send 401/407 depending on whether we use a proxy or not. We still + * count one error, because normal browsing won't significantly + * increase the counter but brute force attempts will. + */ + chunk_printf(&trash, (txn->flags & TX_USE_PX_CONN) ? HTTP_407_fmt : HTTP_401_fmt, auth_realm); + txn->status = (txn->flags & TX_USE_PX_CONN) ? 407 : 401; + stream_int_retnclose(&s->si[0], &trash); + session_inc_http_err_ctr(s); return rule; case HTTP_REQ_ACT_REDIR: @@ -3816,7 +3833,6 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, struct http_req_rule *http_req_last_rule = NULL; struct redirect_rule *rule; struct cond_wordlist *wl; - const char *auth_realm = NULL; if (unlikely(msg->msg_state < HTTP_MSG_BODY)) { /* we need more data */ @@ -3857,12 +3873,8 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, goto done; /* we can be blocked here because the request needs to be authenticated. */ - if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) { - auth_realm = http_req_last_rule->arg.auth.realm; - if (!auth_realm) - auth_realm = px->id; - goto auth; - } + if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) + goto return_prx_cond; } /* OK at this stage, we know that the request was accepted according to @@ -3893,12 +3905,8 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, goto deny; /* stats auth / stats http-request auth ? */ - if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) { - auth_realm = http_req_last_rule->arg.auth.realm; - if (!auth_realm) - auth_realm = STATS_DEFAULT_REALM; - goto auth; - } + if (http_req_last_rule->action == HTTP_REQ_ACT_AUTH) + goto return_prx_cond; } } @@ -4009,16 +4017,6 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, s->listener->counters->denied_req++; goto done; - auth: /* send 401/407 depending on whether we use a proxy or not. We still - * count one error, because normal browsing won't significantly - * increase the counter but brute force attempts will. - */ - chunk_printf(&trash, (txn->flags & TX_USE_PX_CONN) ? HTTP_407_fmt : HTTP_401_fmt, auth_realm); - txn->status = (txn->flags & TX_USE_PX_CONN) ? 407 : 401; - stream_int_retnclose(req->prod, &trash); - session_inc_http_err_ctr(s); - goto return_prx_cond; - deny: /* this request was blocked (denied) */ txn->status = 403; s->logs.tv_request = now;