mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 23:01:24 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: http-rules: Update txn flags and status when a deny rule is executed

Browse Source 
When a deny rule is executed, the flag TX_CLDENY and the status code are set on
the HTTP transaction. Now, these steps are handled by the code executing the
deny rule. So into http_req_get_intercept_rule() for the request and
http_res_get_intercept_rule() for the response.
This commit is contained in:
Christopher Faulet 2020-01-13 16:40:13 +01:00
parent 76edc0f29c
commit b58f62b316
1 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/http_ana.c
View File

@ -51,7 +51,7 @@ static size_t http_fmt_req_line(const struct htx_sl *sl, char *str, size_t len);
static void http_debug_stline(const char *dir, struct stream *s, const struct htx_sl *sl); static void http_debug_stline(const char *dir, struct stream *s, const struct htx_sl *sl);
static void http_debug_hdr(const char *dir, struct stream *s, const struct ist n, const struct ist v); static void http_debug_hdr(const char *dir, struct stream *s, const struct ist n, const struct ist v);
static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status); static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s);
static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s); static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s);
static void http_manage_client_side_cookies(struct stream *s, struct channel *req); static void http_manage_client_side_cookies(struct stream *s, struct channel *req);
@ -472,7 +472,6 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
struct htx *htx; struct htx *htx;
struct redirect_rule *rule; struct redirect_rule *rule;
enum rule_result verdict; enum rule_result verdict;
int deny_status = HTTP_ERR_403;
struct connection *conn = objt_conn(sess->origin); struct connection *conn = objt_conn(sess->origin);
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) { if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
@ -491,7 +490,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
/* evaluate http-request rules */ /* evaluate http-request rules */
if (!LIST_ISEMPTY(&px->http_req_rules)) { if (!LIST_ISEMPTY(&px->http_req_rules)) {
verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status); verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
switch (verdict) { switch (verdict) {
case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */ case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
@ -548,7 +547,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
/* parse the whole stats request and extract the relevant information */ /* parse the whole stats request and extract the relevant information */
http_handle_stats(s, req); http_handle_stats(s, req);
verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status); verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
/* not all actions implemented: deny, allow, auth */ /* not all actions implemented: deny, allow, auth */
if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */ if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
@ -640,8 +639,6 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
*/ */
channel_dont_connect(req); channel_dont_connect(req);
txn->status = http_err_codes[deny_status];
req->analysers &= AN_REQ_FLT_END; /* remove switching rules etc... */ req->analysers &= AN_REQ_FLT_END; /* remove switching rules etc... */
req->analysers |= AN_REQ_HTTP_TARPIT; req->analysers |= AN_REQ_HTTP_TARPIT;
req->analyse_exp = tick_add_ifset(now_ms, s->be->timeout.tarpit); req->analyse_exp = tick_add_ifset(now_ms, s->be->timeout.tarpit);
@ -662,8 +659,6 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
if (s->be->cookie_name || sess->fe->capture_name) if (s->be->cookie_name || sess->fe->capture_name)
http_manage_client_side_cookies(s, req); http_manage_client_side_cookies(s, req);
txn->flags |= TX_CLDENY;
txn->status = http_err_codes[deny_status];
s->logs.tv_request = now; s->logs.tv_request = now;
stream_inc_http_err_ctr(s); stream_inc_http_err_ctr(s);
_HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_req, 1); _HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_req, 1);
@ -2141,8 +2136,6 @@ int http_process_res_common(struct stream *s, struct channel *rep, int an_bit, s
return 1; return 1;
deny: deny:
txn->flags |= TX_CLDENY;
txn->status = 502;
_HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_resp, 1); _HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_resp, 1);
_HA_ATOMIC_ADD(&s->be->be_counters.denied_resp, 1); _HA_ATOMIC_ADD(&s->be->be_counters.denied_resp, 1);
if (sess->listener->counters) if (sess->listener->counters)
@ -2810,7 +2803,7 @@ int http_res_set_status(unsigned int status, struct ist reason, struct stream *s
* status. * status.
*/ */
static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules, static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules,
struct stream *s, int *deny_status) struct stream *s)
{ {
struct session *sess = strm_sess(s); struct session *sess = strm_sess(s);
struct http_txn *txn = s->txn; struct http_txn *txn = s->txn;
@ -2880,6 +2873,9 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
rule_ret = HTTP_RULE_RES_DONE; rule_ret = HTTP_RULE_RES_DONE;
goto end; goto end;
case ACT_RET_DENY: case ACT_RET_DENY:
txn->flags |= TX_CLDENY;
if (txn->status == -1)
txn->status = 403;
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;
case ACT_RET_ABRT: case ACT_RET_ABRT:
@ -2899,15 +2895,14 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
goto end; goto end;
case ACT_ACTION_DENY: case ACT_ACTION_DENY:
if (deny_status) txn->flags |= TX_CLDENY;
*deny_status = rule->arg.http.i; txn->status = http_err_codes[rule->arg.http.i];
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;
case ACT_HTTP_REQ_TARPIT: case ACT_HTTP_REQ_TARPIT:
txn->flags |= TX_CLTARPIT; txn->flags |= TX_CLTARPIT;
if (deny_status) txn->status = http_err_codes[rule->arg.http.i];
*deny_status = rule->arg.http.i;
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;
@ -3055,6 +3050,9 @@ resume_execution:
rule_ret = HTTP_RULE_RES_DONE; rule_ret = HTTP_RULE_RES_DONE;
goto end; goto end;
case ACT_RET_DENY: case ACT_RET_DENY:
txn->flags |= TX_CLDENY;
if (txn->status == -1)
txn->status = 502;
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;
case ACT_RET_ABRT: case ACT_RET_ABRT:
@ -3074,6 +3072,8 @@ resume_execution:
goto end; goto end;
case ACT_ACTION_DENY: case ACT_ACTION_DENY:
txn->flags |= TX_CLDENY;
txn->status = 502;
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;