mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

[BUG] tarpit did not work anymore

Browse Source 
Tarpit was broken by recent splitting of analysers. It would still
let the connection go to the server due to a missing buffer_write_dis().
Also, it was performed too late (after content switching rules).
This commit is contained in:
Willy Tarreau 2009-08-31 00:17:18 +02:00
parent caf58986fb
commit c465fd7836
2 changed files with 26 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/proto_http.c
View File

@ -2092,6 +2092,25 @@ int http_process_req_common(struct session *s, struct buffer *req, int an_bit, s
stream_int_retnclose(req->prod, error_message(s, HTTP_ERR_403));
goto return_prx_cond;
}
/* When a connection is tarpitted, we use the tarpit timeout,
* which may be the same as the connect timeout if unspecified.
* If unset, then set it to zero because we really want it to
* eventually expire. We build the tarpit as an analyser.
*/
if (txn->flags & TX_CLTARPIT) {
buffer_erase(s->req);
/* wipe the request out so that we can drop the connection early
* if the client closes first.
*/
buffer_write_dis(req);
req->analysers = 0; /* remove switching rules etc... */
req->analysers |= AN_REQ_HTTP_TARPIT;
req->analyse_exp = tick_add_ifset(now_ms, s->be->timeout.tarpit);
if (!req->analyse_exp)
req->analyse_exp = tick_add(now_ms, 0);
return 1;
}
}
/* We might have to check for "Connection:" */
@ -2579,23 +2598,6 @@ int http_process_request(struct session *s, struct buffer *req, int an_bit)
buffer_set_rlim(req, req->size); /* no more rewrite needed */
s->logs.tv_request = now;
/* When a connection is tarpitted, we use the tarpit timeout,
* which may be the same as the connect timeout if unspecified.
* If unset, then set it to zero because we really want it to
* eventually expire. We build the tarpit as an analyser.
*/
if (txn->flags & TX_CLTARPIT) {
buffer_erase(s->req);
/* wipe the request out so that we can drop the connection early
* if the client closes first.
*/
buffer_write_dis(req);
req->analysers |= AN_REQ_HTTP_TARPIT;
req->analyse_exp = tick_add_ifset(now_ms, s->be->timeout.tarpit);
if (!req->analyse_exp)
req->analyse_exp = tick_add(now_ms, 0);
}
/* OK let's go on with the BODY now */
return 1;
@ -2633,6 +2635,7 @@ int http_process_tarpit(struct session *s, struct buffer *req, int an_bit)
* timeout. We just have to check that the client is still
* there and that the timeout has not expired.
*/
buffer_write_dis(req);
if ((req->flags & (BF_SHUTR|BF_READ_ERROR)) == 0 &&
!tick_is_expired(req->analyse_exp, now_ms))
return 0;

12
src/session.c
View File

@ -823,18 +823,18 @@ resync_stream_interface:
break;
}
if (s->req->analysers & AN_REQ_HTTP_INNER) {
last_ana |= AN_REQ_HTTP_INNER;
if (!http_process_request(s, s->req, AN_REQ_HTTP_INNER))
break;
}
if (s->req->analysers & AN_REQ_HTTP_TARPIT) {
last_ana |= AN_REQ_HTTP_TARPIT;
if (!http_process_tarpit(s, s->req, AN_REQ_HTTP_TARPIT))
break;
}
if (s->req->analysers & AN_REQ_HTTP_INNER) {
last_ana |= AN_REQ_HTTP_INNER;
if (!http_process_request(s, s->req, AN_REQ_HTTP_INNER))
break;
}
if (s->req->analysers & AN_REQ_HTTP_BODY) {
last_ana |= AN_REQ_HTTP_BODY;
if (!http_process_request_body(s, s->req, AN_REQ_HTTP_BODY))