			
		
		
		
	This option had always been broken in HTX, which means that the first breakage appeared in 1.9, that it was broken by default in 2.0 and that no workaround existed starting with 2.1. The way this option works is particularly ill-suited to the rest of the configuration and to the internal architecture. It had some uses when it was introduced 14 years ago, but nowadays it is possible to do much better and more reliably using a set of "http-request set-dst" and "http-request set-uri" rules, which additionally are compatible with DNS resolution (via do-resolve) and are not exclusive to normal load balancing. The "option-http_proxy" example config file was updated to reflect this. The option is still parsed so that an error message gives hints about what to look for.
		
			
				
	
	
		
		
	
	
	
	
	
| #
 | |
| # demo config for Proxy mode
 | |
| # 
 | |
| 
 | |
# Process-wide settings for the demo forward proxy.
global
	# Upper bound on concurrent connections for the whole process.
	maxconn 20000

	# NOTE(review): a fixed FD limit of 16384 is lower than maxconn 20000;
	# confirm this is intended, since descriptor exhaustion under load would
	# turn into refused connections.
	ulimit-n 16384

	# Ship logs to the syslog listener on localhost, facility local0.
	log 127.0.0.1 local0

	# Run as a non-root uid/gid, confined to an empty directory, in background.
	uid 200
	gid 200
	chroot /var/empty
	daemon
 | |
| 
 | |
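# Client-facing side of the forward proxy: who may use it and where it may go.
frontend test-proxy
	bind 192.168.200.10:8080
	mode http
	log global
	option httplog
	option dontlognull
	maxconn 8000
	timeout client 30s

	# layer3: only this single client address may use the proxy at all.
	acl allow_host src 192.168.200.150/32
	http-request deny if !allow_host

	# layer7: prevent relaying into non-public networks. The destination is
	# taken from the IP literal in the request URL, so every internal range
	# has to be listed here before the backend connects to it.
	# RFC 1918 private ranges. 192.168.0.0 is a /16: the previous /24 left
	# most of 192.168.x.x reachable, including this proxy's own
	# 192.168.200.0 network.
	acl forbidden_dst url_ip 192.168.0.0/16
	acl forbidden_dst url_ip 172.16.0.0/12
	acl forbidden_dst url_ip 10.0.0.0/8
	# Loopback and link-local are not routable either and commonly expose
	# local-only services.
	acl forbidden_dst url_ip 127.0.0.0/8
	acl forbidden_dst url_ip 169.254.0.0/16
	# NOTE(review): only IPv4 literals are matched here; confirm how requests
	# whose URL authority is a hostname or an IPv6 literal are handled.
	http-request deny if forbidden_dst

	default_backend test-proxy-srv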
 | |
| 
 | |
| 
 | |
# Outbound side: connects to whatever address the request URL designates.
# The destination filtering is done by the frontend rules, which run first.
backend test-proxy-srv
	mode http
	timeout connect 5s
	timeout server 5s
	retries 2

	# layer7: anything other than GET is rejected.
	acl valid_method method GET
	http-request deny unless valid_method

	# Use the IP address and port from the URL's authority as the connection
	# destination, then rewrite the URI to path+query only so that the
	# scheme and authority are not forwarded.
	http-request set-dst url_ip
	http-request set-dst-port url_port
	http-request set-uri %[pathq]

	# 0.0.0.0 carries no fixed address: the connection goes to the
	# destination set by the set-dst rules above.
	server next-hop 0.0.0.0

	# layer7: refuse responses declared as audio/mp3.
	http-response deny if { res.hdr(content-type) audio/mp3 }
 |