Hi,
Willy Tarreau <[email protected]> wrote:
> Hi Maik,
>
> On Tue, May 12, 2009 at 01:36:46AM +0200, Maik Broemme wrote:
> > Hi,
> >
> > attached is a patch which fixes a configuration mistake regarding the
> > 'tcp-request' option. If you have the following in your configuration
> > file:
> >
> > acl localnet dst 10.0.0.0/8
> > tcp-request content reject if localnet
> >
> > This will work fine, but if you change the 'tcp-request' line and remove
> > the 'if' haproxy-1.3.17 will segfault, I think the following changelog
> > entry in 1.3.18 addresses this problem:
> >
> > [BUG] fix parser crash on unconditional tcp content rules
>
> yes precisely.
>
> > But now in 1.3.18 the default behaviour is a bit weird. If you remove
> > the 'if' statement the haproxy will reject every connection, regardless
> > of matching to 'localnet' or not and the configuration seems to be valid,
> > but which is definitely not what was expected.
>
> I can't reproduce the issue here. For me, what happens is the right thing :
>
> - the following config rejects everything :
>
> tcp-request content reject
>
> - the following config rejects everything which was not accepted :
>
> tcp-request content accept if <cond>
> tcp-request content reject
>
> - the following config rejects only everything which matches the condition :
>
> tcp-request content reject if <cond>
>
> The second case above was precisely what led me to discover the segfault
> bug, which was introduced in 1.3.17 with the refinement of the config
> warnings. But the behaviour has not changed since 1.3.16.
>
You have missed the non-working case. :-)
- the following config seems to be ok, but doesn't work as expected:
tcp-request content reject <cond>
This is just because of the missing 'if'; in 1.3.17 this missing 'if'
results in a crash. A crash isn't better, but in case of a crash you know
that something was misconfigured.
> > I have changed this to the following behaviour: If nothing is specified
> > after accept or reject the default condition will apply (like source and
> > documentation says) and if there is some parameter after accept or
> > reject it has to be 'if' or 'unless' anything else will result in:
> >
> > [ALERT] 131/012555 (27042) : parsing [/etc/haproxy/haproxy.cfg:94] :
> > 'tcp-request content reject' expects 'if', 'unless' or nothing, but
> > found 'localnet'
> > [ALERT] 131/012555 (27042) : Error reading configuration file :
> > /etc/haproxy/haproxy.cfg
> >
> > I think this is much more accurate. At least it took me some time to
> > verify why the hell my configuration file is valid, but did not work as
> > expected. :)
>
> in fact not, that's precisely what I don't want. To workaround the bug
> I encountered, I had to write that :
>
> tcp-request content accept if <cond>
> tcp-request content reject if TRUE
>
> That's pretty annoying. All conditional actions support either
> "if/unless cond" or unconditional execution if no condition is
> specified.
>
> Are you sure your config was OK ? Can you post the example which
> causes you trouble ? Maybe your example is right and the doc is
> wrong ;-)
>
Sure, I have attached the file. If you remove the 'if' in the
'tcp-request' the config file is ok, haproxy starts but every request
from everywhere is dropped.
> Regards,
> Willy
>
--Maik
# global configuration section.
global
maxconn 32768
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
quiet
# default configuration and timeouts.
defaults
log global
retries 10
maxconn 32768
timeout connect 60s
timeout server 60s
timeout client 60s
timeout queue 60s
timeout tarpit 60s
# service and balance configuration.
listen client-filter 10.0.1.7:10080
mode http
cookie SERVERID nocache
balance roundrobin
acl localnet-1 dst 192.168.0.0/16
acl localnet-2 dst 172.16.0.0/12
acl localnet-3 dst 10.0.0.0/8
tcp-request content reject if localnet-1
tcp-request content reject if localnet-2
tcp-request content reject if localnet-3
option forwardfor header X-Forwarded-For
option originalto header X-Original-To
option httpclose
server squid1 10.0.3.10:3128 cookie squid1 check inter 10s rise 1 fall 10
server squid2 10.0.3.11:3128 cookie squid2 check inter 10s rise 1 fall 10
server squid3 10.0.3.12:3128 cookie squid3 check inter 10s rise 1 fall 10
# service for client login.
listen client-login 10.0.1.7:10081
mode http
cookie SERVERID nocache
balance roundrobin
acl localnet-1 dst 192.168.0.0/16
acl localnet-2 dst 172.16.0.0/12
acl localnet-3 dst 10.0.0.0/8
tcp-request content reject if localnet-1
tcp-request content reject if localnet-2
tcp-request content reject if localnet-3
option forwardfor header X-Forwarded-For
option originalto header X-Original-To
option httpclose
server client1 217.172.174.165:80 cookie client1 check inter 10s rise 1 fall 10
# service for smtp redirect.
listen smtp-filter 10.0.1.7:10025
mode tcp
balance roundrobin
acl localnet-1 dst 192.168.0.0/16
acl localnet-2 dst 172.16.0.0/12
acl localnet-3 dst 10.0.0.0/8
tcp-request content reject if localnet-1
tcp-request content reject if localnet-2
tcp-request content reject if localnet-3
server smtp1 10.0.2.101:25
# service for pop3 redirect.
listen pop3-filter 10.0.1.7:10110
mode tcp
balance roundrobin
acl localnet-1 dst 192.168.0.0/16
acl localnet-2 dst 172.16.0.0/12
acl localnet-3 dst 10.0.0.0/8
tcp-request content reject if localnet-1
tcp-request content reject if localnet-2
tcp-request content reject if localnet-3
server pop31 10.0.2.101:110
# service for imap redirect.
listen imap-filter 10.0.1.7:10143
mode tcp
balance roundrobin
acl localnet-1 dst 192.168.0.0/16
acl localnet-2 dst 172.16.0.0/12
acl localnet-3 dst 10.0.0.0/8
tcp-request content reject if localnet-1
tcp-request content reject if localnet-2
tcp-request content reject if localnet-3
server imap1 10.0.2.101:143
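The failure mode discussed in this thread (a trailing token after 'tcp-request content reject' that is silently dropped, so the rule applies to every connection) can be caught before haproxy is started. The following is an added example, not code from the thread or from HAProxy itself: a small linter that applies the rule Maik's patch describes to each 'tcp-request content' line; the config text it scans is constructed from the examples in the thread.

```python
import re

# Added example for this thread, not HAProxy's own parser. It enforces the
# rule described by Maik's patch: after 'accept' or 'reject' the line must
# either end (unconditional rule, as in Willy's "reject everything" case) or
# continue with 'if <cond>' / 'unless <cond>'. Any other trailing token is an
# error, because haproxy 1.3.18 silently ignored it and applied the action
# to every connection.

RULE_RE = re.compile(r"^\s*tcp-request\s+content\s+(accept|reject)\b(.*)$")
KEYWORDS = ("if", "unless")


def classify_rule(line: str) -> str:
    """Classify one config line.

    Returns 'unconditional', 'conditional', 'error: <reason>', or 'skip' for
    lines that are not 'tcp-request content accept|reject' rules.
    """
    body = line.split("#", 1)[0].rstrip()      # drop trailing comment
    m = RULE_RE.match(body)
    if not m:
        return "skip"
    rest = m.group(2).split()
    if not rest:
        return "unconditional"
    if rest[0] not in KEYWORDS:
        return f"error: expects 'if', 'unless' or nothing, but found '{rest[0]}'"
    if len(rest) == 1:
        return f"error: '{rest[0]}' needs a condition"
    return "conditional"


def lint_config(text: str) -> dict:
    """Map 1-based line numbers to their classification for every rule line."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        status = classify_rule(line)
        if status != "skip":
            results[lineno] = status
    return results


# Constructed sample: the three shapes from the thread plus two broken ones.
SAMPLE_CFG = """\
listen client-filter 10.0.1.7:10080
    mode http
    acl localnet dst 10.0.0.0/8
    tcp-request content reject if localnet
    tcp-request content reject localnet
    tcp-request content accept unless localnet
    tcp-request content reject if
    tcp-request content reject
"""

if __name__ == "__main__":
    for lineno, status in lint_config(SAMPLE_CFG).items():
        print(f"line {lineno}: {status}")
```

Line 5 of the sample is exactly Maik's case: it parses in 1.3.18 but would reject all traffic, and the linter reports it instead.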