On Wed, Dec 08, 2010 at 10:42:42AM -0800, Dmitri Smirnov wrote:
> I think it is a bug. The manual said that monitor requests are responded 
> to before ACLs are evaluated. By ACLs I mean the acls like this:
> 
>    monitor-uri /status
>    acl valid_src1 hdr_ip(X-Forwarded-For) xxxxxx
>    acl valid_src2 hdr_ip(X-Forwarded-For) xxxxxx
>    tcp-request content reject unless valid_src1 or valid_src2
> 
> As soon as I remove the ACL check, monitor-uri starts responding.

That's expected, but the doc needs to be updated then. Monitor-uri
is handled before any other HTTP processing. But the tcp-request
ACLs are processed before HTTP, thus before monitor-uri. Also,
it's dangerous to put your tcp-request rules that way, because
they involve some HTTP. I hope you have an inspect-delay and a
rule that ensures you don't accept the request until the request
is completely parsed ("accept if HTTP or WAIT_END").

Regards,
Willy
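
The ordering described in the reply (tcp-request rules first, then monitor-uri, then the rest of HTTP processing), shown as an added configuration example that is not part of the original thread. Section names, addresses and ports are constructed, and replacing the tcp-request rule with an HTTP-level `http-request deny` is an assumption about what the poster wants, not something the reply prescribes.

```haproxy
# Added example: names, ports and addresses are constructed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :8080
    monitor-uri /status

    # Constructed stand-ins for the masked values in the original post.
    acl valid_src1 hdr_ip(X-Forwarded-For) 192.0.2.10
    acl valid_src2 hdr_ip(X-Forwarded-For) 198.51.100.0/24

    # Before: evaluated in the TCP content stage, ahead of all HTTP
    # processing, so a /status probe without a matching header is
    # rejected before monitor-uri is ever looked at.
    # tcp-request content reject unless valid_src1 or valid_src2

    # After: the same test as an HTTP-level rule. monitor-uri is answered
    # first, and the header is read from a completely parsed request.
    http-request deny unless valid_src1 or valid_src2

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8000
```

Unlike the tcp-request rule, the HTTP-level rule answers unmatched clients with a 403 instead of closing the connection. If the check stays in the TCP stage, the reply's point about an inspect-delay still applies.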