Hi,

On Fri, Mar 31, Willy Tarreau wrote:
> On Fri, Mar 31, 2017 at 02:59:37PM +0300, Jarno Huuskonen wrote:
> > On Fri, Mar 31, Jarno Huuskonen wrote:
> > > First I'm attaching a patch that corrects ]) order for urlp_val
> > > and adds 'Example:' string to
> > > src_clr_gpc0,src_inc_gpc0,sc2_clr_gpc0,sc2_inc_gpc0,ssl_c_sha1
> > > (I assume that Example: is what generates the example formatting in
> > > html/dconv documentation).
> >
> > This time with correct attachment (patch).
>
> Now merged, and fixed the mangled subject line / commit message :
>
> Subject: [PATCH] DOC: urlp_val missing ) DOC:
> src_clr_gpc0,src_inc_gpc0,sc2_clr_gpc0,sc2_inc_gpc0,ssl_c_sha1 Example:
> string.
I'm attaching two more patches for configuration.txt (hopefully with better
subject/commit messages this time :)

First one updates "block" examples to use http-request deny.

Second one adds some comments to examples, and a few links/cross references,
and adds an ignore-persist example (from 7.2 Using ACLs to form conditions).

-Jarno

-- 
Jarno Huuskonen
>From 5b5e16daff85681eb11a786b8639adf1e3bdc2ae Mon Sep 17 00:00:00 2001 From: Jarno Huuskonen <[email protected]> Date: Mon, 3 Apr 2017 14:20:34 +0300 Subject: [PATCH 1/2] DOC: changed "block"(deprecated) examples to http-request deny --- doc/configuration.txt | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index e3f2b21..0c6816a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -2510,7 +2510,9 @@ block { if | unless } <condition> (deprecated) acl invalid_src src 0.0.0.0/7 224.0.0.0/3 acl invalid_src src_port 0:1023 acl local_dst hdr(host) -i localhost - block if invalid_src || local_dst + # block is deprecated. Use http-request deny instead: + #block if invalid_src || local_dst + http-request deny if invalid_src || local_dst See section 7 about ACL usage. @@ -12187,9 +12189,9 @@ requests with a content-length greater than 0, and finally every request which is not either GET/HEAD/POST/OPTIONS ! acl missing_cl hdr_cnt(Content-length) eq 0 - block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl - block if METH_GET HTTP_CONTENT - block unless METH_GET or METH_POST or METH_OPTIONS + http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl + http-request deny if METH_GET HTTP_CONTENT + http-request deny unless METH_GET or METH_POST or METH_OPTIONS To select a different backend for requests to static contents on the "www" site and to every request on the "img", "video", "download" and "ftp" hosts : 
@@ -12212,11 +12214,11 @@ the braces must be seen as independent words). Example : The following rule : acl missing_cl hdr_cnt(Content-length) eq 0 - block if METH_POST missing_cl + http-request deny if METH_POST missing_cl Can also be written that way : - block if METH_POST { hdr_cnt(Content-length) eq 0 } + http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 } It is generally not recommended to use this construct because it's a lot easier to leave errors in the configuration when written that way. However, for very @@ -12234,7 +12236,8 @@ good use is the following : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 } -See section 4.2 for detailed help on the "block" and "use_backend" keywords. +See section 4.2 for detailed help on the "http-request deny" and "use_backend" +keywords. 7.3. Fetching samples -- 1.8.3.1
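Review bot: In the hunk at @@ -2510 the old rule survives as a commented-out line (`#block if invalid_src || local_dst`) right under the deprecation comment; since this is the "block" keyword's own section, keeping the pair to show the one-to-one mapping is fine, but make the comment say so explicitly (e.g. `# "block" is deprecated; the equivalent rule is:`) and use the same spacing after `#` on both comment lines, so a reader does not take the commented line for a second, disabled rule.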
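Review bot: In the hunk at @@ -12234 the cross-reference now reads `"http-request deny" and "use_backend" keywords`, but "deny" is an action of the "http-request" keyword rather than a keyword of its own, which is how section 4.2 is indexed; consider `the "http-request" (deny action) and "use_backend" keywords` so readers looking in section 4.2 find the right entry.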
>From 2a4ef45b258b241c16c79bd183c2acc2a92bff03 Mon Sep 17 00:00:00 2001 From: Jarno Huuskonen <[email protected]> Date: Mon, 3 Apr 2017 14:36:21 +0300 Subject: [PATCH 2/2] DOC: add few comments to examples. - http-check expect rstring is missing html comment closing tag. - option redis-check: See also "option tcp-check", "tcp-check expect". - ignore-persist static url example ((from 7.2 Using ACLs to form conditions) - tcp-request content: hdr(x-forwarded-for) example: added hdr_ip(x-forwarded-for) version. - tcp-request content: added comments to sc0_inc_gpc0 stick table example. - timeout tarpit: mention http-request tarpit. --- doc/configuration.txt | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 0c6816a..176a975 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -3637,7 +3637,7 @@ http-check expect [!] <match> <pattern> http-check expect ! rstatus ^5 # check that we have a correct hexadecimal tag before /html - http-check expect rstring <!--tag:[0-9a-f]*</html> + http-check expect rstring <!--tag:[0-9a-f]*--></html> See also : "option httpchk", "http-check disable-on-404" @@ -4594,6 +4594,11 @@ ignore-persist { if | unless } <condition> The persistence is ignored when an "if" condition is met, or unless an "unless" condition is met. + Example: + acl url_static path_beg /static /images /img /css + acl url_static path_end .gif .png .jpg .css .js + ignore-persist if url_static + See also : "force-persist", "cookie", and section 7 about ACL usage. load-server-state-from-file { global | local | none } @@ -6285,7 +6290,7 @@ option redis-check Example : option redis-check - See also : "option httpchk" + See also : "option httpchk", "option tcp-check", "tcp-check expect" option smtpchk 
@@ -9212,9 +9217,11 @@ tcp-request content <action> [{if | unless} <condition>] tcp-request content reject Example: - # Track the last IP from X-Forwarded-For + # Track the last IP(stick-table type string) from X-Forwarded-For tcp-request inspect-delay 10s tcp-request content track-sc0 hdr(x-forwarded-for,-1) + # Or track the last IP(stick-table type ip|ipv6) from X-Forwarded-For + tcp-request content track-sc0 req.hdr_ip(x-forwarded-for,-1) Example: # track request counts per "base" (concatenation of Host+URL) @@ -9222,7 +9229,7 @@ tcp-request content <action> [{if | unless} <condition>] tcp-request content track-sc0 base table req-rate Example: track per-frontend and per-backend counters, block abusers at the - frontend when the backend detects abuse. + frontend when the backend detects abuse(and marks gpc0). frontend http # Use General Purpose Couter 0 in SC0 as a global abuse counter @@ -9238,7 +9245,7 @@ tcp-request content <action> [{if | unless} <condition>] # by SC1), block it globally in the frontend. stick-table type ip size 1m expire 5m store http_req_rate(10s) acl click_too_fast sc1_http_req_rate gt 10 - acl mark_as_abuser sc0_inc_gpc0 gt 0 + acl mark_as_abuser sc0_inc_gpc0(http) gt 0 tcp-request content track-sc1 src tcp-request content reject if click_too_fast mark_as_abuser 
@@ -9838,9 +9845,10 @@ timeout tarpit <timeout> can be in any other unit if the number is suffixed by the unit, as explained at the top of this document. - When a connection is tarpitted using "reqtarpit", it is maintained open with - no activity for a certain amount of time, then closed. "timeout tarpit" - defines how long it will be maintained open. + When a connection is tarpitted using "http-request tarpit" or + "reqtarpit", it is maintained open with no activity for a certain + amount of time, then closed. "timeout tarpit" defines how long it will + be maintained open. The value is specified in milliseconds by default, but can be in any other unit if the number is suffixed by the unit, as specified at the top of this -- 1.8.3.1
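Review bot: In the hunk at @@ -3637 the corrected pattern `<!--tag:[0-9a-f]*--></html>` still matches an empty tag (`<!--tag:--></html>`) because of the `*`, while the comment above it promises "a correct hexadecimal tag"; `[0-9a-f]+` would require at least one hex digit and match the stated intent.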
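Review bot: In the hunk at @@ -4594 the new example declares `url_static` twice (one `path_beg` line, one `path_end` line) without saying that the two declarations are OR'ed into a single ACL; since this is the first example in the "ignore-persist" section, a one-line comment such as `# do not persist on static objects` above the rule, in the style of the other examples in this file, would tell readers who have not reached section 7.2 what the rule is for.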
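Review bot: In the hunk at @@ -9212 the two alternatives use different fetch prefixes, `hdr(x-forwarded-for,-1)` and `req.hdr_ip(x-forwarded-for,-1)`; use the same form for both (either `hdr`/`hdr_ip` or `req.hdr`/`req.hdr_ip`) so that the only visible difference is the string-vs-ip conversion the comments describe, and add a space before the parenthesis in `IP(stick-table ...)` in both comments.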
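Review bot: In the hunk at @@ -9222 the added text "abuse(and marks gpc0)" needs a space before the parenthesis; while touching this example's heading, the unchanged context line "Use General Purpose Couter 0 in SC0" could get its "Couter" -> "Counter" fix in the same patch, since the commit message already lists this example under "added comments".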
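Review bot: In the hunk at @@ -9238 the change to `sc0_inc_gpc0(http)` is not explained: the commit message only says comments were added to the sc0_inc_gpc0 example, and the context shows sc0 is already tracked by the frontend named "http", so say (in the commit message or in a comment on the `acl mark_as_abuser` line) why the explicit table argument is needed here, otherwise a reader will not know whether the unqualified form was wrong or merely less clear.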
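Review bot: In the hunk at @@ -9838 the rewritten paragraph is wrapped at roughly 70 columns while the unchanged context around it wraps close to 80 (e.g. "can be in any other unit if the number is suffixed by the unit, as explained"); rewrap the four new lines to the surrounding width so the paragraph does not read as ragged.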

