Hi,

On Wed, Apr 05, Willy Tarreau wrote:
> On Tue, Apr 04, 2017 at 04:05:23PM +0300, Jarno Huuskonen wrote:
> > Hi,
> >
> > On Tue, Apr 04, Aleksandar Lazic wrote:
> > > @Jarno: How about to add in the comment this information?
> > > Maybe some other users also assume that block means L4+L7
> >
> > How about something like this:
> (...)
>
> fine by me, please propose a complete patch with a commit message and
> I'll apply it.

I'm attaching the patch now. The second one adds missing status codes to
errorloc/errorloc302/errorloc303.

-Jarno

--
Jarno Huuskonen

>From 1463366655e45adc570436c2e2d4f01cbe9935b4 Mon Sep 17 00:00:00 2001 From: Jarno Huuskonen <[email protected]> Date: Thu, 6 Apr 2017 13:59:14 +0300 Subject: [PATCH 1/1] DOC: add layer 4 links/cross reference to "block" keyword. Idea from Aleksandar Lazic: add explanation/links about layer4 tcp-request connection or content reject to "block" keyword. Add http-request cross ref. to "tcp-request content". --- doc/configuration.txt | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 176a975..4244b7a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -2501,7 +2501,9 @@ block { if | unless } <condition> (deprecated) is blocked. The condition has to reference ACLs (see section 7). This is typically used to deny access to certain sensitive resources if some conditions are met or not met. There is no fixed limit to the number of - "block" statements per instance. + "block" statements per instance. To block connections at layer 4 (without + sending a 403 error) see "tcp-request connection reject" and + "tcp-request content reject" rules. This form is deprecated, do not use it in any new configuration, use the new "http-request deny" instead. @@ -2514,8 +2516,9 @@ block { if | unless } <condition> (deprecated) #block if invalid_src || local_dst http-request deny if invalid_src || local_dst - See section 7 about ACL usage. - + See also : section 7 about ACL usage, "http-request deny", + "http-response deny", "tcp-request connection reject" and + "tcp-request content reject". capture cookie <name> len <length> Capture and log a cookie in the request and in the response. 
@@ -9251,8 +9254,8 @@ tcp-request content <action> [{if | unless} <condition>] See section 7 about ACL usage. - See also : "tcp-request connection", "tcp-request session", and - "tcp-request inspect-delay" + See also : "tcp-request connection", "tcp-request session", + "tcp-request inspect-delay", and "http-request". tcp-request inspect-delay <timeout> -- 1.8.3.1
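Review bot: in the second hunk (@@ -2514,8 +2516,9 @@) the empty line removed together with "See section 7 about ACL usage." is not added back after the new "See also" block, so the "block" entry ends with one blank line fewer before "capture cookie" than it had. If the keyword entries in doc/configuration.txt are separated by a fixed number of blank lines, re-add an empty line after the line ending in "tcp-request content reject". so the "capture cookie" entry keeps the same spacing as its neighbours.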
>From 7d2ecd481c284d77bc6f089f9055c0e85033e126 Mon Sep 17 00:00:00 2001 From: Jarno Huuskonen <[email protected]> Date: Sat, 22 Apr 2017 11:26:50 +0300 Subject: [PATCH 1/1] DOC: errloc/errorloc302/errorloc303 missing status codes. errorloc/errorloc302/errorloc303 was missing some status codes that haproxy can generate. --- doc/configuration.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 4244b7a..a3afaea 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -3152,7 +3152,8 @@ errorloc302 <code> <url> yes | yes | yes | yes Arguments : <code> is the HTTP status code. Currently, HAProxy is capable of - generating codes 200, 400, 403, 408, 500, 502, 503, and 504. + generating codes 200, 400, 403, 405, 408, 429, 500, 502, 503, and + 504. <url> it is the exact contents of the "Location" header. It may contain either a relative URI to an error page hosted on the same site, @@ -3183,7 +3184,8 @@ errorloc303 <code> <url> yes | yes | yes | yes Arguments : <code> is the HTTP status code. Currently, HAProxy is capable of - generating codes 400, 403, 408, 500, 502, 503, and 504. + generating codes 200, 400, 403, 405, 408, 429, 500, 502, 503, and + 504. <url> it is the exact contents of the "Location" header. It may contain either a relative URI to an error page hosted on the same site, -- 1.8.3.1
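Review bot: in the errorloc303 hunk (@@ -3183,7 +3184,8 @@) the new list gains 200 as well as 405 and 429, whereas the errorloc302 hunk already listed 200 and only gains 405 and 429; the commit message says only that "some status codes" were missing. Please confirm that 200 is intended for errorloc303 and say so in the commit message. The two copies of this list had already drifted apart before this change, so it is also worth checking whether any other entry in doc/configuration.txt repeats the same list and needs the same update.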

