On Fri, Jan 25, 2019 at 3:28 PM Willy Tarreau <w...@1wt.eu> wrote:

> On Fri, Jan 25, 2019 at 03:09:52PM +0100, Baptiste wrote:
> > Hi Willy,
> >
> > Thanks for the review!!!
> > I fixed most of the problems, but I have 3 points I'd like to discuss:
> >
> > > +  If an IP address can be found, it is stored into <var>. If any kind
> of
> > > > +  error occurs, then <var> is not set.
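Review bot: "then <var> is not set" in the second sentence of this doc text can be read either as "<var> is removed" or as "<var> is left as it was". Since the action only writes the variable when an IP is returned, say explicitly that <var> is left unmodified on error, so readers know an earlier value survives and that several do-resolve rules can be chained on the same variable.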
> > >
> > > Just to be sure, it is not set or not modified ? I guess the latter, which
> > > is fine.
> > >
> >
> > Yes, not set. So '-m found' can be used.
>
> So you actually *remove* the variable if you don't get a response,
> that's it ? I would have possibly found it more convenient to just
> stay on the not modified approach so that you could possibly chain
> multiple do-resolve actions and hope that at least one of them could
> pick the response. Think about environments where you have multiple
> sets of resolvers (internal, admin, internet) and for unknown names
> you don't know which one to ask so you ask all of them with 3
> different rules.
>

The code leaves the variable untouched. I just call vars_set_by_name() if an
IP is returned.
   http-request do-resolve(txn.myip,internal_dns,ipv4) hdr(Host),lower
   http-request do-resolve(txn.myip,external_dns,ipv4) hdr(Host),lower unless { var(txn.myip) -m found }
should work.


> > > +             struct sample *smp;
> > > > +
> > > > +             conn_get_from_addr(cli_conn);
> > > > +
> > > > +             smp = sample_fetch_as_type(px, sess, s,
> > > SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.dns.expr, SMP_T_STR);
> > > > +             if (smp) {
> > > > +                     char *fqdn;
> > > > +
> > > > +                     fqdn = smp->data.u.str.area;
> > > > +                     if (action_prepare_for_resolution(s, fqdn) ==
> -1) {
> > > > +                             ha_alert("Can't create DNS resolution
> for
> > > server 'http request action'\n");
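Review bot: "fqdn = smp->data.u.str.area" hands the raw sample buffer to action_prepare_for_resolution(s, fqdn) without its length (smp->data.u.str.data). Unless the sample is guaranteed to be NUL-terminated at this point, the callee has no way to know where the host name ends and may read past it; pass the length along with the pointer, or work on a terminated copy. The alert text "for server 'http request action'" is also misleading, since no server is involved in this path.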
> > >
> > > Please don't send runtime alerts. We've tried hard to clean them up so
> > > that they remain only during startup.
> > >
> >
> > In this function, I have a proxy structure. Should I use send_log() on it
> > to report the error?
>
> You could but then it'd be better to perform some form of rate-limiting.
> It is possible that the same reason causes the function to fail in loops
> for all requests and it's not very cool to spam logs with info that are
> already present in the request's failure anyway. In general an alert log
> is made so that someone can do something about it. What could be done
> however is to emit this error once if it's a matter of config, and to
> increment a counter reported in "show info". We already do this at some
> places, I just don't remember which ones :-)
>

Ok, I set up a global counter to track those errors. I call my
field INF_DORESOLVE_ERRORS and the
global variable is called dns_doresolve_errors.
A show info shows the following line:
  DoResolveErrors: 0

Let me know if that is ok for you this way.

Also, I am planning to allow this action at the "tcp-request content" layer,
to be able to execute it using SNI information.

Baptiste
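
An added illustration of the approach discussed in this thread (count every failure, keep the log output bounded); it is not code from the patch or from HAProxy, and every name in it is hypothetical:

```c
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* All names here are hypothetical; this is not HAProxy source. */
static atomic_ulong doresolve_errors;   /* would be exposed through a stats dump */

struct log_limit {
    time_t   window;    /* second the current window started */
    unsigned emitted;   /* lines written in that window */
    unsigned burst;     /* max lines allowed per second */
};

/* Count every failure; log at most `burst` of them per second.
 * Returns 1 if a line was logged, 0 if it was suppressed. */
static int report_resolve_error(struct log_limit *l, time_t now, const char *why)
{
    atomic_fetch_add(&doresolve_errors, 1);
    if (now != l->window) {
        l->window = now;
        l->emitted = 0;
    }
    if (l->emitted >= l->burst)
        return 0;
    l->emitted++;
    fprintf(stderr, "do-resolve: %s\n", why);
    return 1;
}

static unsigned long resolve_error_count(void)
{
    return atomic_load(&doresolve_errors);
}

/* Constructed scenario: n failing requests arriving in the same second. */
static unsigned simulate_burst(struct log_limit *l, time_t now, unsigned n)
{
    unsigned logged = 0;
    for (unsigned i = 0; i < n; i++)
        logged += report_resolve_error(l, now, "cannot create DNS resolution");
    return logged;
}

int main(void)
{
    struct log_limit l = { 0, 0, 5 };
    unsigned logged = simulate_burst(&l, time(NULL), 1000);
    printf("logged=%u counted=%lu\n", logged, resolve_error_count());
    return 0;
}
```

The limiter state is per caller and not thread-safe in this form; only the counter is atomic.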
