Re: (in)sanity check on hdr_cnt
Whether I have the rules in the backend or the front does not seem to make a difference - I tried some rules in front and back and neither worked. Maybe I am missing something obvious. Thanks.

Example with config:

[haproxy]# wget -S -O - http://10.1.1.251:82/blank.gif
--2011-09-08 19:00:59-- http://10.1.1.251:82/blank.gif
Connecting to 10.1.1.251:82... connected.
HTTP request sent, awaiting response...

T 10.1.1.251:12427 -> 10.1.1.251:82 [AP]
GET /blank.gif HTTP/1.0..User-Agent: Wget/1.12 (linux-gnu)..Accept: */*..Host: 10.1.1.251:82..Connection: Keep-Alive

  HTTP/1.0 200 OK
  Server: thttpd
  Content-Type: image/gif
  Date: Fri, 09 Sep 2011 02:00:59 GMT
  Last-Modified: Wed, 07 Sep 2011 17:17:06 GMT
  Accept-Ranges: bytes
  Content-Length: 43
  X-nohdrsub: 1    < the only rsp hdr added is the negation of a hdr* acl
  Connection: keep-alive
Length: 43 [image/gif]
Saving to: “STDOUT”
2011-09-08 19:00:59 (8.57 MB/s) - written to stdout [43/43]

config file:

defaults
    #option splice-auto
    option tcp-smart-connect
    option http-server-close
    timeout queue 27s
    timeout http-request 5s
    timeout client 33s
    timeout connect 8s
    timeout server 33s
    timeout http-keep-alive 77s
    timeout tarpit 190s

global
    node hdr_cnt
    description hdr_cnt
    log localhost local1
    # log localhost local1 err
    maxconn 32768
    uid 99
    gid 99
    chroot /var/empty
    pidfile /var/run/haproxy.pid
    stats socket /tmp/hap.sock
    daemon
    quiet
    spread-checks 6

frontend hdr_cnt
    bind 10.0.1.251:82
    bind 10.0.1.252:82
    bind 10.0.1.253:82
    mode http
    log global
    option httplog
    option http-server-close
    option log-separate-errors
    maxconn 32768
    capture request header Host len 32
    capture request header User-Agent len 256
    capture request header Content-Length len 10
    capture request header Referer len 384
    capture request header Via len 64
    capture request header Cookie len 128
    capture response header Content-Length len 10
    default_backend www

backend www
    mode http
    balance roundrobin
    server www1 127.0.0.1:81 maxconn 10
    option http-server-close
    acl hashosthdr_via_hdrcntge1 hdr_cnt(Host) ge 1
    acl hashosthdr_via_hdrcntlt9 hdr_cnt(Host) lt 9
    acl hashosthdr_via_hdrsub hdr_sub(host) -i 10.1
    acl hasuahdr_via_hdrcntge1 hdr_cnt(User-Agent) ge 1
    acl hasuahdr_via_hdrcnt1 hdr_cnt(User-Agent) 1
    rspadd X-gothdrcntge1:\ 1 if hashosthdr_via_hdrcntge1
    rspadd X-gothdrcntlt9:\ 1 if hashosthdr_via_hdrcntlt9
    rspadd X-gothdrsub:\ 1 if hashosthdr_via_hdrsub
    rspadd X-nohdrsub:\ 1 if !hashosthdr_via_hdrsub
    rspadd X-gotuahdrcntge1:\ 1 if hasuahdr_via_hdrcntge1
    rspadd X-gotuahdrcnt1:\ 1 if hasuahdr_via_hdrcnt1

On 9/8/11 6:49 AM, Baptiste wrote:
> hi,
>
> where are you doing your ACLs?
> Frontend or backend?
>
> cheers
>
> On Thu, Sep 8, 2011 at 3:06 PM, Hank A. Paulson wrote:
> > does hdr_cnt not work or am I just completely unable to get an example that works?
> > I can't imagine it doesn't work but I have tried _many_ - some examples and nothing seems to work (maybe it is 40+ hrs):
> >
> > acl hdrcnttest hdr_cnt gt 0
> > reqadd x-has-host:\ YES if hdrcnttest
> >
> > acl hdrcnttest hdr_cnt(host) gt 0
> > reqadd x-has-host:\ YES if hdrcnttest
> >
> > acl hdrcnttest hdr_cnt(Host) gt 0
> > reqadd x-has-host:\ YES if hdrcnttest
> >
> > acl hdrcnttest hdr_cnt(Host) 1
> > reqadd x-has-host:\ YES if hdrcnttest
> >
> > reqadd x-has-host:\ YES if { hdr_cnt(Host) gt 0 }
> >
> > reqadd x-has-host:\ YES if { hdr_cnt(Host:) gt 0 }
> >
> > Nothing seems to work, I tried 1.4.15, 1.4.17 and I recompiled 1.4.17 without any options at all for make except linux26
> >
> > Other acl criteria seem to work as normal, just hdr_cnt...
> >
> > Thanks.
Re: New benchmark of HAProxy at 10 Gbps using Myricom's 10GbE NICs possible?
On Don 08.09.2011 07:51, Willy Tarreau wrote:
> Hi Aleks,
>
> On Thu, Sep 08, 2011 at 12:52:20AM +0200, Aleksandar Lazic wrote:
> > Hi Willy,
> >
> > I have taken a look at the last test on http://haproxy.1wt.eu/10g.html and thought it would be nice to see a test with the brand new 1.5 version.
> >
> > What do you think ;-)?
>
> I agree in principle, but you know, running benchmarks takes a *lot* of time. The main issue I'm having right now is that I don't have a 10Gb switch, so I'm running with direct-attached machines, with only one client, one proxy and one server. In such a setup, it's common to see all 3 machines at 100% CPU during some tests, and it's hard to tell the part caused by client, server or proxy. The worst case I had was to be limited to about 15 Gbps full duplex and not being able to determine which machine or NIC was causing this, as most PCI-e chipsets I've encountered in the past were not able to reach the line rate.
>
> I really need to build a lab with at least 5 machines (2 clients, 2 servers, one proxy and a switch). This is the only way to measure the impact on each component.
>
> Anyway, what I'm expecting from new 10G runs with 1.5 is to have the same data rate over the wire (since we're doing nothing for this, we just use splice() to ask the kernel to do the work for us), but see an increase in the amount of peak connections per second. This is especially important for systems dealing with DDoSes using stick-tables, as they need to get rid of a connection as soon as possible.

Well you are right.

I'm just a benchmark junkie and haven't such equipment here, so I thought you or someone on the list maybe has the possibility.

Well it was just for my curiosity.

BR
Aleks
Re: [PATCH] Read acl included files relative to the configuration file
On Thu, Sep 08, 2011 at 02:22:29PM +0200, Brane F. Gračnar wrote:
> On Thursday 08 of September 2011 11:21:34 Finn Arne Gangstad wrote:
> > On Thu, Sep 08, 2011 at 07:43:46AM +0200, Willy Tarreau wrote:
> > > Hi again,
> > >
> > > This morning I had a better idea : pass the "config directory" parameter
> > > on the command line and have haproxy chdir() to it. That way, everything
> > > specified after it is relative to this dir, and you don't need a full
> > > path for config files. Eg :
> > >
> > >     haproxy -C /etc/haproxy -f haproxy.cfg
> > >
> > > I think it's easier to explain and to understand than previous proposal,
> > > and it can completely solve your multi-machine issue (well doing "cd"
> > > before starting haproxy also does, but I agree it can be less convenient,
> > > especially when copy-pasting a command line from "ps").
>
> What about setting this variable by itself, for example, setting it by
> dirname(config_file) inside haproxy?

Because it's all but obvious for someone who doesn't know the product and has to manage it. And BTW, we have as many config files as we want, so that becomes impossible to sort out when they lie into different dirs.

Regards,
Willy
Re: [PATCH v2] *_dom matching header functions now also split on ":"
Heh. Too many different versions of this now, so faulty version was sent. Stripping delimiters at the end of the pattern was broken. The following needs to be applied on top: diff --git a/src/acl.c b/src/acl.c index cb49b43..1e8468e 100644 --- a/src/acl.c +++ b/src/acl.c @@ -591,7 +591,7 @@ static int match_word(struct acl_test *test, struct acl_pattern *pattern, delimi ps++; } - while (pl > 0 && IS_DELIMITER(*ps)) + while (pl > 0 && IS_DELIMITER(ps[pl - 1])) pl--; if (pl > test->len) - Finn Arne
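Review bot: the corrected trailing-strip loop indexes `ps[pl - 1]`, which stays in bounds only because `pl > 0` is tested first in the same condition, so that order needs to be kept if the condition is ever rewritten. Because this is sent as a fix to apply on top of v2, the intermediate commit still carries the loop that tests `*ps`, which can never strip a trailing delimiter once the leading loop has finished; folding the fix into a resent v3 would keep every commit in the series correct and bisectable.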
Re: Increase log size in config.
By the way, haproxy could be configured with default max size at 1024 and if we want to increase it by config it may be available (as long as we are not using a real syslog server).

My concern is about network device with UDP frame bigger than 1024 if anybody is aware of potential problem that could occur

2011/9/8 Graeme Donaldson

> Hi Damien
>
> I may be wrong, but as far as I can gather the 1024-byte limitation is
> imposed by the syslog protocol RFC (http://www.faqs.org/rfcs/rfc3164.html)
> and not HAproxy itself.
>
> Regards,
> Graeme.
>
> On 8 September 2011 16:09, Damien Hardy wrote:
>
>> Hello there.
>>
>> We are working on our realtime statistics of consultation platform based
>> on haproxy logs.
>> Our problem is that logs can capture HTTP headers but are limited to a
>> 1024 length string which is very short if Host: Referer: and User-Agent: are
>> captured as we are doing.
>>
>> Is it planned to set the max log size by config parameter.
>>
>> Do you know if there is any side effects increasing this value and rebuild
>> a package ?
>> The syslog server is a cloudera flume node located on the same server with
>> haproxy (flume is not able to read in a Unix socket as far as I know).
>>
>> Thank you.
>>
>> Best regards,
>>
>> --
>> Damien
Re: Increase log size in config.
Hi Graeme,

You are right so maybe it could be great that haproxy could log the full entry by other way than syslog
Using the Unix socket already existing could be tailed by any external program I suppose, and shouldn't be limited by a 1024 string maybe.

Regards,

--
Damien

2011/9/8 Graeme Donaldson

> Hi Damien
>
> I may be wrong, but as far as I can gather the 1024-byte limitation is
> imposed by the syslog protocol RFC (http://www.faqs.org/rfcs/rfc3164.html)
> and not HAproxy itself.
>
> Regards,
> Graeme.
>
> On 8 September 2011 16:09, Damien Hardy wrote:
>
>> Hello there.
>>
>> We are working on our realtime statistics of consultation platform based
>> on haproxy logs.
>> Our problem is that logs can capture HTTP headers but are limited to a
>> 1024 length string which is very short if Host: Referer: and User-Agent: are
>> captured as we are doing.
>>
>> Is it planned to set the max log size by config parameter.
>>
>> Do you know if there is any side effects increasing this value and rebuild
>> a package ?
>> The syslog server is a cloudera flume node located on the same server with
>> haproxy (flume is not able to read in a Unix socket as far as I know).
>>
>> Thank you.
>>
>> Best regards,
>>
>> --
>> Damien
Can HAProxy behave like NginX with option proxy_next_upstream?
Hi Everyone!

We moved from nginx to haproxy for load balancing and all has been great! All we did with nginx (as balancer) we have been able to do using haproxy, except for reprocessing a request on http error 5* from upstream servers as we did with nginx using option proxy_next_upstream.

Is there any way to achieve with haproxy the same as with nginx proxy_next_upstream [1]?

Best regards,

[1] http://wiki.nginx.org/HttpProxyModule#proxy_next_upstream

--
Ernesto Rodriguez Reina
Re: Increase log size in config.
Hi Damien

I may be wrong, but as far as I can gather the 1024-byte limitation is imposed by the syslog protocol RFC (http://www.faqs.org/rfcs/rfc3164.html) and not HAproxy itself.

Regards,
Graeme.

On 8 September 2011 16:09, Damien Hardy wrote:

> Hello there.
>
> We are working on our realtime statistics of consultation platform based on
> haproxy logs.
> Our problem is that logs can capture HTTP headers but are limited to a
> 1024 length string which is very short if Host: Referer: and User-Agent: are
> captured as we are doing.
>
> Is it planned to set the max log size by config parameter.
>
> Do you know if there is any side effects increasing this value and rebuild a
> package ?
> The syslog server is a cloudera flume node located on the same server with
> haproxy (flume is not able to read in a Unix socket as far as I know).
>
> Thank you.
>
> Best regards,
>
> --
> Damien
Increase log size in config.
Hello there.

We are working on our realtime statistics of consultation platform based on haproxy logs.
Our problem is that logs can capture HTTP headers but are limited to a 1024 length string which is very short if Host: Referer: and User-Agent: are captured as we are doing.

Is it planned to set the max log size by config parameter.

Do you know if there is any side effects increasing this value and rebuild a package ?
The syslog server is a cloudera flume node located on the same server with haproxy (flume is not able to read in a Unix socket as far as I know).

Thank you.

Best regards,

--
Damien
Re: Error 504
Yes ... Is it possible to improve my config?

On 08/09/11 15:50, « Baptiste » wrote:

>I can't see anything weird here.
>are the backend status "OK" on the haproxy http stat page?
>
>cheers
>
>On Thu, Sep 8, 2011 at 2:28 PM, Christophe Rahier wrote:
>> Hi,
>>
>> Here's my config. Webservers are IIS.
>>
>> global
>>     log 192.168.0.2 local0
>>     log 127.0.0.1 local1 notice
>>     maxconn 10240
>> defaults
>>     log global
>>     option dontlognull
>>     retries 2
>>     clitimeout 5
>>     srvtimeout 5
>>     contimeout 5
>>     timeout server 60s
>>
>> listen WebPlayer-Farm 192.168.0.2:80
>>     mode http
>>     option httplog
>>     balance source
>>     #balance leastconn
>>     option forwardfor
>>     stats enable
>>     option http-server-close
>>     server Player1 192.168.0.10:80 check
>>     server Player2 192.168.0.11:80 check
>>     server Player3 192.168.0.12:80 check
>>     server Player4 192.168.0.13:80 check
>>
>> listen WebPlayer-Farm-SSL 192.168.0.2:443
>>     mode tcp
>>     option ssl-hello-chk
>>     balance source
>>     server Player1 192.168.0.10:443 check
>>     server Player2 192.168.0.11:443 check
>>     server Player3 192.168.0.12:443 check
>>     server Player4 192.168.0.13:443 check
>>
>> listen Manager-Farm 192.168.0.2:81
>>     mode http
>>     option httplog
>>     balance source
>>     option forwardfor
>>     stats enable
>>     option http-server-close
>>     server Manager1 192.168.0.60:80 check
>>     server Manager2 192.168.0.61:80 check
>>
>> listen Manager-Farm-SSL 192.168.0.2:444
>>     mode tcp
>>     option ssl-hello-chk
>>     balance source
>>     server Manager1 192.168.0.60:443 check
>>     server Manager2 192.168.0.61:443 check
>>
>> listen info 192.168.0.2:90
>>     mode http
>>     balance source
>>     stats uri /
>>
>> Thanks for your help!
>>
>> Christophe
>>
>> On 08/09/11 14:16, « Baptiste » wrote:
>>
>>>Hello,
>>>
>>>you server might be very slow or your server timeout in your conf
>>>might be too low.
>>>
>>>If you can copy/paste your conf and tell us which version you're using
>>>and the underlying OS.
>>>
>>>cheers
>>>
>>>On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier wrote:
>>>> Hi,
>>>> I've a question about this error :
>>>>
>>>> 504 Gateway Time-out
>>>>
>>>> The server didn't respond in time.
>>>>
>>>> What could I check in my config ? I created 2 LB with a virtual IP and all
>>>> request are coming from the firewall to this IP.
>>>> I think it's possible, if needed, I can copy my configuration file.
>>>> Thanks for your help, I'm lost.
>>>> Regards, Christophe
Re: Error 504
I can't see anything weird here.
are the backend status "OK" on the haproxy http stat page?

cheers

On Thu, Sep 8, 2011 at 2:28 PM, Christophe Rahier wrote:
> Hi,
>
> Here's my config. Webservers are IIS.
>
> global
>     log 192.168.0.2 local0
>     log 127.0.0.1 local1 notice
>     maxconn 10240
> defaults
>     log global
>     option dontlognull
>     retries 2
>     clitimeout 5
>     srvtimeout 5
>     contimeout 5
>     timeout server 60s
>
> listen WebPlayer-Farm 192.168.0.2:80
>     mode http
>     option httplog
>     balance source
>     #balance leastconn
>     option forwardfor
>     stats enable
>     option http-server-close
>     server Player1 192.168.0.10:80 check
>     server Player2 192.168.0.11:80 check
>     server Player3 192.168.0.12:80 check
>     server Player4 192.168.0.13:80 check
>
> listen WebPlayer-Farm-SSL 192.168.0.2:443
>     mode tcp
>     option ssl-hello-chk
>     balance source
>     server Player1 192.168.0.10:443 check
>     server Player2 192.168.0.11:443 check
>     server Player3 192.168.0.12:443 check
>     server Player4 192.168.0.13:443 check
>
> listen Manager-Farm 192.168.0.2:81
>     mode http
>     option httplog
>     balance source
>     option forwardfor
>     stats enable
>     option http-server-close
>     server Manager1 192.168.0.60:80 check
>     server Manager2 192.168.0.61:80 check
>
> listen Manager-Farm-SSL 192.168.0.2:444
>     mode tcp
>     option ssl-hello-chk
>     balance source
>     server Manager1 192.168.0.60:443 check
>     server Manager2 192.168.0.61:443 check
>
> listen info 192.168.0.2:90
>     mode http
>     balance source
>     stats uri /
>
> Thanks for your help!
>
> Christophe
>
> On 08/09/11 14:16, « Baptiste » wrote:
>
>>Hello,
>>
>>you server might be very slow or your server timeout in your conf
>>might be too low.
>>
>>If you can copy/paste your conf and tell us which version you're using
>>and the underlying OS.
>>
>>cheers
>>
>>On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier wrote:
>>> Hi,
>>> I've a question about this error :
>>>
>>> 504 Gateway Time-out
>>>
>>> The server didn't respond in time.
>>>
>>> What could I check in my config ? I created 2 LB with a virtual IP and all
>>> request are coming from the firewall to this IP.
>>> I think it's possible, if needed, I can copy my configuration file.
>>> Thanks for your help, I'm lost.
>>> Regards, Christophe
(in)sanity check on hdr_cnt
does hdr_cnt not work or am I just completely unable to get an example that works?
I can't imagine it doesn't work but I have tried _many_ - some examples and nothing seems to work (maybe it is 40+ hrs):

acl hdrcnttest hdr_cnt gt 0
reqadd x-has-host:\ YES if hdrcnttest

acl hdrcnttest hdr_cnt(host) gt 0
reqadd x-has-host:\ YES if hdrcnttest

acl hdrcnttest hdr_cnt(Host) gt 0
reqadd x-has-host:\ YES if hdrcnttest

acl hdrcnttest hdr_cnt(Host) 1
reqadd x-has-host:\ YES if hdrcnttest

reqadd x-has-host:\ YES if { hdr_cnt(Host) gt 0 }

reqadd x-has-host:\ YES if { hdr_cnt(Host:) gt 0 }

Nothing seems to work, I tried 1.4.15, 1.4.17 and I recompiled 1.4.17 without any options at all for make except linux26

Other acl criteria seem to work as normal, just hdr_cnt...

Thanks.
Re: Error 504
Hi,

Here's my config. Webservers are IIS.

global
    log 192.168.0.2 local0
    log 127.0.0.1 local1 notice
    maxconn 10240
defaults
    log global
    option dontlognull
    retries 2
    clitimeout 5
    srvtimeout 5
    contimeout 5
    timeout server 60s

listen WebPlayer-Farm 192.168.0.2:80
    mode http
    option httplog
    balance source
    #balance leastconn
    option forwardfor
    stats enable
    option http-server-close
    server Player1 192.168.0.10:80 check
    server Player2 192.168.0.11:80 check
    server Player3 192.168.0.12:80 check
    server Player4 192.168.0.13:80 check

listen WebPlayer-Farm-SSL 192.168.0.2:443
    mode tcp
    option ssl-hello-chk
    balance source
    server Player1 192.168.0.10:443 check
    server Player2 192.168.0.11:443 check
    server Player3 192.168.0.12:443 check
    server Player4 192.168.0.13:443 check

listen Manager-Farm 192.168.0.2:81
    mode http
    option httplog
    balance source
    option forwardfor
    stats enable
    option http-server-close
    server Manager1 192.168.0.60:80 check
    server Manager2 192.168.0.61:80 check

listen Manager-Farm-SSL 192.168.0.2:444
    mode tcp
    option ssl-hello-chk
    balance source
    server Manager1 192.168.0.60:443 check
    server Manager2 192.168.0.61:443 check

listen info 192.168.0.2:90
    mode http
    balance source
    stats uri /

Thanks for your help!

Christophe

On 08/09/11 14:16, « Baptiste » wrote:

>Hello,
>
>you server might be very slow or your server timeout in your conf
>might be too low.
>
>If you can copy/paste your conf and tell us which version you're using
>and the underlying OS.
>
>cheers
>
>On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier wrote:
>> Hi,
>> I've a question about this error :
>>
>> 504 Gateway Time-out
>>
>> The server didn't respond in time.
>>
>> What could I check in my config ? I created 2 LB with a virtual IP and all
>> request are coming from the firewall to this IP.
>> I think it's possible, if needed, I can copy my configuration file.
>> Thanks for your help, I'm lost.
>> Regards, Christophe
Re: [PATCH] Read acl included files relative to the configuration file
On Thursday 08 of September 2011 11:21:34 Finn Arne Gangstad wrote:
> On Thu, Sep 08, 2011 at 07:43:46AM +0200, Willy Tarreau wrote:
> > Hi again,
> >
> > This morning I had a better idea : pass the "config directory" parameter
> > on the command line and have haproxy chdir() to it. That way, everything
> > specified after it is relative to this dir, and you don't need a full
> > path for config files. Eg :
> >
> >     haproxy -C /etc/haproxy -f haproxy.cfg
> >
> > I think it's easier to explain and to understand than previous proposal,
> > and it can completely solve your multi-machine issue (well doing "cd"
> > before starting haproxy also does, but I agree it can be less convenient,
> > especially when copy-pasting a command line from "ps").

What about setting this variable by itself, for example, setting it by dirname(config_file) inside haproxy?

Brane
Re: Error 504
Hello,

you server might be very slow or your server timeout in your conf might be too low.

If you can copy/paste your conf and tell us which version you're using and the underlying OS.

cheers

On Thu, Sep 8, 2011 at 1:35 PM, Christophe Rahier wrote:
> Hi,
> I've a question about this error :
>
> 504 Gateway Time-out
>
> The server didn't respond in time.
>
> What could I check in my config ? I created 2 LB with a virtual IP and all
> request are coming from the firewall to this IP.
> I think it's possible, if needed, I can copy my configuration file.
> Thanks for your help, I'm lost.
> Regards, Christophe
Error 504
Hi,
I've a question about this error :

504 Gateway Time-out

The server didn't respond in time.

What could I check in my config ? I created 2 LB with a virtual IP and all request are coming from the firewall to this IP.
I think it's possible, if needed, I can copy my configuration file.
Thanks for your help, I'm lost.
Regards, Christophe
[PATCH v2] *_dom matching header functions now also split on ":"
*_dom is mostly used for matching Host headers, and host headers may include port numbers. To avoid having to create multiple rules with and without : in hdr_dom rules, change the *_dom matching functions to also handle : as a delimiter. Typically there are rules like this in haproxy.cfg: acl is_foo hdr_dom(host) www.foo.com Most clients send "Host: www.foo.com" in their HTTP header, but some send "Host: www.foo.com:80" (which is allowed), and the above rule will now work for those clients as well. --- There are two versions here, one straightforward version which is more or less identical to the existing code in performance, and one optimized version which is significantly faster (at least on a 2 year old core2 and a i7-2600, all I have to test on). src/acl.c | 55 --- 1 files changed, 40 insertions(+), 15 deletions(-) diff --git a/src/acl.c b/src/acl.c index 9d9a746..cb49b43 100644 --- a/src/acl.c +++ b/src/acl.c 
@@ -546,12 +546,38 @@ int acl_match_sub(struct acl_test *test, struct acl_pattern *pattern) return ACL_PAT_FAIL; } +#if 0 +/* Straightforward implementation first - resaonably quick, but + can do better. */ +typedef const char *delimiter_mask_t; +#define DELIMITER_MASK(a,b,c,d) a b c d +#define IS_DELIMITER(c) (delimiter[0] == (c) || delimiter[1] == (c) || delimiter[2] == (c) || delimiter[3] == (c)) + +#else + +/* Fast version. Background: Fast way to find a zero byte in a word + * http://graphics.stanford.edu/~seander/bithacks.html#ZeroInWord + * hasZeroByte = (v - 0x01010101UL) & ~v & 0x80808080UL; + * + * To look for 4 different byte values, xor the word with those bytes and + * then check for zero bytes: + * + * v = (((unsigned char)c * 0x1010101U) ^ delimiter) + * where is the 4 byte values to look for (as an uint) + * and is the character that is being tested + */ +typedef unsigned int delimiter_mask_t; +#define DELIMITER_MASK(a,b,c,d) ((unsigned char)(*a) | (unsigned char)(*b) << 8 | (unsigned char)(*c) << 16 | (unsigned char)(*d) << 24) +#define IS_DELIMITER(c) (unsigned char)c * 0x1010101U) ^ delimiter) - 0x01010101) & ~(((unsigned char)c * 0x1010101U) ^ delimiter) & 0x80808080U) + +#endif + /* This one is used by other real functions. It checks that the pattern is * included inside the tested string, but enclosed between the specified - * delimitor, or a '/' or a '?' or at the beginning or end of the string. - * The delimitor is stripped at the beginning or end of the pattern. + * delimiters or at the beginning or end of the string. + * Delimiters are stripped at the beginning and end of the pattern. */ -static int match_word(struct acl_test *test, struct acl_pattern *pattern, char delim) +static int match_word(struct acl_test *test, struct acl_pattern *pattern, delimiter_mask_t delimiter) { int may_match, icase; char *c, *end; 
@@ -560,13 +586,12 @@ static int match_word(struct acl_test *test, struct acl_pattern *pattern, char d pl = pattern->len; ps = pattern->ptr.str; - while (pl > 0 && (*ps == delim || *ps == '/' || *ps == '?')) { + while (pl > 0 && IS_DELIMITER(*ps)) { pl--; ps++; } - while (pl > 0 && - (ps[pl - 1] == delim || ps[pl - 1] == '/' || ps[pl - 1] == '?')) + while (pl > 0 && IS_DELIMITER(*ps)) pl--; if (pl > test->len) @@ -576,7 +601,7 @@ static int match_word(struct acl_test *test, struct acl_pattern *pattern, char d icase = pattern->flags & ACL_PAT_F_IGNORE_CASE; end = test->ptr + test->len - pl; for (c = test->ptr; c <= end; c++) { - if (*c == '/' || *c == delim || *c == '?') { + if (IS_DELIMITER(*c)) { may_match = 1; continue; } @@ -587,12 +612,12 @@ static int match_word(struct acl_test *test, struct acl_pattern *pattern, char d if (icase) { if ((tolower(*c) == tolower(*ps)) && (strncasecmp(ps, c, pl) == 0) && - (c == end || c[pl] == '/' || c[pl] == delim || c[pl] == '?')) + (c == end || IS_DELIMITER(c[pl]))) return ACL_PAT_PASS; } else { if ((*c == *ps) && (strncmp(ps, c, pl) == 0) && - (c == end || c[pl] == '/' || c[pl] == delim || c[pl] == '?')) + (c == end || IS_DELIMITER(c[pl]))) return ACL_PAT_PASS; } may_match = 0; @@ -601,21 +626,21 @@ static int match_word(struct acl_test *test, struct acl_pattern *pattern, char d } /* Checks that the pattern is included inside the tested string, but enclosed - * between slashes or at the beginning or end of the string. Slashes at the - *
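Review bot: in the fast-path macros added by the @@ -546 hunk, `DELIMITER_MASK` computes `(unsigned char)(*d) << 24` after integer promotion to int, which overflows a 32-bit signed int for any delimiter byte of 0x80 or above; each operand should be cast to unsigned int before shifting. `IS_DELIMITER(c)` also uses `c` without parentheses, evaluates it twice, and silently depends on a caller variable named `delimiter`; a static inline function taking the mask and the byte would remove all three hazards at no cost. The `#if 0` variant is dead code, so the patch should carry only one implementation, and the new comment has a typo ("resaonably") and a `v = ...` explanation that no longer names the two operands it describes.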
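Review bot: in the @@ -560 hunk the second stripping loop tests `IS_DELIMITER(*ps)`, the first character of the pattern, where the removed lines tested `ps[pl - 1]`. Once the first loop has finished, `*ps` is no longer a delimiter (or `pl` is 0), so this loop never runs and trailing delimiters are never stripped from the pattern. It should read `while (pl > 0 && IS_DELIMITER(ps[pl - 1]))`.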
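The matching behaviour described in the patch message above, as an added example that is not HAProxy's code and not part of the patch. It goes one step beyond the message: besides accepting `www.foo.com:80`, a delimiter-bounded match also accepts longer host names that merely contain the pattern, so an exact comparison is shown next to it. The names `dom_match` and `host_equals` and the delimiter set `/ ? . :` are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Pack four delimiter bytes into one word; widen before shifting. */
static uint32_t delim_mask(unsigned char a, unsigned char b,
                           unsigned char c, unsigned char d)
{
    return (uint32_t)a | (uint32_t)b << 8 | (uint32_t)c << 16 | (uint32_t)d << 24;
}

/* Broadcast ch into all four bytes, XOR with the mask, then apply the
 * "zero byte in word" test: non-zero iff ch equals one of the delimiters. */
static int is_delim(uint32_t mask, unsigned char ch)
{
    uint32_t v = ((uint32_t)ch * 0x01010101U) ^ mask;
    return ((v - 0x01010101U) & ~v & 0x80808080U) != 0;
}

/* Delimiter-bounded, case-insensitive word match (assumed delimiter set).
 * Delimiters at both ends of the pattern are stripped first. */
int dom_match(const char *subject, const char *pattern)
{
    uint32_t mask = delim_mask('/', '?', '.', ':');
    size_t slen = strlen(subject), plen = strlen(pattern);

    while (plen > 0 && is_delim(mask, (unsigned char)pattern[0])) {
        pattern++;
        plen--;
    }
    while (plen > 0 && is_delim(mask, (unsigned char)pattern[plen - 1]))
        plen--;
    if (plen == 0 || plen > slen)
        return 0;

    for (size_t i = 0; i + plen <= slen; i++) {
        int starts = i == 0 || is_delim(mask, (unsigned char)subject[i - 1]);
        int ends = i + plen == slen ||
                   is_delim(mask, (unsigned char)subject[i + plen]);
        if (starts && ends && strncasecmp(subject + i, pattern, plen) == 0)
            return 1;
    }
    return 0;
}

/* Stricter check: the whole host must equal `expected` once an optional
 * ":port" suffix is dropped. Host names and IPv4 only; bracketed IPv6
 * literals are not handled by this sketch. */
int host_equals(const char *host_header, const char *expected)
{
    const char *colon = strrchr(host_header, ':');
    size_t hlen = colon ? (size_t)(colon - host_header) : strlen(host_header);

    return hlen == strlen(expected) &&
           strncasecmp(host_header, expected, hlen) == 0;
}

int main(void)
{
    /* Constructed Host header values, not taken from the thread. */
    const char *hosts[] = { "www.foo.com", "www.foo.com:80",
                            "www.foo.community", "www.foo.com.other.example:80" };

    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-30s dom_match=%d host_equals=%d\n", hosts[i],
               dom_match(hosts[i], "www.foo.com"),
               host_equals(hosts[i], "www.foo.com"));
    return 0;
}
```

Where an ACL gates access to a specific virtual host, the last constructed input is the case to check: the word match accepts it and the exact comparison does not.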
scope of acls
I was wondering if acls that I create in the frontend should be available in backends, too? I was getting errors when I tried but the error disappeared when I either moved the reqadd/rspadd to the frontend or if I used a predefined acl like LOCALHOST. Thanks.
Re: [PATCH] Read acl included files relative to the configuration file
On Thu, Sep 08, 2011 at 07:43:46AM +0200, Willy Tarreau wrote:
> Hi again,
>
> This morning I had a better idea : pass the "config directory" parameter
> on the command line and have haproxy chdir() to it. That way, everything
> specified after it is relative to this dir, and you don't need a full path
> for config files. Eg :
>
>     haproxy -C /etc/haproxy -f haproxy.cfg
>
> I think it's easier to explain and to understand than previous proposal,
> and it can completely solve your multi-machine issue (well doing "cd"
> before starting haproxy also does, but I agree it can be less convenient,
> especially when copy-pasting a command line from "ps").

Nice! That would be perfect, and also not make problems with any existing configuration. I'm making a new version of the other patch I sent right now, can look at this afterwards.

- Finn Arne