Re: Add 401, 403 retries at l7
:facepalm: Here is the good one

On 22 Nov 15:39, Tim Düsterhus wrote:
> Julien,
>
> On 22.11.20 at 15:24, Julien Pivotto wrote:
> > Here you go.
> >
>
> It looks like you sent the same patch again.
>
> Best regards
> Tim Düsterhus

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu

From daec1090f96ddc7c8dafce839fa847b8faee3776 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Thu, 12 Nov 2020 11:14:05 +0100
Subject: [PATCH] MINOR: Add level 7 retries on http error 401, 403

Level-7 retries are only possible with a restricted number of HTTP
return codes. While it is usually not safe to retry on 401 and 403, I
came up with an authentication backend which was not synchronizing
authentication of users. While not perfect, being allowed to also retry
on those return codes is really helpful and acts as a hotfix until we
can fix the backend.

Signed-off-by: Julien Pivotto
--- doc/configuration.txt | 9 + include/haproxy/proxy-t.h | 25 ++--- include/haproxy/proxy.h | 4 src/proxy.c | 4 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 2a7a9a508..234002294 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -9307,10 +9307,11 @@ retry-on [list of keywords] rejected by the server. These requests are generally considered to be safe to retry. -any HTTP status code among "404" (Not Found), "408" -(Request Timeout), "425" (Too Early), "500" (Server -Error), "501" (Not Implemented), "502" (Bad Gateway), -"503" (Service Unavailable), "504" (Gateway Timeout). +any HTTP status code among "401" (Unauthorized), "403" +(Forbidden), "404" (Not Found), "408" (Request Timeout), +"425" (Too Early), "500" (Server Error), "501" (Not +Implemented), "502" (Bad Gateway), "503" (Service +Unavailable), "504" (Gateway Timeout). all-retryable-errors retry request for any error that are considered 
diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h index 41aca9d39..998e210f6 100644 --- a/include/haproxy/proxy-t.h +++ b/include/haproxy/proxy-t.h @@ -175,17 +175,20 @@ enum PR_SRV_STATE_FILE { #define PR_RE_CONN_FAILED 0x0001 /* Retry if we failed to connect */ #define PR_RE_DISCONNECTED0x0002 /* Retry if we got disconnected with no answer */ #define PR_RE_TIMEOUT 0x0004 /* Retry if we got a server timeout before we got any data */ -#define PR_RE_404 0x0008 /* Retry if we got a 404 */ -#define PR_RE_408 0x0010 /* Retry if we got a 408 */ -#define PR_RE_425 0x0020 /* Retry if we got a 425 */ -#define PR_RE_500 0x0040 /* Retry if we got a 500 */ -#define PR_RE_501 0x0080 /* Retry if we got a 501 */ -#define PR_RE_502 0x0100 /* Retry if we got a 502 */ -#define PR_RE_503 0x0200 /* Retry if we got a 503 */ -#define PR_RE_504 0x0400 /* Retry if we got a 504 */ -#define PR_RE_STATUS_MASK (PR_RE_404 | PR_RE_408 | PR_RE_425 | \ - PR_RE_425 | PR_RE_500 | PR_RE_501 | \ - PR_RE_502 | PR_RE_503 | PR_RE_504) +#define PR_RE_401 0x0008 /* Retry if we got a 401 */ +#define PR_RE_403 0x0010 /* Retry if we got a 403 */ +#define PR_RE_404 0x0020 /* Retry if we got a 404 */ +#define PR_RE_408 0x0040 /* Retry if we got a 408 */ +#define PR_RE_425 0x0080 /* Retry if we got a 425 */ +#define PR_RE_500 0x0100 /* Retry if we got a 500 */ +#define PR_RE_501 0x0200 /* Retry if we got a 501 */ +#define PR_RE_502 0x0400 /* Retry if we got a 502 */ +#define PR_RE_503 0x0800 /* Retry if we got a 503 */ +#define PR_RE_504 0x1000 /* Retry if we got a 504 */ +#define PR_RE_STATUS_MASK (PR_RE_401 | PR_RE_403 | PR_RE_404 | \ + PR_RE_408 | PR_RE_425 | PR_RE_500 | \ + PR_RE_501 | PR_RE_502 | PR_RE_503 | \ + PR_RE_504) /* 0x0800, 0x1000, 0x2000, 0x4000 and 0x8000 unused, * reserved for eventual future status codes */ diff --git a/include/haproxy/proxy.h b/include/haproxy/proxy.h index fe253bf7f..f63f4a2cd 100644 --- a/include/haproxy/proxy.h +++ b/include/haproxy/proxy.h 
@@ -154,6 +154,10 @@ static inline int l7_status_match(struct proxy *p, int status) return 0;
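Review bot: The doc/configuration.txt hunk lists "401" (Unauthorized) and "403" (Forbidden) alongside the other retry-on status codes with no caveat, although the commit message itself says retrying on them is usually not safe. Suggest adding a sentence under this keyword saying that 401 and 403 are meant only as a workaround for backends whose authentication state is not synchronized, because otherwise a request the server has already rejected is simply sent again. The all-retryable-errors context line is cut off in this hunk, so it is worth confirming in the full file whether that keyword picks up the two new codes and documenting the answer.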
Re: Add 401, 403 retries at l7
Julien,

On 22.11.20 at 15:24, Julien Pivotto wrote:
> Here you go.
>

It looks like you sent the same patch again.

Best regards
Tim Düsterhus
Re: Add 401, 403 retries at l7
Here you go.

On 20 Nov 12:51, Christopher Faulet wrote:
> On 12/11/2020 at 11:18, Julien Pivotto wrote:
> > Dear,
> >
> > Please find a patch to add 401 and 403 l7 retries, see
> > https://github.com/haproxy/haproxy/issues/948
> >
>
> Thanks Julien. Sorry for the delay.
>
> Sure we can add it. However could you adapt your commit message to follow
> CONTRIBUTING advice (section 11)?
>
> --
> Christopher Faulet

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu

From f71e0b2eb69303fa59645fefda3960fb2a9eb7fb Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Thu, 12 Nov 2020 11:14:05 +0100
Subject: [PATCH] Add level 7 retries on http error 401, 403

Signed-off-by: Julien Pivotto
--- doc/configuration.txt | 9 + include/haproxy/proxy-t.h | 25 ++--- include/haproxy/proxy.h | 4 src/proxy.c | 4 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 2a7a9a508..234002294 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -9307,10 +9307,11 @@ retry-on [list of keywords] rejected by the server. These requests are generally considered to be safe to retry. -any HTTP status code among "404" (Not Found), "408" -(Request Timeout), "425" (Too Early), "500" (Server -Error), "501" (Not Implemented), "502" (Bad Gateway), -"503" (Service Unavailable), "504" (Gateway Timeout). +any HTTP status code among "401" (Unauthorized), "403" +(Forbidden), "404" (Not Found), "408" (Request Timeout), +"425" (Too Early), "500" (Server Error), "501" (Not +Implemented), "502" (Bad Gateway), "503" (Service +Unavailable), "504" (Gateway Timeout). all-retryable-errors retry request for any error that are considered diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h index 41aca9d39..998e210f6 100644 --- a/include/haproxy/proxy-t.h +++ b/include/haproxy/proxy-t.h 
@@ -175,17 +175,20 @@ enum PR_SRV_STATE_FILE { #define PR_RE_CONN_FAILED 0x0001 /* Retry if we failed to connect */ #define PR_RE_DISCONNECTED0x0002 /* Retry if we got disconnected with no answer */ #define PR_RE_TIMEOUT 0x0004 /* Retry if we got a server timeout before we got any data */ -#define PR_RE_404 0x0008 /* Retry if we got a 404 */ -#define PR_RE_408 0x0010 /* Retry if we got a 408 */ -#define PR_RE_425 0x0020 /* Retry if we got a 425 */ -#define PR_RE_500 0x0040 /* Retry if we got a 500 */ -#define PR_RE_501 0x0080 /* Retry if we got a 501 */ -#define PR_RE_502 0x0100 /* Retry if we got a 502 */ -#define PR_RE_503 0x0200 /* Retry if we got a 503 */ -#define PR_RE_504 0x0400 /* Retry if we got a 504 */ -#define PR_RE_STATUS_MASK (PR_RE_404 | PR_RE_408 | PR_RE_425 | \ - PR_RE_425 | PR_RE_500 | PR_RE_501 | \ - PR_RE_502 | PR_RE_503 | PR_RE_504) +#define PR_RE_401 0x0008 /* Retry if we got a 401 */ +#define PR_RE_403 0x0010 /* Retry if we got a 403 */ +#define PR_RE_404 0x0020 /* Retry if we got a 404 */ +#define PR_RE_408 0x0040 /* Retry if we got a 408 */ +#define PR_RE_425 0x0080 /* Retry if we got a 425 */ +#define PR_RE_500 0x0100 /* Retry if we got a 500 */ +#define PR_RE_501 0x0200 /* Retry if we got a 501 */ +#define PR_RE_502 0x0400 /* Retry if we got a 502 */ +#define PR_RE_503 0x0800 /* Retry if we got a 503 */ +#define PR_RE_504 0x1000 /* Retry if we got a 504 */ +#define PR_RE_STATUS_MASK (PR_RE_401 | PR_RE_403 | PR_RE_404 | \ + PR_RE_408 | PR_RE_425 | PR_RE_500 | \ + PR_RE_501 | PR_RE_502 | PR_RE_503 | \ + PR_RE_504) /* 0x0800, 0x1000, 0x2000, 0x4000 and 0x8000 unused, * reserved for eventual future status codes */ diff --git a/include/haproxy/proxy.h b/include/haproxy/proxy.h index fe253bf7f..f63f4a2cd 100644 --- a/include/haproxy/proxy.h +++ b/include/haproxy/proxy.h 
@@ -154,6 +154,10 @@ static inline int l7_status_match(struct proxy *p, int status) return 0; switch (status) { + case 401: + return (p->retry_type & PR_RE_401); + case 403: + return (p->retry_type & PR_RE_403); case 404:
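Review bot: In the include/haproxy/proxy-t.h hunk, the unchanged trailing comment still reads "0x0800, 0x1000, 0x2000, 0x4000 and 0x8000 unused", but the patch now assigns 0x0800 to PR_RE_503 and 0x1000 to PR_RE_504, so only 0x2000, 0x4000 and 0x8000 remain free. Either update that comment in the same patch, or give PR_RE_401 and PR_RE_403 the two previously free bits 0x0800 and 0x1000 so that the existing PR_RE_404 through PR_RE_504 values stay as they were and the change reduces to two new defines, the mask and the comment.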