DOC: Fix usage/examples of deprecated ACLs

Some examples or references were still using deprecated ACL variants.

Signed-off-by: Christian Ruppert <idl0r@qasl.de>
This commit is contained in:
Christian Ruppert 2022-02-20 22:54:01 +01:00 committed by Willy Tarreau
parent a0a6911bde
commit 59e66e30c2


@ -4056,7 +4056,7 @@ balance url_param <param> [check_post]
rdp-cookie(<name>) rdp-cookie(<name>)
The RDP cookie <name> (or "mstshash" if omitted) will be The RDP cookie <name> (or "mstshash" if omitted) will be
looked up and hashed for each incoming TCP request. Just as looked up and hashed for each incoming TCP request. Just as
with the equivalent ACL 'req_rdp_cookie()' function, the name with the equivalent ACL 'req.rdp_cookie()' function, the name
is not case-sensitive. This mechanism is useful as a degraded is not case-sensitive. This mechanism is useful as a degraded
persistence mode, as it makes it possible to always send the persistence mode, as it makes it possible to always send the
same user (or the same session ID) to the same server. If the same user (or the same session ID) to the same server. If the
@ -4066,14 +4066,12 @@ balance url_param <param> [check_post]
Note that for this to work, the frontend must ensure that an Note that for this to work, the frontend must ensure that an
RDP cookie is already present in the request buffer. For this RDP cookie is already present in the request buffer. For this
you must use 'tcp-request content accept' rule combined with you must use 'tcp-request content accept' rule combined with
a 'req_rdp_cookie_cnt' ACL. a 'req.rdp_cookie_cnt' ACL.
This algorithm is static by default, which means that This algorithm is static by default, which means that
changing a server's weight on the fly will have no effect, changing a server's weight on the fly will have no effect,
but this can be changed using "hash-type". but this can be changed using "hash-type".
See also the rdp_cookie pattern fetch function.
<arguments> is an optional list of arguments which may be needed by some <arguments> is an optional list of arguments which may be needed by some
algorithms. Right now, only "url_param" and "uri" support an algorithms. Right now, only "url_param" and "uri" support an
optional argument. optional argument.
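Review bot: Dropping the "See also the rdp_cookie pattern fetch function." line removes the only pointer from the "balance rdp-cookie" text to the sample fetch that this algorithm relies on; since the ACL derivative and the fetch now share the name "req.rdp_cookie", consider replacing the line with "See also the req.rdp_cookie sample fetch" rather than deleting it, so readers still find the fetch's own entry (offset, case handling, deprecated alias) from here.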
@ -9985,8 +9983,7 @@ persist rdp-cookie(<name>)
server srv1 1.1.1.1:3389 server srv1 1.1.1.1:3389
server srv2 1.1.1.2:3389 server srv2 1.1.1.2:3389
See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and See also : "balance rdp-cookie", "tcp-request" and the "req.rdp_cookie" ACL.
the rdp_cookie pattern fetch function.
rate-limit sessions <rate> rate-limit sessions <rate>
@ -11607,8 +11604,8 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>]
# maximum SSL session ID length is 32 bytes. # maximum SSL session ID length is 32 bytes.
stick-table type binary len 32 size 30k expire 30m stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1 acl clienthello req.ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2 acl serverhello rep.ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello. # use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s tcp-request inspect-delay 5s
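Review bot: "acl serverhello rep.ssl_hello_type 2" looks wrong: every other response-side keyword this patch introduces uses the "res." prefix (res.hdr, res.cook_cnt, res.len), and "rep." is the prefix of the deprecated underscore form only, so the non-deprecated name here should be "res.ssl_hello_type". Please check the fetch's own entry in this file before merging; as written, a user copying this example into a configuration would get a keyword that is not the documented one.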
@ -11622,10 +11619,10 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>]
# at offset 44. # at offset 44.
# Match and learn on request if client hello. # Match and learn on request if client hello.
stick on payload_lv(43,1) if clienthello stick on req.payload_lv(43,1) if clienthello
# Learn on response if server hello. # Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello stick store-response resp.payload_lv(43,1) if serverhello
server s1 192.168.1.1:443 server s1 192.168.1.1:443
server s2 192.168.1.1:443 server s2 192.168.1.1:443
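Review bot: "stick store-response resp.payload_lv(43,1)" uses a "resp." prefix that appears nowhere else in this patch for response-side fetches, which consistently use "res." (res.hdr, res.cook_cnt, res.len); the request side of the same example was correctly changed to "req.payload_lv", so the response side should be "res.payload_lv". Please verify against the payload_lv fetch entry, since a wrong keyword in a stick rule is a configuration parse error rather than a silent no-op.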
@ -12349,12 +12346,12 @@ tcp-request content <action> [{if | unless} <condition>]
Example: Example:
# reject SMTP connection if client speaks first # reject SMTP connection if client speaks first
tcp-request inspect-delay 30s tcp-request inspect-delay 30s
acl content_present req_len gt 0 acl content_present req.len gt 0
tcp-request content reject if content_present tcp-request content reject if content_present
# Forward HTTPS connection only if client speaks # Forward HTTPS connection only if client speaks
tcp-request inspect-delay 30s tcp-request inspect-delay 30s
acl content_present req_len gt 0 acl content_present req.len gt 0
tcp-request content accept if content_present tcp-request content accept if content_present
tcp-request content reject tcp-request content reject
@ -15882,17 +15879,17 @@ be placed first. The pattern matching method must be one of the following :
For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
request, it is possible to do : request, it is possible to do :
acl jsess_present cook(JSESSIONID) -m found acl jsess_present req.cook(JSESSIONID) -m found
In order to apply a regular expression on the 500 first bytes of data in the In order to apply a regular expression on the 500 first bytes of data in the
buffer, one would use the following acl : buffer, one would use the following acl :
acl script_tag payload(0,500) -m reg -i <script> acl script_tag req.payload(0,500) -m reg -i <script>
On systems where the regex library is much slower when using "-i", it is On systems where the regex library is much slower when using "-i", it is
possible to convert the sample to lowercase before matching, like this : possible to convert the sample to lowercase before matching, like this :
acl script_tag payload(0,500),lower -m reg <script> acl script_tag req.payload(0,500),lower -m reg <script>
All ACL-specific criteria imply a default matching method. Most often, these All ACL-specific criteria imply a default matching method. Most often, these
criteria are composed by concatenating the name of the original sample fetch criteria are composed by concatenating the name of the original sample fetch
@ -15998,11 +15995,11 @@ Available operators for integer matching are :
For instance, the following ACL matches any negative Content-Length header : For instance, the following ACL matches any negative Content-Length header :
acl negative-length hdr_val(content-length) lt 0 acl negative-length req.hdr_val(content-length) lt 0
This one matches SSL versions between 3.0 and 3.1 (inclusive) : This one matches SSL versions between 3.0 and 3.1 (inclusive) :
acl sslv3 req_ssl_ver 3:3.1 acl sslv3 req.ssl_ver 3:3.1
7.1.3. Matching strings 7.1.3. Matching strings
@ -16070,7 +16067,7 @@ digits may be used upper or lower case.
Example : Example :
# match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a) # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
acl hello payload(0,6) -m bin 48656c6c6f0a acl hello req.payload(0,6) -m bin 48656c6c6f0a
7.1.6. Matching IPv4 and IPv6 addresses 7.1.6. Matching IPv4 and IPv6 addresses
@ -16141,7 +16138,7 @@ For instance, to block HTTP requests to the "*" URL with methods other than
requests with a content-length greater than 0, and finally every request which requests with a content-length greater than 0, and finally every request which
is not either GET/HEAD/POST/OPTIONS ! is not either GET/HEAD/POST/OPTIONS !
acl missing_cl hdr_cnt(Content-length) eq 0 acl missing_cl req.hdr_cnt(Content-length) eq 0
http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
http-request deny if METH_GET HTTP_CONTENT http-request deny if METH_GET HTTP_CONTENT
http-request deny unless METH_GET or METH_POST or METH_OPTIONS http-request deny unless METH_GET or METH_POST or METH_OPTIONS
@ -16166,12 +16163,12 @@ the braces must be seen as independent words). Example :
The following rule : The following rule :
acl missing_cl hdr_cnt(Content-length) eq 0 acl missing_cl req.hdr_cnt(Content-length) eq 0
http-request deny if METH_POST missing_cl http-request deny if METH_POST missing_cl
Can also be written that way : Can also be written that way :
http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 } http-request deny if METH_POST { req.hdr_cnt(Content-length) eq 0 }
It is generally not recommended to use this construct because it's a lot easier It is generally not recommended to use this construct because it's a lot easier
to leave errors in the configuration when written that way. However, for very to leave errors in the configuration when written that way. However, for very
@ -17799,7 +17796,7 @@ env(<name>) : string
http-request add-header Via 1.1\ %[env(HOSTNAME)] http-request add-header Via 1.1\ %[env(HOSTNAME)]
# reject cookie-less requests when the STOP environment variable is set # reject cookie-less requests when the STOP environment variable is set
http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found } http-request deny if !{ req.cook(SESSIONID) -m found } { env(STOP) -m found }
fe_conn([<frontend>]) : integer fe_conn([<frontend>]) : integer
Returns the number of currently established connections on the frontend, Returns the number of currently established connections on the frontend,
@ -19711,8 +19708,8 @@ req.payload(<offset>,<length>) : binary
with ACLs in order to check for the presence of some content in a buffer at with ACLs in order to check for the presence of some content in a buffer at
any location. any location.
ACL alternatives : ACL derivatives :
payload(<offset>,<length>) : hex binary match req.payload(<offset>,<length>) : hex binary match
req.payload_lv(<offset1>,<length>[,<offset2>]) : binary req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
This extracts a binary block whose size is specified at <offset1> for <length> This extracts a binary block whose size is specified at <offset1> for <length>
@ -19720,8 +19717,8 @@ req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
the request buffer. The <offset2> parameter also supports relative offsets if the request buffer. The <offset2> parameter also supports relative offsets if
prepended with a '+' or '-' sign. prepended with a '+' or '-' sign.
ACL alternatives : ACL derivatives :
payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match req.payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Example : please consult the example from the "stick store-response" keyword. Example : please consult the example from the "stick store-response" keyword.
@ -19759,7 +19756,7 @@ rdp_cookie([<name>]) : string (deprecated)
rdp-cookie". rdp-cookie".
ACL derivatives : ACL derivatives :
req_rdp_cookie([<name>]) : exact string match req.rdp_cookie([<name>]) : exact string match
Example : Example :
listen tse-farm listen tse-farm
@ -19778,7 +19775,7 @@ rdp_cookie([<name>]) : string (deprecated)
server srv1 1.1.1.2:3389 server srv1 1.1.1.2:3389
See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
"req_rdp_cookie" ACL. "req.rdp_cookie" ACL.
req.rdp_cookie_cnt([name]) : integer req.rdp_cookie_cnt([name]) : integer
rdp_cookie_cnt([name]) : integer (deprecated) rdp_cookie_cnt([name]) : integer (deprecated)
@ -19788,7 +19785,7 @@ rdp_cookie_cnt([name]) : integer (deprecated)
used in ACL. used in ACL.
ACL derivatives : ACL derivatives :
req_rdp_cookie_cnt([<name>]) : integer match req.rdp_cookie_cnt([<name>]) : integer match
req.ssl_alpn : string req.ssl_alpn : string
Returns a string containing the values of the Application-Layer Protocol Returns a string containing the values of the Application-Layer Protocol
@ -19802,7 +19799,7 @@ req.ssl_alpn : string
Examples : Examples :
# Wait for a client hello for at most 5 seconds # Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
use_backend bk_acme if { req.ssl_alpn acme-tls/1 } use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
default_backend bk_default default_backend bk_default
@ -19848,7 +19845,7 @@ req_ssl_sni : string (deprecated)
Examples : Examples :
# Wait for a client hello for at most 5 seconds # Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
use_backend bk_allow if { req.ssl_sni -f allowed_sites } use_backend bk_allow if { req.ssl_sni -f allowed_sites }
default_backend bk_sorry_page default_backend bk_sorry_page
@ -19876,7 +19873,7 @@ req_ssl_ver : integer (deprecated)
fetch is mostly used in ACL. fetch is mostly used in ACL.
ACL derivatives : ACL derivatives :
req_ssl_ver : decimal match req.ssl_ver : decimal match
res.len : integer res.len : integer
Returns an integer value corresponding to the number of bytes present in the Returns an integer value corresponding to the number of bytes present in the
@ -20071,14 +20068,14 @@ cook([<name>]) : string (deprecated)
presence. Use the res.cook() variant for response cookies sent by the server. presence. Use the res.cook() variant for response cookies sent by the server.
ACL derivatives : ACL derivatives :
cook([<name>]) : exact string match req.cook([<name>]) : exact string match
cook_beg([<name>]) : prefix match req.cook_beg([<name>]) : prefix match
cook_dir([<name>]) : subdir match req.cook_dir([<name>]) : subdir match
cook_dom([<name>]) : domain match req.cook_dom([<name>]) : domain match
cook_end([<name>]) : suffix match req.cook_end([<name>]) : suffix match
cook_len([<name>]) : length match req.cook_len([<name>]) : length match
cook_reg([<name>]) : regex match req.cook_reg([<name>]) : regex match
cook_sub([<name>]) : substring match req.cook_sub([<name>]) : substring match
req.cook_cnt([<name>]) : integer req.cook_cnt([<name>]) : integer
cook_cnt([<name>]) : integer (deprecated) cook_cnt([<name>]) : integer (deprecated)
@ -20331,7 +20328,7 @@ req_ver : string (deprecated)
check for versions 1.0 and 1.1. check for versions 1.0 and 1.1.
ACL derivatives : ACL derivatives :
req_ver : exact string match req.ver : exact string match
res.body : binary res.body : binary
This returns the HTTP response's available body as a block of data. Unlike This returns the HTTP response's available body as a block of data. Unlike
@ -20384,7 +20381,7 @@ scook([<name>]) : string (deprecated)
It may be used in tcp-check based expect rules. It may be used in tcp-check based expect rules.
ACL derivatives : ACL derivatives :
scook([<name>] : exact string match res.scook([<name>] : exact string match
res.cook_cnt([<name>]) : integer res.cook_cnt([<name>]) : integer
scook_cnt([<name>]) : integer (deprecated) scook_cnt([<name>]) : integer (deprecated)
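Review bot: "res.scook([<name>] : exact string match" does not match the fetch family it documents: the hunk header names the deprecated form "scook", and the non-deprecated counter directly below is "res.cook_cnt", so the ACL derivative should read "res.cook([<name>])". The missing closing parenthesis after "[<name>]" is also carried over from the old line; since the line is being rewritten anyway, fix it here.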
@ -20433,14 +20430,14 @@ shdr([<name>[,<occ>]]) : string (deprecated)
It may be used in tcp-check based expect rules. It may be used in tcp-check based expect rules.
ACL derivatives : ACL derivatives :
shdr([<name>[,<occ>]]) : exact string match res.hdr([<name>[,<occ>]]) : exact string match
shdr_beg([<name>[,<occ>]]) : prefix match res.hdr_beg([<name>[,<occ>]]) : prefix match
shdr_dir([<name>[,<occ>]]) : subdir match res.hdr_dir([<name>[,<occ>]]) : subdir match
shdr_dom([<name>[,<occ>]]) : domain match res.hdr_dom([<name>[,<occ>]]) : domain match
shdr_end([<name>[,<occ>]]) : suffix match res.hdr_end([<name>[,<occ>]]) : suffix match
shdr_len([<name>[,<occ>]]) : length match res.hdr_len([<name>[,<occ>]]) : length match
shdr_reg([<name>[,<occ>]]) : regex match res.hdr_reg([<name>[,<occ>]]) : regex match
shdr_sub([<name>[,<occ>]]) : substring match res.hdr_sub([<name>[,<occ>]]) : substring match
res.hdr_cnt([<name>]) : integer res.hdr_cnt([<name>]) : integer
shdr_cnt([<name>]) : integer (deprecated) shdr_cnt([<name>]) : integer (deprecated)
@ -20508,7 +20505,7 @@ resp_ver : string (deprecated)
It may be used in tcp-check based expect rules. It may be used in tcp-check based expect rules.
ACL derivatives : ACL derivatives :
resp_ver : exact string match resp.ver : exact string match
set-cookie([<name>]) : string (deprecated) set-cookie([<name>]) : string (deprecated)
This extracts the last occurrence of the cookie name <name> on a "Set-Cookie" This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
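Review bot: "resp.ver : exact string match" introduces a "resp." prefix that no other non-deprecated response-side keyword in this patch uses; the hunk header shows "resp_ver" as the deprecated form, and the rest of the patch maps response-side names to "res." (res.hdr, res.hdr_cnt, res.cook_cnt, res.len), so the ACL derivative should be "res.ver". Please check the fetch's own entry to confirm before merging.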