[DOC] tcp-response content and inspect

This commit is contained in:
Emeric Brun 2010-09-24 15:34:53 +02:00 committed by Willy Tarreau
parent 97679e7901
commit 0a3b67fbd4

View File

@ -996,6 +996,8 @@ stick-table - - X X
tcp-request connection - X X -
tcp-request content - X X X
tcp-request inspect-delay - X X X
tcp-response content - - X X
tcp-response inspect-delay - - X X
timeout check X - X X
timeout client X X X -
timeout clitimeout (deprecated) X X X -
@ -5839,6 +5841,68 @@ tcp-request inspect-delay <timeout>
"timeout client".
tcp-response content <action> [{if | unless} <condition>]
Perform an action on a session response depending on a layer 4-7 condition
May be used in sections : defaults | frontend | listen | backend
no | no | yes | yes
Arguments :
<action> defines the action to perform if the condition applies. Valid
actions include : "accept", "reject".
See "tcp-request connection" above for their signification.
<condition> is a standard layer 4-7 ACL-based condition (see section 7).
Response contents can be analysed at an early stage of response processing
called "TCP content inspection". During this stage, ACL-based rules are
evaluated every time the response contents are updated, until either an
"accept" or a "reject" rule matches, or a TCP response inspection delay is
set and expires with no matching rule.
Most often, these decisions will consider a protocol recognition or validity.
Content-based rules are evaluated in their exact declaration order. If no
rule matches or if there is no rule, the default action is to accept the
contents. There is no specific limit to the number of rules which may be
inserted.
Two types of actions are supported :
- accept :
accepts the response if the condition is true (when used with "if")
or false (when used with "unless"). The first such rule executed ends
the rules evaluation.
- reject :
rejects the response if the condition is true (when used with "if")
or false (when used with "unless"). The first such rule executed ends
the rules evaluation. Rejected session are immediatly closed.
Note that the "if/unless" condition is optional. If no condition is set on
the action, it is simply performed unconditionally. That can be useful for
for changing the default action to a reject.
It is perfectly possible to match layer 7 contents with "tcp-reponse content"
rules, but then it is important to ensure that a full response has been
buffered, otherwise no contents will match. In order to achieve this, the
best solution involves detecting the HTTP protocol during the inspection
period.
See section 7 about ACL usage.
See also : "tcp-request content", "tcp-response inspect-delay"
tcp-response inspect-delay <timeout>
Set the maximum allowed time to wait for a response during content inspection
May be used in sections : defaults | frontend | listen | backend
no | no | yes | yes
Arguments :
<timeout> is the timeout value specified in milliseconds by default, but
can be in any other unit if the number is suffixed by the unit,
as explained at the top of this document.
See also : "tcp-response content", "tcp-request inspect-delay".
timeout check <timeout>
Set additional check timeout, but only after a connection has been already
established.