From 0a3b67fbd4ea955e09dcdbda8ddab4acc49c65b1 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Fri, 24 Sep 2010 15:34:53 +0200 Subject: [PATCH] [DOC] tcp-response content and inspect --- doc/configuration.txt | 64 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index a05644d75..d42933962 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -996,6 +996,8 @@ stick-table - - X X tcp-request connection - X X - tcp-request content - X X X tcp-request inspect-delay - X X X +tcp-response content - - X X +tcp-response inspect-delay - - X X timeout check X - X X timeout client X X X - timeout clitimeout (deprecated) X X X - 
@@ -5839,6 +5841,68 @@ tcp-request inspect-delay "timeout client". +tcp-response content [{if | unless} ] + Perform an action on a session response depending on a layer 4-7 condition + May be used in sections : defaults | frontend | listen | backend + no | no | yes | yes + Arguments : + defines the action to perform if the condition applies. Valid + actions include : "accept", "reject". + See "tcp-request connection" above for their signification. + + is a standard layer 4-7 ACL-based condition (see section 7). + + Response contents can be analysed at an early stage of response processing + called "TCP content inspection". During this stage, ACL-based rules are + evaluated every time the response contents are updated, until either an + "accept" or a "reject" rule matches, or a TCP response inspection delay is + set and expires with no matching rule. + + Most often, these decisions will consider a protocol recognition or validity. + + Content-based rules are evaluated in their exact declaration order. If no + rule matches or if there is no rule, the default action is to accept the + contents. There is no specific limit to the number of rules which may be + inserted. + + Two types of actions are supported : + - accept : + accepts the response if the condition is true (when used with "if") + or false (when used with "unless"). The first such rule executed ends + the rules evaluation. + + - reject : + rejects the response if the condition is true (when used with "if") + or false (when used with "unless"). The first such rule executed ends + the rules evaluation. Rejected session are immediatly closed. + + Note that the "if/unless" condition is optional. If no condition is set on + the action, it is simply performed unconditionally. That can be useful for + for changing the default action to a reject. 
+ + It is perfectly possible to match layer 7 contents with "tcp-reponse content" + rules, but then it is important to ensure that a full response has been + buffered, otherwise no contents will match. In order to achieve this, the + best solution involves detecting the HTTP protocol during the inspection + period. + + See section 7 about ACL usage. + + See also : "tcp-request content", "tcp-response inspect-delay" + + +tcp-response inspect-delay + Set the maximum allowed time to wait for a response during content inspection + May be used in sections : defaults | frontend | listen | backend + no | no | yes | yes + Arguments : + is the timeout value specified in milliseconds by default, but + can be in any other unit if the number is suffixed by the unit, + as explained at the top of this document. + + See also : "tcp-response content", "tcp-request inspect-delay". + + timeout check Set additional check timeout, but only after a connection has been already established.
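Review bot: the two new matrix rows in the first hunk (`tcp-response content - - X X` and `tcp-response inspect-delay - - X X`) agree with the `no | no | yes | yes` section-applicability lines given in the keyword descriptions, and they are slotted alphabetically between `tcp-request inspect-delay` and `timeout check`, which is right; since this table is fixed-width text, please confirm the dash and X columns of both rows line up with the neighbouring `tcp-request` rows in the actual file before merging.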
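Review bot: the second hunk carries several typos that will go straight into the manual: "tcp-reponse content" (missing s) in the paragraph about matching layer 7 contents, "immediatly" and "Rejected session are" (should be "sessions") in the reject bullet, and "useful for for changing" in the note about unconditional actions. The usage line also reads `tcp-response content [{if | unless} ]` and the Arguments list opens with "defines the action to perform" and "is a standard layer 4-7 ACL-based condition" with no placeholder names in front of them; if that is how the patch reads rather than a rendering artifact, the action and condition placeholders used in the `tcp-request content` entry should be restored so the text has something to refer to. Minor: "signification" in "See "tcp-request connection" above for their signification" reads better as "meaning", and the `See also` line of `tcp-response content` lacks the trailing period the `tcp-response inspect-delay` entry has.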