RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-25 04:17:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

DOC: tcp-rules: Refresh details about L7 matching for tcp-request content rules

Browse Source 
Because the parsing of HTTP message is now performed in the HTTP multiplexers,
the content is immediatly available when "tcp-request content" rules are
evaluated for an HTTP frontend. So, it is a good idea to make the documentation
explicit on this point. In addition, because in all cases, the parsing is
already performed, there is no reason to still use "tcp-request content" rules
based on L7 matching, although it is still valid. The recommended way is to use
"http-request" rules instead. Again, it is a good idea to update the
documentation on this point.
This commit is contained in:
Christopher Faulet 2020-10-02 11:38:46 +02:00
parent 7cea6065ac
commit 7ea509e15f
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/configuration.txt
View File

@ -11305,13 +11305,16 @@ tcp-request content <action> [{if | unless} <condition>]
"track-sc*" actions as well as for changing the default action to a reject.
It is perfectly possible to match layer 7 contents with "tcp-request content"
rules, since HTTP-specific ACL matches are able to preliminarily parse the
contents of a buffer before extracting the required data. If the buffered
contents do not parse as a valid HTTP message, then the ACL does not match.
The parser which is involved there is exactly the same as for all other HTTP
processing, so there is no risk of parsing something differently. In an HTTP
backend connected to from an HTTP frontend, it is guaranteed that HTTP
contents will always be immediately present when the rule is evaluated first.
rules from a TCP proxy, since HTTP-specific ACL matches are able to
preliminarily parse the contents of a buffer before extracting the required
data. If the buffered contents do not parse as a valid HTTP message, then the
ACL does not match. The parser which is involved there is exactly the same
as for all other HTTP processing, so there is no risk of parsing something
differently. In an HTTP frontend or an HTTP backend, it is guaranteed that
HTTP contents will always be immediately present when the rule is evaluated
first because the HTTP parsing is performed in the early stages of the
connection processing, at the session level. But for such proxies, using
"http-request" rules is much more natural and recommended.
Tracking layer7 information is also possible provided that the information
are present when the rule is processed. The rule processing engine is able to