A TCP/HTTP action can stop the rules evaluation. However, it should be
applied on the current section only. For instance, for http-requests rules,
an "allow" on a frontend must stop evaluation of rules defined in this
frontend. But the backend rules, if any, must still be evaluated.
For http-response rulesets, according the configuration manual, the same
must be true. Only "allow" action is concerned. However, since the
beginning, this action stops evaluation of all remaining rules, not only
those of the current section.
This patch may be backported to all supported versions. But it is not so
critical because the bug exists since a while. I doubt it will break any
existing configuration because the current behavior is
counterintuitive.
(cherry picked from commit
46f46df300b5258f05e3bcf72e409f8629e8b63f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
b4c4a977eb8be158f6735b53861d2530e4ad41b5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
http-response set-header sl1-crc "%[res.fhdr(sl1),crc32]"
http-response set-header sl2-crc "%[res.fhdr(sl2),crc32]"
http-response set-header hdr-crc "%[res.fhdr(hdr),crc32]"
+ http-response allow
+ http-response deny # must not be evaluated
server s1 ${s1_addr}:${s1_port}
} -start
cur_proxy = s->be;
while (1) {
/* evaluate http-response rules */
- if (ret == HTTP_RULE_RES_CONT) {
+ if (ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP) {
ret = http_res_get_intercept_rule(cur_proxy, &cur_proxy->http_res_rules, s);
switch (ret) {
projects / haproxy-2.3.git / commitdiff