[MINOR] acl: add HTTP protocol detection (req_proto_http)

Now that we can perform TCP-based content switching, it makes sense
to be able to detect HTTP traffic and act accordingly. We already
have an HTTP decoder, we just have to call it in order to detect HTTP
protocol. Note that since the decoder will automatically fill in the
interesting fields of the HTTP transaction, it would make sense to
use this parsing to extend HTTP matching to TCP.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index bcd7c27fa1a3926cc03c456ccca5f1e4d17c598f..6f267be58d13931dbbbeb3d352d5653ad168dd4b 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4822,6 +4822,13 @@ req_len <integer>
   return false only when haproxy is certain that no more data will come in.
   This test was designed to be used with TCP request content inspection.
 
+req_proto_http
+  Returns true when data in the request buffer look like HTTP and correctly
+  parses as such. It is the same parser as the common HTTP request parser which
+  is used so there should be no surprizes. This test can be used for instance
+  to direct HTTP traffic to a given port and HTTPS traffic to another one
+  using TCP request content inspection rules.
+
 req_ssl_ver <decimal>
   Returns true when data in the request buffer look like SSL, with a protocol
   version matching the specified range. Both SSLv2 hello messages and SSLv3
@@ -5027,6 +5034,7 @@ ACL name          Equivalent to                Usage
 TRUE             always_true                   always match
 FALSE            always_false                  never match
 LOCALHOST        src 127.0.0.1/8               match connection from local host
+HTTP             req_proto_http                match if protocol is valid HTTP
 HTTP_1.0         req_ver 1.0                   match HTTP version 1.0
 HTTP_1.1         req_ver 1.1                   match HTTP version 1.1
 METH_CONNECT     method  CONNECT               match HTTP CONNECT method

diff --git a/src/acl.c b/src/acl.c
index ed41e91ed07f3fc269aa4f89105423d850bf9210..a5f030238c2f4125db2426b3418970bb0c91dbdc 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -797,6 +797,7 @@ const struct {
        { .name = "TRUE",           .expr = {"always_true",""}},
        { .name = "FALSE",          .expr = {"always_false",""}},
        { .name = "LOCALHOST",      .expr = {"src","127.0.0.1/8",""}},
+       { .name = "HTTP",           .expr = {"req_proto_http",""}},
        { .name = "HTTP_1.0",       .expr = {"req_ver","1.0",""}},
        { .name = "HTTP_1.1",       .expr = {"req_ver","1.1",""}},
        { .name = "METH_CONNECT",   .expr = {"method","CONNECT",""}},

diff --git a/src/client.c b/src/client.c
index cfd41e0e41061469fc66902b6e32002d4e68571f..6210cdbe06ba603e2d64cf38ffd3723d40ace907 100644 (file)
--- a/src/client.c
+++ b/src/client.c
@@ -252,21 +252,23 @@ int event_accept(int fd) {
                txn->hdr_idx.v = NULL;
                txn->hdr_idx.size = txn->hdr_idx.used = 0;
 
-               if (p->mode == PR_MODE_HTTP) {
-                       txn->status = -1;
-                       txn->req.hdr_content_len = 0LL;
-                       txn->rsp.hdr_content_len = 0LL;
-                       txn->req.msg_state = HTTP_MSG_RQBEFORE; /* at the very beginning of the request */
-                       txn->rsp.msg_state = HTTP_MSG_RPBEFORE; /* at the very beginning of the response */
-                       txn->req.sol = txn->req.eol = NULL;
-                       txn->req.som = txn->req.eoh = 0; /* relative to the buffer */
-                       txn->rsp.sol = txn->rsp.eol = NULL;
-                       txn->rsp.som = txn->rsp.eoh = 0; /* relative to the buffer */
-                       txn->req.err_pos = txn->rsp.err_pos = -2; /* block buggy requests/responses */
-                       if (p->options2 & PR_O2_REQBUG_OK)
-                               txn->req.err_pos = -1; /* let buggy requests pass */
-                       txn->auth_hdr.len = -1;
+               /* we always initialize the HTTP structure because we may use it later */
+               txn->status = -1;
+               txn->req.hdr_content_len = 0LL;
+               txn->rsp.hdr_content_len = 0LL;
+               txn->req.msg_state = HTTP_MSG_RQBEFORE; /* at the very beginning of the request */
+               txn->rsp.msg_state = HTTP_MSG_RPBEFORE; /* at the very beginning of the response */
+               txn->req.sol = txn->req.eol = NULL;
+               txn->req.som = txn->req.eoh = 0; /* relative to the buffer */
+               txn->rsp.sol = txn->rsp.eol = NULL;
+               txn->rsp.som = txn->rsp.eoh = 0; /* relative to the buffer */
+               txn->req.err_pos = txn->rsp.err_pos = -2; /* block buggy requests/responses */
+               txn->auth_hdr.len = -1;
+               if (p->options2 & PR_O2_REQBUG_OK)
+                       txn->req.err_pos = -1; /* let buggy requests pass */
 
+               if (p->mode == PR_MODE_HTTP) {
+                       /* the captures are only used in HTTP frontends */
                        if (p->nb_req_cap > 0) {
                                if ((txn->req.cap = pool_alloc2(p->req_cap_pool)) == NULL)
                                        goto out_fail_reqcap;   /* no memory */
@@ -274,7 +276,6 @@ int event_accept(int fd) {
                                memset(txn->req.cap, 0, p->nb_req_cap*sizeof(char *));
                        }
 
-
                        if (p->nb_rsp_cap > 0) {
                                if ((txn->rsp.cap = pool_alloc2(p->rsp_cap_pool)) == NULL)
                                        goto out_fail_rspcap;   /* no memory */

diff --git a/src/proto_http.c b/src/proto_http.c
index 64e93d3eed5a229cd9660be41e47ed3b0a60d756..be31c488017f849daaf36450c8f027c62b34b9e5 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1498,6 +1498,46 @@ void http_msg_analyzer(struct buffer *buf, struct http_msg *msg, struct hdr_idx
        return;
 }
 
+/* convert an HTTP/0.9 request into an HTTP/1.0 request. Returns 1 if the
+ * conversion succeeded, 0 in case of error. If the request was already 1.X,
+ * nothing is done and 1 is returned.
+ */
+static int http_upgrade_v09_to_v10(struct buffer *req, struct http_msg *msg, struct http_txn *txn)
+{
+       int delta;
+       char *cur_end;
+
+       if (msg->sl.rq.v_l != 0)
+               return 1;
+
+       msg->sol = req->data + msg->som;
+       cur_end = msg->sol + msg->sl.rq.l;
+       delta = 0;
+
+       if (msg->sl.rq.u_l == 0) {
+               /* if no URI was set, add "/" */
+               delta = buffer_replace2(req, cur_end, cur_end, " /", 2);
+               cur_end += delta;
+               msg->eoh += delta;
+       }
+       /* add HTTP version */
+       delta = buffer_replace2(req, cur_end, cur_end, " HTTP/1.0\r\n", 11);
+       msg->eoh += delta;
+       cur_end += delta;
+       cur_end = (char *)http_parse_reqline(msg, req->data,
+                                            HTTP_MSG_RQMETH,
+                                            msg->sol, cur_end + 1,
+                                            NULL, NULL);
+       if (unlikely(!cur_end))
+               return 0;
+
+       /* we have a full HTTP/1.0 request now and we know that
+        * we have either a CR or an LF at <ptr>.
+        */
+       hdr_idx_set_start(&txn->hdr_idx, msg->sl.rq.l, *cur_end == '\r');
+       return 1;
+}
+
 /* This stream analyser waits for a complete HTTP request. It returns 1 if the
  * processing can continue on next analysers, or zero if it either needs more
  * data or wants to immediately abort the request (eg: timeout, error, ...). It
@@ -1739,36 +1779,8 @@ int http_wait_for_request(struct session *s, struct buffer *req, int an_bit)
        }
 
        /* 4. We may have to convert HTTP/0.9 requests to HTTP/1.0 */
-       if (unlikely(msg->sl.rq.v_l == 0)) {
-               int delta;
-               char *cur_end;
-               msg->sol = req->data + msg->som;
-               cur_end = msg->sol + msg->sl.rq.l;
-               delta = 0;
-
-               if (msg->sl.rq.u_l == 0) {
-                       /* if no URI was set, add "/" */
-                       delta = buffer_replace2(req, cur_end, cur_end, " /", 2);
-                       cur_end += delta;
-                       msg->eoh += delta;
-               }
-               /* add HTTP version */
-               delta = buffer_replace2(req, cur_end, cur_end, " HTTP/1.0\r\n", 11);
-               msg->eoh += delta;
-               cur_end += delta;
-               cur_end = (char *)http_parse_reqline(msg, req->data,
-                                                    HTTP_MSG_RQMETH,
-                                                    msg->sol, cur_end + 1,
-                                                    NULL, NULL);
-               if (unlikely(!cur_end))
-                       goto return_bad_req;
-
-               /* we have a full HTTP/1.0 request now and we know that
-                * we have either a CR or an LF at <ptr>.
-                */
-               hdr_idx_set_start(&txn->hdr_idx, msg->sl.rq.l, *cur_end == '\r');
-       }
-
+       if (unlikely(msg->sl.rq.v_l == 0) && !http_upgrade_v09_to_v10(req, msg, txn))
+               goto return_bad_req;
 
        /* 5: we may need to capture headers */
        if (unlikely((s->logs.logwait & LW_REQHDR) && s->fe->req_cap))
@@ -4900,6 +4912,57 @@ acl_fetch_path(struct proxy *px, struct session *l4, void *l7, int dir,
        return 1;
 }
 
+static int
+acl_fetch_proto_http(struct proxy *px, struct session *s, void *l7, int dir,
+                    struct acl_expr *expr, struct acl_test *test)
+{
+       struct buffer *req = s->req;
+       struct http_txn *txn = &s->txn;
+       struct http_msg *msg = &txn->req;
+
+       /* Note: hdr_idx.v cannot be NULL in this ACL because the ACL is tagged
+        * as a layer7 ACL, which involves automatic allocation of hdr_idx.
+        */
+
+       if (!s || !req)
+               return 0;
+
+       if (unlikely(msg->msg_state == HTTP_MSG_BODY)) {
+               /* Already decoded as OK */
+               test->flags |= ACL_TEST_F_SET_RES_PASS;
+               return 1;
+       }
+
+       /* Try to decode HTTP request */
+       if (likely(req->lr < req->r))
+               http_msg_analyzer(req, msg, &txn->hdr_idx);
+
+       if (unlikely(msg->msg_state != HTTP_MSG_BODY)) {
+               if ((msg->msg_state == HTTP_MSG_ERROR) || (req->flags & BF_FULL)) {
+                       test->flags |= ACL_TEST_F_SET_RES_FAIL;
+                       return 1;
+               }
+               /* wait for final state */
+               test->flags |= ACL_TEST_F_MAY_CHANGE;
+               return 0;
+       }
+
+       /* OK we got a valid HTTP request. We have some minor preparation to
+        * perform so that further checks can rely on HTTP tests.
+        */
+       msg->sol = req->data + msg->som;
+       txn->meth = find_http_meth(&req->data[msg->som], msg->sl.rq.m_l);
+       if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)
+               s->flags |= SN_REDIRECTABLE;
+
+       if (unlikely(msg->sl.rq.v_l == 0) && !http_upgrade_v09_to_v10(req, msg, txn)) {
+               test->flags |= ACL_TEST_F_SET_RES_FAIL;
+               return 1;
+       }
+
+       test->flags |= ACL_TEST_F_SET_RES_PASS;
+       return 1;
+}
 
 
 /************************************************************************/
@@ -4908,6 +4971,8 @@ acl_fetch_path(struct proxy *px, struct session *l4, void *l7, int dir,
 
 /* Note: must not be declared <const> as its list will be overwritten */
 static struct acl_kw_list acl_kws = {{ },{
+       { "req_proto_http", acl_parse_nothing, acl_fetch_proto_http, acl_match_nothing, ACL_USE_L7REQ_PERMANENT },
+
        { "method",     acl_parse_meth,  acl_fetch_meth,   acl_match_meth, ACL_USE_L7REQ_PERMANENT },
        { "req_ver",    acl_parse_ver,   acl_fetch_rqver,  acl_match_str,  ACL_USE_L7REQ_VOLATILE  },
        { "resp_ver",   acl_parse_ver,   acl_fetch_stver,  acl_match_str,  ACL_USE_L7RTR_VOLATILE  },