connection limit enforcement, because a DENY filter was matched,
because of a security check which detected and blocked a dangerous
error in server response which might have caused information leak
- (eg: cacheable cookie), or because the response was processed by
- the proxy (redirect, stats, etc...).
+ (eg: cacheable cookie).
+
+ L : the session was locally processed by haproxy and was not passed to
+ a server. This is what happens for stats and redirects.
R : a resource on the proxy has been exhausted (memory, sockets, source
ports, ...). Usually, this appears during the connection phase, and
closer to the average reported "Tw" timer, in order not to consume
resources for just a few attackers.
+ LR The request was intercepted and locally handled by haproxy. Generally
+ it means that this was a redirect or a stats request.
+
SC The server or an equipment between it and haproxy explicitly refused
the TCP connection (the proxy received a TCP RST or an ICMP message
in return). Under some circumstances, it can also be the network
#define SN_TUNNEL 0x00000800 /* tunnel-mode session, nothing to catch after data */
/* session termination conditions, bits values 0x1000 to 0x7000 (0-9 shift 12) */
-#define SN_ERR_NONE 0x00000000
-#define SN_ERR_CLITO 0x00001000 /* client time-out */
-#define SN_ERR_CLICL 0x00002000 /* client closed (read/write error) */
-#define SN_ERR_SRVTO 0x00003000 /* server time-out, connect time-out */
-#define SN_ERR_SRVCL 0x00004000 /* server closed (connect/read/write error) */
-#define SN_ERR_PRXCOND 0x00005000 /* the proxy decided to close (deny...) */
-#define SN_ERR_RESOURCE 0x00006000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
-#define SN_ERR_INTERNAL 0x00007000 /* the proxy encountered an internal error */
-#define SN_ERR_DOWN 0x00008000 /* the proxy killed a session because the backend became unavailable */
-#define SN_ERR_KILLED 0x00009000 /* the proxy killed a session because it was asked to do so */
-#define SN_ERR_UP 0x0000a000 /* the proxy killed a session because a preferred backend became available */
-#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
-#define SN_ERR_SHIFT 12 /* bit shift */
+#define SN_ERR_NONE 0x00000000 /* normal end of request */
+#define SN_ERR_LOCAL 0x00001000 /* the proxy locally processed this request => not an error */
+#define SN_ERR_CLITO 0x00002000 /* client time-out */
+#define SN_ERR_CLICL 0x00003000 /* client closed (read/write error) */
+#define SN_ERR_SRVTO 0x00004000 /* server time-out, connect time-out */
+#define SN_ERR_SRVCL 0x00005000 /* server closed (connect/read/write error) */
+#define SN_ERR_PRXCOND 0x00006000 /* the proxy decided to close (deny...) */
+#define SN_ERR_RESOURCE 0x00007000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
+#define SN_ERR_INTERNAL 0x00008000 /* the proxy encountered an internal error */
+#define SN_ERR_DOWN 0x00009000 /* the proxy killed a session because the backend became unavailable */
+#define SN_ERR_KILLED 0x0000a000 /* the proxy killed a session because it was asked to do so */
+#define SN_ERR_UP 0x0000b000 /* the proxy killed a session because a preferred backend became available */
+#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
+#define SN_ERR_SHIFT 12 /* bit shift */
/* session state at termination, bits values 0x10000 to 0x70000 (0-7 shift 16) */
#define SN_FINST_R 0x00010000 /* session ended during client request */
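Review bot: The context comment above this block still describes the termination codes as `0x1000 to 0x7000 (0-9 shift 12)`, while the renumbered set now runs up to `SN_ERR_UP 0x0000b000`. It should read something like `/* session termination conditions, bits values 0x1000 to 0xb000 (0-11 shift 12) */`. Inserting SN_ERR_LOCAL at 0x1000 shifts every later code by one, so `sess_term_cond[]` has to be reordered in the same commit (it is), and anything that stored or compared the old raw values would now read them as a different condition. The new log filter also tests `> SN_ERR_LOCAL`, so a comment here should state that SN_ERR_LOCAL must remain the lowest non-zero code.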
"warning", "notice", "info", "debug"
};
-const char sess_term_cond[16] = "-cCsSPRIDKUIIIII"; /* normal, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
+const char sess_term_cond[16] = "-LcCsSPRIDKUIIII"; /* normal, Local, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
const char sess_fin_state[8] = "-RCHDLQT"; /* cliRequest, srvConnect, srvHeader, Data, Last, Queue, Tarpit */
int size, err, level;
/* if we don't want to log normal traffic, return now */
- err = (s->flags & (SN_ERR_MASK | SN_REDISP)) ||
- (s->req->cons->conn_retries != s->be->conn_retries) ||
- ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
+ err = (s->flags & SN_REDISP) ||
+ ((s->flags & SN_ERR_MASK) > SN_ERR_LOCAL) ||
+ (((s->flags & SN_ERR_MASK) == SN_ERR_NONE) &&
+ (s->req->cons->conn_retries != s->be->conn_retries)) ||
+ ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
if (!err && (s->fe->options2 & PR_O2_NOLOGNORM))
return;
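Review bot: Locally handled sessions (stats and redirects, per the documentation hunk for `L`) disappear from the log when PR_O2_NOLOGNORM is set, because the filter now counts only codes above SN_ERR_LOCAL as errors. The call sites changed later in this commit previously tagged those sessions SN_ERR_PRXCOND, which kept them logged. Operators who audit access to the stats page lose that record unless the status is >= 500, so the documentation for the no-log-normal option should say so. The `> SN_ERR_LOCAL` test also depends on the numeric order of the codes; `(s->flags & SN_ERR_MASK) != SN_ERR_NONE && (s->flags & SN_ERR_MASK) != SN_ERR_LOCAL` expresses the same condition without that dependency. The function body starts and ends outside the hunk.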
si->state = SI_ST_CLO;
/* send the message */
- http_server_error(s, si, SN_ERR_PRXCOND, SN_FINST_C, 302, &trash);
+ http_server_error(s, si, SN_ERR_LOCAL, SN_FINST_C, 302, &trash);
/* FIXME: we should increase a counter of redirects per server and per backend. */
srv_inc_sess_ctr(srv);
/* we fail this request, let's return 503 service unavail */
txn->status = 503;
stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_503));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
goto return_prx_cond;
}
}
/* nothing to fail, let's reply normaly */
txn->status = 200;
stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_200));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
goto return_prx_cond;
}
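Review bot: The monitor-fail branch sets SN_ERR_LOCAL with the comment `we don't want a real error here`, but it also sets `txn->status = 503`. The log filter still treats `s->txn.status >= 500` as an error in HTTP mode, so this response continues to count as an error there. If that is intended, the comment should say so, e.g. `/* locally generated; still logged as an error because status is 503 */`. The same two-line guard-and-set is repeated for the 200 case and in the later hunks that replace SN_ERR_PRXCOND, so a small `static inline` helper would keep those sites in step. The enclosing function starts and ends outside the hunk.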
s->fe->fe_counters.intercepted_req++;
if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;
req->analysers = 0;
s->fe->fe_counters.intercepted_req++;
if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;
}
if (!(s->flags & SN_ERR_MASK))
- s->flags |= SN_ERR_PRXCOND;
+ s->flags |= SN_ERR_LOCAL;
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;