From: Willy Tarreau Date: Thu, 17 Jan 2008 18:01:39 +0000 (+0100) Subject: [DOC] document all req* and rsp* keywords. X-Git-Tag: v1.3.15~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=303c035725bdc1b0cbb5b8c1c29f84b19988bb15;p=thirdparty%2Fhaproxy.git [DOC] document all req* and rsp* keywords. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 2d6081c55d..84ebc0e0ef 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -2238,6 +2238,350 @@ redispatch (deprecated) See also : "option redispatch" +reqadd + Add a header at the end of the HTTP request + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the complete line to be added. Any space or known delimiter + must be escaped using a backslash ('\'). Please refer to section + 2.6 about HTTP header manipulation for more information. + + A new line consisting in followed by a line feed will be added after + the last header of an HTTP request. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. + + See also: "rspadd" and section 2.6 about HTTP header manipulation + + +reqallow +reqiallow (ignore case) + Definitely allow an HTTP request if a line matches a regular expression + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The + "reqallow" keyword strictly matches case while "reqiallow" + ignores case. + + A request containing any line which matches extended regular expression + will mark the request as allowed, even if any later test would + result in a deny. The test applies both to the request line and to request + headers. Keep in mind that URLs in request line are case-sensitive while + header names are not. + + It is easier, faster and more powerful to use ACLs to write access policies. + Reqdeny, reqallow and reqpass should be avoided in new designs. + + Example : + # allow www.* but refuse *.local + reqiallow ^Host:\ www\. 
+ reqideny ^Host:\ .*\.local + + See also: "reqdeny", "acl", "block" and section 2.6 about HTTP header + manipulation + + +reqdel +reqidel (ignore case) + Delete all headers matching a regular expression in an HTTP request + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The "reqdel" + keyword strictly matches case while "reqidel" ignores case. + + Any header line matching extended regular expression in the request + will be completely deleted. Most common use of this is to remove unwanted + and/or dangerous headers or cookies from a request before passing it to the + next servers. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. Keep in mind that header names are not case-sensitive. + + Example : + # remove X-Forwarded-For header and SERVER cookie + reqidel ^X-Forwarded-For:.* + reqidel ^Cookie:.*SERVER= + + See also: "reqadd", "reqrep", "rspdel" and section 2.6 about HTTP header + manipulation + + +reqdeny +reqideny (ignore case) + Deny an HTTP request if a line matches a regular expression + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The + "reqdeny" keyword strictly matches case while "reqideny" ignores + case. 
+ + A request containing any line which matches extended regular expression + will mark the request as denied, even if any later test would + result in an allow. The test applies both to the request line and to request + headers. Keep in mind that URLs in request line are case-sensitive while + header names are not. + + It is easier, faster and more powerful to use ACLs to write access policies. + Reqdeny, reqallow and reqpass should be avoided in new designs. + + Example : + # refuse *.local, then allow www.* + reqideny ^Host:\ .*\.local + reqiallow ^Host:\ www\. + + See also: "reqallow", "rspdeny", "acl", "block" and section 2.6 about HTTP + header manipulation + + +reqpass +reqipass (ignore case) + Ignore any HTTP request line matching a regular expression in next rules + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The + "reqpass" keyword strictly matches case while "reqipass" ignores + case. + + A request containing any line which matches extended regular expression + will skip next rules, without assigning any deny or allow verdict. + The test applies both to the request line and to request headers. Keep in + mind that URLs in request line are case-sensitive while header names are not. + + It is easier, faster and more powerful to use ACLs to write access policies. + Reqdeny, reqallow and reqpass should be avoided in new designs. + + Example : + # refuse *.local, then allow www.*, but ignore "www.private.local" + reqipass ^Host:\ www.private\.local + reqideny ^Host:\ .*\.local + reqiallow ^Host:\ www\. 
+ + See also: "reqallow", "reqdeny", "acl", "block" and section 2.6 about HTTP + header manipulation + + +reqrep +reqirep (ignore case) + Replace a regular expression with a string in an HTTP request line + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The "reqrep" + keyword strictly matches case while "reqirep" ignores case. + + is the complete line to be added. Any space or known delimiter + must be escaped using a backslash ('\'). References to matched + pattern groups are possible using the common \N form, with N + being a single digit between 0 and 9. Please refer to section + 2.6 about HTTP header manipulation for more information. + + Any line matching extended regular expression in the request (both + the request line and header lines) will be completely replaced with . + Most common use of this is to rewrite URLs or domain names in "Host" headers. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. Note that for increased readability, it is suggested to add enough + spaces between the request and the response. Keep in mind that URLs in + request line are case-sensitive while header names are not. + + Example : + # replace "/static/" with "/" at the beginning of any request path. + reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2 + # replace "www.mydomain.com" with "www" in the host name. 
+ reqirep ^Host:\ www.mydomain.com Host:\ www + + See also: "reqadd", "reqdel", "rsprep" and section 2.6 about HTTP header + manipulation + + +reqtarpit +reqitarpit (ignore case) + Tarpit an HTTP request containing a line matching a regular expression + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + request line. This is an extended regular expression. Parenthesis + grouping is supported and no preliminary backslash is required. + Any space or known delimiter must be escaped using a backslash + ('\'). The pattern applies to a full line at a time. The + "reqtarpit" keyword strictly matches case while "reqitarpit" + ignores case. + + A request containing any line which matches extended regular expression + will be tarpitted, which means that it will connect to nowhere, will + be kept open for a pre-defined time, then will return an HTTP error 500. The + delay is defined by "timeout tarpit", or "timeout connect" if the former is + not set. + + The goal of the tarpit is to slow down robots attacking servers with + identifiable requests. Many robots limit their outgoing number of connections + and stay connected waiting for a reply which can take several minutes to + come. Depending on the environment and attack, it may be particularly + efficient at reducing the load on the network and firewalls. + + Example : + # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but + # block all others. + reqipass ^User-Agent:\.*(Mozilla|MSIE) + reqitarpit ^User-Agent: + + See also: "reqallow", "reqdeny", "reqpass", and section 2.6 about HTTP header + manipulation + + +rspadd + Add a header at the end of the HTTP response + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the complete line to be added. Any space or known delimiter + must be escaped using a backslash ('\'). 
Please refer to section + 2.6 about HTTP header manipulation for more information. + + A new line consisting in followed by a line feed will be added after + the last header of an HTTP response. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. + + See also: "reqadd" and section 2.6 about HTTP header manipulation + + +rspdel +rspidel (ignore case) + Delete all headers matching a regular expression in an HTTP response + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + response line. This is an extended regular expression, so + parenthesis grouping is supported and no preliminary backslash + is required. Any space or known delimiter must be escaped using + a backslash ('\'). The pattern applies to a full line at a time. + The "rspdel" keyword strictly matches case while "rspidel" + ignores case. + + Any header line matching extended regular expression in the response + will be completely deleted. Most common use of this is to remove unwanted + and/or sensible headers or cookies from a response before passing it to the + client. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. Keep in mind that header names are not case-sensitive. + + Example : + # remove the Server header from responses + reqidel ^Server:.* + + See also: "rspadd", "rsprep", "reqdel" and section 2.6 about HTTP header + manipulation + + +rspdeny +rspideny (ignore case) + Block an HTTP response if a line matches a regular expression + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + response line. 
This is an extended regular expression, so + parenthesis grouping is supported and no preliminary backslash + is required. Any space or known delimiter must be escaped using + a backslash ('\'). The pattern applies to a full line at a time. + The "rspdeny" keyword strictly matches case while "rspideny" + ignores case. + + A response containing any line which matches extended regular expression + will mark the request as denied. The test applies both to the + response line and to response headers. Keep in mind that header names are not + case-sensitive. + + Main use of this keyword is to prevent sensitive information leak and to + block the response before it reaches the client. If a response is denied, + it will be replaced with an HTTP 502 error so that the client never gets + the sensitive data. + + It is easier, faster and more powerful to use ACLs to write access policies. + Rspdeny should be avoided in new designs. + + Example : + # Ensure that no content type matching ms-word will leak + rspideny ^Content-type:\.*/ms-word + + See also: "reqdeny", "acl", "block" and section 2.6 about HTTP header + manipulation + + +rsprep +rspirep (ignore case) + Replace a regular expression with a string in an HTTP response line + May be used in sections : defaults | frontend | listen | backend + no | yes | yes | yes + Arguments : + is the regular expression applied to HTTP headers and to the + response line. This is an extended regular expression, so + parenthesis grouping is supported and no preliminary backslash + is required. Any space or known delimiter must be escaped using + a backslash ('\'). The pattern applies to a full line at a time. + The "rsprep" keyword strictly matches case while "rspirep" + ignores case. + + is the complete line to be added. Any space or known delimiter + must be escaped using a backslash ('\'). References to matched + pattern groups are possible using the common \N form, with N + being a single digit between 0 and 9. 
Please refer to section + 2.6 about HTTP header manipulation for more information. + + Any line matching extended regular expression in the response (both + the response line and header lines) will be completely replaced with + . Most common use of this is to rewrite Location headers. + + Header transformations only apply to traffic which passes through HAProxy, + and not to traffic generated by HAProxy, such as health-checks or error + responses. Note that for increased readability, it is suggested to add enough + spaces between the request and the response. Keep in mind that header names + are not case-sensitive. + + Example : + # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com" + rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com + + See also: "rspadd", "rspdel", "reqrep" and section 2.6 about HTTP header + manipulation + + server
[:port] [param*] Declare a server in a backend May be used in sections : defaults | frontend | listen | backend
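Review bot: The example under the new "rspdel" entry uses a request keyword, `reqidel ^Server:.*`, beneath the comment "remove the Server header from responses"; it should be `rspidel ^Server:.*`, otherwise anyone copying it filters the request and the Server header still reaches the client. In the same hunk, the "rspdeny" text says a matching response "will mark the request as denied", which should say the response, and "rspdel" says "sensible headers" where "sensitive" is meant. Two examples escape the dot before the star: read as extended regular expressions, `reqipass ^User-Agent:\.*(Mozilla|MSIE)` and `rspideny ^Content-type:\.*/ms-word` accept only literal dots after the colon, so the tarpit example would not exempt a "User-Agent: Mozilla" line and the rspdeny example would not catch an ms-word content type; `.*` looks like the intent. The "reqrep" and "rsprep" entries also suggest adding spaces "between the request and the response", which presumably means between the regular expression and the replacement string.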