From: Willy Tarreau
Date: Fri, 6 Jan 2017 11:21:38 +0000 (+0100)
Subject: BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
X-Git-Tag: v1.8-dev1~178
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c18346c0f18e8ac470bd0cb40b1b895e9345e26;p=thirdparty%2Fhaproxy.git

BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options

http-reuse should normally not be used in conjunction with the proxy protocol or with "usesrc clientip". While there's nothing fundamentally wrong with this, whenever these options are used, the server expects the IP address to be the source address for all requests, which doesn't make sense with http-reuse.
---
diff --git a/src/cfgparse.c b/src/cfgparse.c
index bf43b2cfbe..8e42163ce8 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8545,6 +8545,25 @@ out_uri_auth_compat:
 err_code |= ERR_WARN;
 }
 #endif
+
+ if ((curproxy->options & PR_O_REUSE_MASK) != PR_O_REUSE_NEVR) {
+ if ((curproxy->conn_src.opts & CO_SRC_TPROXY_MASK) == CO_SRC_TPROXY_CLI ||
+ (curproxy->conn_src.opts & CO_SRC_TPROXY_MASK) == CO_SRC_TPROXY_CIP ||
+ (newsrv->conn_src.opts & CO_SRC_TPROXY_MASK) == CO_SRC_TPROXY_CLI ||
+ (newsrv->conn_src.opts & CO_SRC_TPROXY_MASK) == CO_SRC_TPROXY_CIP) {
+ Warning("config : %s '%s' : connections to server '%s' use the client's IP address as the source while http-reuse is enabled and allows the same connection to be shared between multiple clients. It is strongly advised to disable 'usesrc' and to use the 'forwardfor' option instead.\n",
+ proxy_type_str(curproxy), curproxy->id, newsrv->id);
+ err_code |= ERR_WARN;
+ }
+
+
+ if (newsrv->pp_opts & (SRV_PP_V1|SRV_PP_V2)) {
+ Warning("config : %s '%s' : connections to server '%s' will have a PROXY protocol header announcing the first client's IP address while http-reuse is enabled and allows the same connection to be shared between multiple clients. It is strongly advised to disable 'send-proxy' and to use the 'forwardfor' option instead.\n",
+ proxy_type_str(curproxy), curproxy->id, newsrv->id);
+ err_code |= ERR_WARN;
+ }
+ }
+
 newsrv = newsrv->next;
 }
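Review bot: The `usesrc` test matches only `CO_SRC_TPROXY_CLI` and `CO_SRC_TPROXY_CIP`, so a source address taken from a request header (`CO_SRC_TPROXY_DYN`, not shown in this hunk) appears to pass without a warning although it is just as per-client. With http-reuse the backend would then attribute later requests on a shared connection to the wrong address, which matters for IP-based access rules and audit logs on the server side. Consider adding `(newsrv->conn_src.opts & CO_SRC_TPROXY_MASK) == CO_SRC_TPROXY_DYN` and the `curproxy` equivalent, or a comment stating why that mode is excluded. Separately, the two `curproxy->conn_src` comparisons do not depend on `newsrv`, so a proxy-level `usesrc` produces one warning per server, and presumably also for a server that overrides it with its own `source` line; testing the server's options first and falling back to the proxy's would avoid that. The enclosing server loop starts outside the hunk.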