From: Willy Tarreau Date: Mon, 10 Jun 2013 14:42:09 +0000 (+0200) Subject: MINOR: log: add a new flag 'L' for locally processed requests X-Git-Tag: v1.5-dev19~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=570f221cbb57566a448d29647813f4f98b68ba53;p=thirdparty%2Fhaproxy.git MINOR: log: add a new flag 'L' for locally processed requests People who use "option dontlog-normal" are bothered with redirects and stats being logged and reported as errors in the logs ("PR" = proxy blocked the request). This patch introduces a new flag 'L' for when a request is locally processed, that is not considered as an error by the log filters. That way we know a request was intercepted and processed by haproxy without logging the line when "option dontlog-normal" is in effect. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 269c1299fa..bd55745e63 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -11651,8 +11651,10 @@ each of which has a special meaning : connection limit enforcement, because a DENY filter was matched, because of a security check which detected and blocked a dangerous error in server response which might have caused information leak - (eg: cacheable cookie), or because the response was processed by - the proxy (redirect, stats, etc...). + (eg: cacheable cookie). + + L : the session was locally processed by haproxy and was not passed to + a server. This is what happens for stats and redirects. R : a resource on the proxy has been exhausted (memory, sockets, source ports, ...). Usually, this appears during the connection phase, and 
@@ -11837,6 +11839,9 @@ easier finding and understanding. closer to the average reported "Tw" timer, in order not to consume resources for just a few attackers. + LR The request was intercepted and locally handled by haproxy. Generally + it means that this was a redirect or a stats request. + SC The server or an equipment between it and haproxy explicitly refused the TCP connection (the proxy received a TCP RST or an ICMP message in return). Under some circumstances, it can also be the network diff --git a/include/types/session.h b/include/types/session.h index 8fbca53a3b..b6bff5753f 100644 --- a/include/types/session.h +++ b/include/types/session.h 
@@ -60,19 +60,20 @@
 #define SN_TUNNEL 0x00000800 /* tunnel-mode session, nothing to catch after data */
 /* session termination conditions, bits values 0x1000 to 0x7000 (0-9 shift 12) */
-#define SN_ERR_NONE 0x00000000
-#define SN_ERR_CLITO 0x00001000 /* client time-out */
-#define SN_ERR_CLICL 0x00002000 /* client closed (read/write error) */
-#define SN_ERR_SRVTO 0x00003000 /* server time-out, connect time-out */
-#define SN_ERR_SRVCL 0x00004000 /* server closed (connect/read/write error) */
-#define SN_ERR_PRXCOND 0x00005000 /* the proxy decided to close (deny...) */
-#define SN_ERR_RESOURCE 0x00006000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
-#define SN_ERR_INTERNAL 0x00007000 /* the proxy encountered an internal error */
-#define SN_ERR_DOWN 0x00008000 /* the proxy killed a session because the backend became unavailable */
-#define SN_ERR_KILLED 0x00009000 /* the proxy killed a session because it was asked to do so */
-#define SN_ERR_UP 0x0000a000 /* the proxy killed a session because a preferred backend became available */
-#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
-#define SN_ERR_SHIFT 12 /* bit shift */
+#define SN_ERR_NONE 0x00000000 /* normal end of request */
+#define SN_ERR_LOCAL 0x00001000 /* the proxy locally processed this request => not an error */
+#define SN_ERR_CLITO 0x00002000 /* client time-out */
+#define SN_ERR_CLICL 0x00003000 /* client closed (read/write error) */
+#define SN_ERR_SRVTO 0x00004000 /* server time-out, connect time-out */
+#define SN_ERR_SRVCL 0x00005000 /* server closed (connect/read/write error) */
+#define SN_ERR_PRXCOND 0x00006000 /* the proxy decided to close (deny...) */
+#define SN_ERR_RESOURCE 0x00007000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
+#define SN_ERR_INTERNAL 0x00008000 /* the proxy encountered an internal error */
+#define SN_ERR_DOWN 0x00009000 /* the proxy killed a session because the backend became unavailable */
+#define SN_ERR_KILLED 0x0000a000 /* the proxy killed a session because it was asked to do so */
+#define SN_ERR_UP 0x0000b000 /* the proxy killed a session because a preferred backend became available */
+#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
+#define SN_ERR_SHIFT 12 /* bit shift */
 /* session state at termination, bits values 0x10000 to 0x70000 (0-7 shift 16) */
 #define SN_FINST_R 0x00010000 /* session ended during client request */
diff --git a/src/log.c b/src/log.c
index 020c3811d2..627351f357 100644
--- a/src/log.c
+++ b/src/log.c
@@ -54,7 +54,7 @@ const char *log_levels[NB_LOG_LEVELS] = {
 "warning", "notice", "info", "debug"
 };
-const char sess_term_cond[16] = "-cCsSPRIDKUIIIII"; /* normal, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
+const char sess_term_cond[16] = "-LcCsSPRIDKUIIII"; /* normal, Local, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
 const char sess_fin_state[8] = "-RCHDLQT"; /* cliRequest, srvConnect, srvHeader, Data, Last, Queue, Tarpit */
@@ -1516,9 +1516,11 @@ void sess_log(struct session *s)
 int size, err, level;
 /* if we don't want to log normal traffic, return now */
- err = (s->flags & (SN_ERR_MASK | SN_REDISP)) ||
- (s->req->cons->conn_retries != s->be->conn_retries) ||
- ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
+ err = (s->flags & SN_REDISP) ||
+ ((s->flags & SN_ERR_MASK) > SN_ERR_LOCAL) ||
+ (((s->flags & SN_ERR_MASK) == SN_ERR_NONE) &&
+ (s->req->cons->conn_retries != s->be->conn_retries)) ||
+ ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
 if (!err && (s->fe->options2 & PR_O2_NOLOGNORM))
 return;
diff --git a/src/proto_http.c b/src/proto_http.c
index d4e93e592a..c6ead3b312 100644
--- a/src/proto_http.c
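Review bot: The context comment above the list still reads `bits values 0x1000 to 0x7000 (0-9 shift 12)`, which was already out of date and is further off now that the codes run up to 0x0000b000; it should become `/* session termination conditions, bits values 0x1000 to 0xb000 (0-11 shift 12) */`. Inserting SN_ERR_LOCAL at 0x00001000 shifts every existing code by one, and the `sess_term_cond` string in src/log.c appears to be indexed by these codes, so the two lists have to change together, as this commit does. A short comment next to SN_ERR_NONE stating that coupling would help whoever adds the next code. Any other consumer of the raw numeric values, not visible in this diff, would need the same update.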
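Review bot: The new test `(s->flags & SN_ERR_MASK) > SN_ERR_LOCAL` in sess_log makes the log/no-log decision depend on the numeric order of the termination codes, and nothing at this site says so; I would add `/* SN_ERR_NONE and SN_ERR_LOCAL are the only non-error codes and must remain the two lowest values */` above the expression. With PR_O2_NOLOGNORM set, a session flagged SN_ERR_LOCAL now returns before any line is written unless another term of the expression holds (SN_REDISP, or a 5xx status in HTTP mode). The stats and redirect requests flagged in src/proto_http.c therefore leave no record, which matters to operators who use these logs to audit access to the stats page; the `option dontlog-normal` documentation is the place to state it. sess_log's body continues outside the hunk.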
+++ b/src/proto_http.c
@@ -830,7 +830,7 @@ void http_perform_server_redirect(struct session *s, struct stream_interface *si
 si->state = SI_ST_CLO;
 /* send the message */
- http_server_error(s, si, SN_ERR_PRXCOND, SN_FINST_C, 302, &trash);
+ http_server_error(s, si, SN_ERR_LOCAL, SN_FINST_C, 302, &trash);
 /* FIXME: we should increase a counter of redirects per server and per backend. */
 srv_inc_sess_ctr(srv);
@@ -2529,6 +2529,8 @@ int http_wait_for_request(struct session *s, struct channel *req, int an_bit)
 /* we fail this request, let's return 503 service unavail */
 txn->status = 503;
 stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_503));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
 goto return_prx_cond;
 }
 }
@@ -2536,6 +2538,8 @@ int http_wait_for_request(struct session *s, struct channel *req, int an_bit)
 /* nothing to fail, let's reply normaly */
 txn->status = 200;
 stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_200));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
 goto return_prx_cond;
 }
@@ -3031,7 +3035,7 @@ int http_handle_stats(struct session *s, struct channel *req)
 s->fe->fe_counters.intercepted_req++;
 if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
 if (!(s->flags & SN_FINST_MASK))
 s->flags |= SN_FINST_R;
 req->analysers = 0;
@@ -3060,7 +3064,7 @@ int http_handle_stats(struct session *s, struct channel *req)
 s->fe->fe_counters.intercepted_req++;
 if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
 if (!(s->flags & SN_FINST_MASK))
 s->flags |= SN_FINST_R;
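Review bot: The comment `/* we don't want a real error here */` on the line added to the 503 branch of http_wait_for_request is misleading, because sess_log in this same commit still treats `s->txn.status >= 500` as an error for HTTP-mode frontends. That reply therefore keeps being logged under dontlog-normal and only the reported termination flag changes. A comment such as `/* locally generated reply: report 'L' rather than a proxy error */` would describe both this branch and the 200 branch in the next hunk (-2536), which repeats the same two lines. Presumably the flag is set before the jump because the code at `return_prx_cond`, outside the hunk, fills in a default when none is set; that is worth confirming.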
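Review bot: The split trailing comment `// this is not really an error but it is` / `// to mark that it comes from the proxy` in http_handle_stats was written for SN_ERR_PRXCOND and no longer matches the new line, since this commit defines SN_ERR_LOCAL as "not an error". I would replace the pair with a single comment above the `if`, such as `/* locally processed (stats): report 'L' */`. The same applies to the second http_handle_stats hunk (-3060). The function body starts and ends outside both hunks.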
@@ -3375,7 +3379,7 @@ static int http_apply_redirect_rule(struct redirect_rule *rule, struct session *
 }
 if (!(s->flags & SN_ERR_MASK))
- s->flags |= SN_ERR_PRXCOND;
+ s->flags |= SN_ERR_LOCAL;
 if (!(s->flags & SN_FINST_MASK))
 s->flags |= SN_FINST_R;