From: Christopher Faulet Date: Fri, 15 Oct 2021 11:51:34 +0000 (+0200) Subject: BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back X-Git-Tag: v2.5-dev10~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=597909f4e67866c4f3ecf77f95f2cd4556c0c638;p=thirdparty%2Fhaproxy.git BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back http-after-response rules evaluation must be stopped after a "allow". It means the frontend ruleset must not be evaluated if a "allow" was performed in the backend ruleset. Internally, the evaluation must be stopped if on HTTP_RULE_RES_STOP return value. Only the "allow" action is concerned by this change. Thanks to this patch, http-response and http-after-response behave in the same way. This patch should be backported as far as 2.2. --- diff --git a/reg-tests/http-rules/http_after_response.vtc b/reg-tests/http-rules/http_after_response.vtc index af66498503..0a37daa5ff 100644 --- a/reg-tests/http-rules/http_after_response.vtc +++ b/reg-tests/http-rules/http_after_response.vtc @@ -182,11 +182,11 @@ client c4 -connect ${h1_feh1_sock} { client c5 -connect ${h1_feh1_sock} { txreq -req GET -url /deny-srv rxresp - expect resp.status == 200 - expect resp.http.be-sl1 == "" - expect resp.http.be-sl2 == "" - expect resp.http.be-hdr == "" - expect resp.http.fe-sl1-crc == 3104968915 - expect resp.http.fe-sl2-crc == 561949791 - expect resp.http.fe-hdr-crc == 623352154 + expect resp.status == 502 + expect resp.http.be-sl1 == + expect resp.http.be-sl2 == + expect resp.http.be-hdr == + expect resp.http.sl1 == + expect resp.http.sl2 == + expect resp.http.hdr == } -run diff --git a/src/http_ana.c b/src/http_ana.c index 7e32fb8ead..2033d46615 100644 --- a/src/http_ana.c +++ b/src/http_ana.c 
@@ -2950,7 +2950,7 @@ int http_eval_after_res_rules(struct stream *s) } ret = http_res_get_intercept_rule(s->be, &s->be->http_after_res_rules, s); - if ((ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP) && sess->fe != s->be) + if (ret == HTTP_RULE_RES_CONT && sess->fe != s->be) ret = http_res_get_intercept_rule(sess->fe, &sess->fe->http_after_res_rules, s); end:
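Review bot: In the c5 block of reg-tests/http-rules/http_after_response.vtc, the expected status for /deny-srv moves from 200 to 502 and the checked headers change from fe-sl1-crc, fe-sl2-crc and fe-hdr-crc to sl1, sl2 and hdr, but the commit message only describes stopping on "allow" and does not explain why a deny case changes. Please say in the message why this expectation changes. Also add or point to a client case where the backend ruleset performs an "allow" and the test asserts that the frontend http-after-response headers are not set, since that is the behaviour being fixed. As rendered here, the new lines such as "expect resp.http.be-sl1 ==" show no right-hand operand; confirm the comparison value is present in the committed file.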
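Review bot: In http_eval_after_res_rules(), the new condition "if (ret == HTTP_RULE_RES_CONT && sess->fe != s->be)" has no comment saying that HTTP_RULE_RES_STOP from the backend ruleset now deliberately skips the frontend ruleset. A short comment above the test would keep someone from restoring the old check later. Since this is marked for backport as far as 2.2, it is also worth a line in the configuration documentation: a frontend that uses http-after-response to set headers on every response will stop applying them to any response for which the backend's http-after-response rules end in "allow", and operators who rely on frontend rules for that purpose need to know to review their backend rulesets.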