From: Amaury Denoyelle
Date: Thu, 30 Nov 2023 13:28:47 +0000 (+0100)
Subject: MINOR: rhttp: mark reverse HTTP as experimental
X-Git-Tag: v2.9-dev12~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86e5c607d1b8b353314c9c0b63cd2f9da3ab048f;p=thirdparty%2Fhaproxy.git

MINOR: rhttp: mark reverse HTTP as experimental

Mark the reverse HTTP feature as experimental. This will allow adjusting the configuration mechanism if needed with future developments, without maintaining retro-compatibility.

Concretely, each config directive linked to it now requires global expose-experimental-directives to be specified first. This is the case for the following directives:
- rhttp@ prefix used in bind and server lines
- nbconn bind keyword
- attach-srv tcp rule

Each documentation section referring to these keywords is updated to highlight this new requirement.

Note that this commit has duplicated in several places the code from the global function check_kw_experimental(). This is because the latter only works with cfg_keyword type. This is not adapted with bind_kw or action_kw types. This should be improved in a future patch.

--- diff --git a/doc/configuration.txt b/doc/configuration.txt index 2c7ada20f6..324cce1325 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -5085,11 +5085,14 @@ bind / [, ...] [param*] - 'quic6@' -> address is resolved as IPv6 and protocol UDP is used. The performance note for QUIC over IPv4 applies as well. - - 'rhttp@' -> used for reverse HTTP. Address must be a - server with the format '/'. The server - will be used to instantiate connections to a remote - address. The listener will try to maintain "nbconn" - connections. + - 'rhttp@' [ EXPERIMENTAL ] -> used for reverse HTTP. + Address must be a server with the format + '/'. The server will be used to + instantiate connections to a remote address. The listener + will try to maintain "nbconn" connections. This is an + experimental features which requires + "expose-experimental-directives" on a line before this + bind. You may want to reference some environment variables in the address parameter, see section 2.3 about environment @@ -9980,8 +9983,11 @@ server
[:[port]] [param*] one of them over the FD. The bind part will use the received socket as the client FD. Should be used carefully. - - 'rhttp@' -> custom address family for a passive server in - HTTP reverse context. + - 'rhttp@' [ EXPERIMENTAL ] -> custom address family for a + passive server in HTTP reverse context. This is an + experimental features which requires + "expose-experimental-directives" on a line before this + server. You may want to reference some environment variables in the address parameter, see section 2.3 about environment variables. The "init-addr" setting can be used to modify the way @@ -12904,7 +12910,7 @@ allow above. -attach-srv [name ] +attach-srv [name ] [ EXPERIMENTAL ] Usable in: TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft - | X | - | - | - | - | - @@ -12922,6 +12928,10 @@ attach-srv [name ] This rule is only valid for frontend in HTTP mode. Also all listeners must not require a protocol different from HTTP/2. + Reverse HTTP is currently still in active development. Configuration + mechanism may change in the future. For this reason it is internally marked + as experimental, meaning that "expose-experimental-directives" must appear on + a line before this directive. auth [realm ] Usable in: TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft 
@@ -14750,11 +14760,16 @@ namespace a namespace different from the default one. Please refer to your operating system's documentation to find more details about network namespaces. -nbconn +nbconn [ EXPERIMENTAL ] This setting is only valid for listener instances which uses reverse HTTP. This will define the count of connections which will be mounted in parallel. If not specified, a default value of 1 is used. + Reverse HTTP is currently still in active development. Configuration + mechanism may change in the future. For this reason it is internally marked + as expirmental, meaning that "expose-experimental-directives" must appear on + a line before this directive. + nice Sets the 'niceness' of connections initiated from the socket. Value must be in the range -1024..1024 inclusive, and defaults to zero. Positive values diff --git a/reg-tests/connection/reverse_connect_full.vtc b/reg-tests/connection/reverse_connect_full.vtc index 95dd399f10..18536e081f 100644 --- a/reg-tests/connection/reverse_connect_full.vtc +++ b/reg-tests/connection/reverse_connect_full.vtc @@ -9,6 +9,9 @@ server s1 { } -start haproxy h_edge -conf { +global + expose-experimental-directives + defaults log global timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" @@ -29,6 +32,9 @@ frontend priv } -start haproxy h_dev -conf { +global + expose-experimental-directives + defaults log global timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" diff --git a/reg-tests/connection/reverse_server.vtc b/reg-tests/connection/reverse_server.vtc index ec631f6e2c..50fe8ceb80 100644 --- a/reg-tests/connection/reverse_server.vtc +++ b/reg-tests/connection/reverse_server.vtc @@ -6,6 +6,9 @@ feature ignore_unknown_macro barrier b1 cond 2 haproxy h_edge -conf { +global + expose-experimental-directives + defaults log global timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" diff --git a/reg-tests/connection/reverse_server_name.vtc b/reg-tests/connection/reverse_server_name.vtc index 667b15f844..0fd850fe8f 100644 
--- a/reg-tests/connection/reverse_server_name.vtc +++ b/reg-tests/connection/reverse_server_name.vtc @@ -7,6 +7,9 @@ feature ignore_unknown_macro barrier b1 cond 2 haproxy h_edge -conf { +global + expose-experimental-directives + defaults log global timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" diff --git a/src/listener.c b/src/listener.c index 6ce5deaa81..86d0945daf 100644 --- a/src/listener.c +++ b/src/listener.c @@ -2259,6 +2259,14 @@ static int bind_parse_nbconn(char **args, int cur_arg, struct proxy *px, struct int val; const struct listener *l; + /* TODO duplicated code from check_kw_experimental() */ + if (!experimental_directives_allowed) { + memprintf(err, "'%s' is experimental, must be allowed via a global 'expose-experimental-directives'", + args[cur_arg]); + return ERR_ALERT | ERR_FATAL; + } + mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED); + l = LIST_NEXT(&conf->listeners, struct listener *, by_bind); if (l->rx.addr.ss_family != AF_CUST_RHTTP_SRV) { memprintf(err, "'%s' : only valid for reverse HTTP listeners.", args[cur_arg]); diff --git a/src/tcp_act.c b/src/tcp_act.c index a6898cb4a2..8b44047d5b 100644 --- a/src/tcp_act.c +++ b/src/tcp_act.c @@ -468,6 +468,14 @@ static enum act_parse_ret tcp_parse_attach_srv(const char **args, int *cur_arg, char *srvname; struct sample_expr *expr; + /* TODO duplicated code from check_kw_experimental() */ + if (!experimental_directives_allowed) { + memprintf(err, "parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'", + px->conf.args.file, px->conf.args.line, args[2]); + return ACT_RET_PRS_ERR; + } + mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED); + rule->action = ACT_CUSTOM; rule->action_ptr = tcp_action_attach_srv; rule->release_ptr = release_attach_srv_action; diff --git a/src/tools.c b/src/tools.c index a7f4ff13c7..0b951e15c4 100644 --- a/src/tools.c +++ b/src/tools.c 
@@ -1104,6 +1104,13 @@ struct sockaddr_storage *str2sa_range(const char *str, int *port, int *low, int ss.ss_family = AF_CUST_SOCKPAIR; } else if (strncmp(str2, "rhttp@", 3) == 0) { + /* TODO duplicated code from check_kw_experimental() */ + if (!experimental_directives_allowed) { + memprintf(err, "Address '%s' is experimental, must be allowed via a global 'expose-experimental-directives'", str2); + goto out; + } + mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED); + str2 += 4; ss.ss_family = AF_CUST_RHTTP_SRV; }
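
Review bot: in doc/configuration.txt, the added text for the 'rhttp@' prefix in both the bind hunk and the server hunk reads "This is an experimental features which requires"; it should be "an experimental feature". These two entries also word the requirement differently from the attach-srv and nbconn paragraphs ("Reverse HTTP is currently still in active development..."); using one sentence for all four places would make the documentation easier to search and keep in sync.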
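
Review bot: in the nbconn hunk of doc/configuration.txt, "it is internally marked as expirmental" is misspelled; the same paragraph under attach-srv spells it "experimental". Also, the "[ EXPERIMENTAL ]" marker appended to the attach-srv and nbconn signatures uses the same bracket notation as optional arguments such as "[name ]", so it can be read as part of the syntax; placing the marker on its own line or in the description would avoid that.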
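
Review bot: the reg-tests hunks (reverse_connect_full.vtc, reverse_server.vtc, reverse_server_name.vtc) only add "global" / "expose-experimental-directives" so the existing tests keep passing; nothing here exercises the new rejection path. A small test that loads a configuration using rhttp@, nbconn or attach-srv without the global directive and expects startup to fail would cover the three new checks.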
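
Review bot: the block added to bind_parse_nbconn() in src/listener.c is the first of three hand-copied checks, and each copy words its error differently ("'%s' is experimental", "'%s' action is experimental", "Address '%s' is experimental"). The TODO acknowledges the duplication, but a small helper that takes the keyword string and the err pointer, tests experimental_directives_allowed and calls mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED), would let each caller keep only its own return code and would give users one consistent message to look for.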
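
Review bot: in tcp_parse_attach_srv() in src/tcp_act.c, the error message names the action through a hard-coded args[2] although the function receives the position as int *cur_arg. If the action keyword is always at index 2 for every rule set that can reach this parser, a short comment saying so would help; otherwise derive the index from cur_arg so the message cannot print the wrong token.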
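
Review bot: in str2sa_range() in src/tools.c, the new check sits under a prefix test that does not match its own literal: the context line strncmp(str2, "rhttp@", 3) compares only the first 3 of the 6 characters, and the context line str2 += 4 then skips 4. As written, any address beginning with "rht" reaches the experimental error and the taint, and a genuine rhttp@ address keeps "p@" in front of the server name after the skip. Suggest using the literal's length in both places, i.e. comparing 6 characters and advancing by 6, either in this patch or in a fix applied before it.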