From: Amaury Denoyelle
Date: Fri, 20 Oct 2023 14:49:03 +0000 (+0200)
Subject: MINOR: listener: forbid most keywords for reverse HTTP bind
X-Git-Tag: v2.9-dev8~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f70cf28539803b2f33fbfa39156d7d47e3609614;p=thirdparty%2Fhaproxy.git

MINOR: listener: forbid most keywords for reverse HTTP bind

Reverse HTTP bind is very specific in that in rely on a server to initiate connection. All connection settings are defined on the server line and ignored from the bind line. Before this patch, most of keywords were silently ignored. This could result in a configuration from doing unexpected things from the user point of view. To improve this situation, add a new 'rhttp_ok' field in bind_kw structure. If not set, the keyword is forbidden on a reverse bind line and will cause a fatal config error. For the moment, only the following keywords are usable with reverse bind 'id', 'name' and 'nbconn'. This change is safe as it's already forbidden to mix reverse and standard addresses on the same bind line.
---
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 6b2fc66a77..cdf64cbd6c 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -272,6 +272,7 @@ struct bind_kw {
 	const char *kw;
 	int (*parse)(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err);
 	int skip; /* nb of args to skip */
+	int rhttp_ok; /* non-zero if kw is support for reverse HTTP bind */
 };
 
 /* same as bind_kw but for crtlist keywords */
diff --git a/src/listener.c b/src/listener.c
index f812d9fad7..8a951f3916 100644
--- a/src/listener.c
+++ b/src/listener.c
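Review bot: The comment on the added `rhttp_ok` member in struct bind_kw has a typo ("is support") and, more importantly, does not say what the zero default means: any bind_kw table that still lists only three positional initializers leaves this member at 0, so every keyword in such a table is now rejected on a reverse HTTP bind. That fail-closed default is the right one for a feature whose connection settings come from the server line, but it should be stated where the member is declared so the next table author does not treat the omission as "unspecified": `int rhttp_ok; /* non-zero if kw is supported on a reverse HTTP bind; tables that omit it get 0 (rejected) */`. The commit message itself lists only 'id', 'name' and 'nbconn' as allowed, which is consistent with this reading.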
@@ -2132,6 +2132,13 @@ int bind_parse_args_list(struct bind_conf *bind_conf, char **args, int cur_arg,
 		goto out;
 	}
 
+	if ((bind_conf->options & BC_O_REVERSE_HTTP) && !kw->rhttp_ok) {
+		ha_alert("'%s' option is not accepted for reverse HTTP\n",
+		         args[cur_arg]);
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
+	}
+
 	code = kw->parse(args, cur_arg, bind_conf->frontend, bind_conf, &err);
 	err_code |= code;
 
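Review bot: The added guard before `kw->parse` only fails closed if `BC_O_REVERSE_HTTP` is already set on `bind_conf` when the keyword list is walked, i.e. if the bind address has been parsed before bind_parse_args_list is called; the commit message's remark that mixing reverse and standard addresses is already rejected suggests that ordering, but nothing in the hunk pins it, and a caller that parses keywords first would silently accept everything. A comment would make the dependency explicit: `/* BC_O_REVERSE_HTTP is set by the address parsing that precedes keyword parsing; keywords without rhttp_ok have no effect on a reverse bind, so reject them rather than ignore them */`. The alert could also tell the operator where the setting belongs, e.g. `ha_alert("'%s' option is not accepted for reverse HTTP (connection settings come from the server line)\n", args[cur_arg]);`. bind_parse_args_list starts and ends outside the hunk.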
@@ -2423,18 +2430,18 @@ INITCALL1(STG_REGISTER, acl_register_keywords, &acl_kws);
  * not enabled. */
 static struct bind_kw_list bind_kws = { "ALL", { }, {
-	{ "accept-netscaler-cip", bind_parse_accept_netscaler_cip, 1 }, /* enable NetScaler Client IP insertion protocol */
-	{ "accept-proxy", bind_parse_accept_proxy, 0 }, /* enable PROXY protocol */
-	{ "backlog", bind_parse_backlog, 1 }, /* set backlog of listening socket */
-	{ "id", bind_parse_id, 1 }, /* set id of listening socket */
-	{ "maxconn", bind_parse_maxconn, 1 }, /* set maxconn of listening socket */
-	{ "name", bind_parse_name, 1 }, /* set name of listening socket */
-	{ "nbconn", bind_parse_nbconn, 1 }, /* set number of connection on active preconnect */
-	{ "nice", bind_parse_nice, 1 }, /* set nice of listening socket */
-	{ "process", bind_parse_process, 1 }, /* set list of allowed process for this socket */
-	{ "proto", bind_parse_proto, 1 }, /* set the proto to use for all incoming connections */
-	{ "shards", bind_parse_shards, 1 }, /* set number of shards */
-	{ "thread", bind_parse_thread, 1 }, /* set list of allowed threads for this socket */
+	{ "accept-netscaler-cip", bind_parse_accept_netscaler_cip, 1, 0 }, /* enable NetScaler Client IP insertion protocol */
+	{ "accept-proxy", bind_parse_accept_proxy, 0, 0 }, /* enable PROXY protocol */
+	{ "backlog", bind_parse_backlog, 1, 0 }, /* set backlog of listening socket */
+	{ "id", bind_parse_id, 1, 1 }, /* set id of listening socket */
+	{ "maxconn", bind_parse_maxconn, 1, 0 }, /* set maxconn of listening socket */
+	{ "name", bind_parse_name, 1, 1 }, /* set name of listening socket */
+	{ "nbconn", bind_parse_nbconn, 1, 1 }, /* set number of connection on active preconnect */
+	{ "nice", bind_parse_nice, 1, 0 }, /* set nice of listening socket */
+	{ "process", bind_parse_process, 1, 0 }, /* set list of allowed process for this socket */
+	{ "proto", bind_parse_proto, 1, 0 }, /* set the proto to use for all incoming connections */
+	{ "shards", bind_parse_shards, 1, 0 }, /* set number of shards */
+	{ "thread", bind_parse_thread, 1, 0 }, /* set list of allowed threads for this socket */
 	{ /* END */ },
 }};