From: Willy Tarreau
Date: Wed, 8 Oct 2025 08:18:35 +0000 (+0200)
Subject: MAJOR: proxy: enable abortonclose by default on HTTP proxies
X-Git-Tag: v3.3-dev10~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=644b3dc7d880ab69997bc05ebc8dd3045ee23186;p=thirdparty%2Fhaproxy.git

MAJOR: proxy: enable abortonclose by default on HTTP proxies

As discussed on https://github.com/orgs/haproxy/discussions/3146 and on the mailing list, there's a marked preference for having abortonclose enabled by default when relevant. The point being that with today's internet, the large majority of requests sent with a closed input channel are aborted requests, and that it's pointless to waste resources processing them.

This patch now considers both "option abortonclose" and its opposite "no option abortonclose" to figure whether abortonclose is enabled or disabled in a backend. When neither is set (thus not even inherited from a defaults section), then it considers the proxy's mode, and HTTP mode implies abortonclose by default.

This may make some legacy services fail starting with 3.3. In this case it will be sufficient to add "no option abortonclose" in either the affected backend or the defaults section it derives from. But for internet-facing proxies it's better to stay with the option enabled.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8c6e6158d..632268f94 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -9089,11 +9089,14 @@ no option abortonclose pending in the queue or when trying to connect). If the request is already being served by a server, then the connection to the server is in turn switched to half-close to indicate the same condition to the - server, which will then decide how to proceed. + server, which will then decide how to proceed. This is the default for + HTTP-mode backends. The recommendation is to enable this option on internet-facing TLS endpoints and HTTP services, and to disable it for pure TCP ones as well as unexposed - legacy environments. + legacy environments. It is enabled by default in HTTP backends, and may be + forcefully disabled by prepending the "no" keyword before it, either in the + backend section itself, or in the "defaults" section it inherits from. If this option has been enabled in a "defaults" section, it can be disabled in a specific instance by prepending the "no" keyword before it. diff --git a/include/haproxy/proxy.h b/include/haproxy/proxy.h index 46f5df84b..7be5a55d5 100644 --- a/include/haproxy/proxy.h +++ b/include/haproxy/proxy.h @@ -141,10 +141,18 @@ static inline void proxy_reset_timeouts(struct proxy *proxy) proxy->timeout.tunnel = TICK_ETERNITY; } -/* return proxy's abortonclose status: 0=off, non-zero=on */ +/* return proxy's abortonclose status: 0=off, non-zero=on. + * Considers the proxy's mode when neither on/off was set, + * and HTTP mode defaults to on. + */ static inline int proxy_abrt_close(const struct proxy *px) { - return !!(px->options & PR_O_ABRT_CLOSE); + if (px->options & PR_O_ABRT_CLOSE) + return 1; + else if (px->no_options & PR_O_ABRT_CLOSE) + return 0; + /* When unset: 1 for HTTP, 0 for TCP */ + return px->mode == PR_MODE_HTTP; } /* increase the number of cumulated connections received on the designated frontend */ diff --git a/reg-tests/http-messaging/http_abortonclose.vtc b/reg-tests/http-messaging/http_abortonclose.vtc index f9ad90621..33b194dff 100644 
--- a/reg-tests/http-messaging/http_abortonclose.vtc +++ b/reg-tests/http-messaging/http_abortonclose.vtc @@ -126,6 +126,7 @@ haproxy h2 -conf { defaults mode http + no option abortonclose retries 1 timeout client 10s timeout server 10s
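Review bot: in the doc/configuration.txt hunk, the retained sentence "If this option has been enabled in a "defaults" section, it can be disabled in a specific instance by prepending the "no" keyword before it." now overlaps with, and slightly contradicts, the new text just above it, which already says the option is enabled by default in HTTP backends and may be disabled with "no" either in the backend or in its "defaults" section; the older sentence reads as if the "no" form were only needed after an explicit enable. Suggest folding the two into one paragraph. The recommendation paragraph also still tells readers to disable the option for pure TCP backends, while the proxy.h hunk makes TCP mode default to off, so it would be clearer to state that TCP-mode backends keep the previous off default and only need "no option abortonclose" when a shared "defaults" section turns it on.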
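Review bot: in the proxy_abrt_close() hunk, the check order gives "option abortonclose" precedence if PR_O_ABRT_CLOSE is set in both px->options and px->no_options at the same time; if the config parser guarantees the two bits are mutually exclusive, the comment should say so, otherwise the "no" form should win, since the commit message presents it as the escape hatch for legacy services. Because the default is now derived at call time from px->mode instead of being stored in px->options, any remaining code that tests PR_O_ABRT_CLOSE directly rather than calling proxy_abrt_close() will keep the old off default for HTTP backends; worth checking for such readers before merging. Minor style: the "else" after "return 1;" is redundant.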
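Review bot: the http_abortonclose.vtc hunk only preserves the previously disabled case by adding "no option abortonclose" to the h2 defaults; nothing visible here exercises the new implicit default (HTTP mode with neither keyword set). Suggest adding an instance whose defaults carry just "mode http" and asserting it behaves like the explicitly enabled one, so that a regression in the mode-based fallback in proxy_abrt_close() would be caught by the reg-test rather than by users.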
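The three-way resolution implemented in the proxy.h hunk (explicit "option" wins, then explicit "no option", then the proxy's mode) applied to a small deployment with one internet-facing backend, one legacy backend and one TCP backend. This is an added example, not part of the commit or of HAProxy's own tree; the section names, the RFC 5737 documentation addresses and the timeouts are assumed.

```haproxy
# Constructed example for HAProxy 3.3 semantics: abortonclose defaults to on
# for HTTP-mode backends and to off for TCP-mode backends unless a keyword
# says otherwise.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # No abortonclose keyword here: HTTP-mode backends inherit "unset", which
    # proxy_abrt_close() resolves to "on" because px->mode == PR_MODE_HTTP.

frontend fe_public
    bind :80
    acl is_legacy path_beg /legacy/
    use_backend be_legacy if is_legacy
    default_backend be_api

backend be_api
    # Internet-facing service: neither keyword, so abortonclose is on by
    # default; a client closing its input channel aborts the pending request.
    server api1 192.0.2.10:8080 check

backend be_legacy
    # Legacy service that breaks when the server side is half-closed early:
    # the explicit "no" form sets the bit in px->no_options and wins over the
    # mode-based default. Moving this line into "defaults" would disable it
    # for every backend that inherits from that section.
    no option abortonclose
    server legacy1 192.0.2.20:8080 check

backend be_tcp
    # Pure TCP backend: mode is not HTTP, so the unset keyword resolves to
    # "off" without any explicit "no option abortonclose".
    mode tcp
    server db1 192.0.2.30:5432 check
```

The behaviour change to watch for when upgrading is be_api: it had abortonclose off before 3.3 and on after, with no configuration change. Running the upgraded binary with "haproxy -c -f" on the old configuration will not flag this, since the keyword is not required, so legacy backends have to be identified from the services' own behaviour and opted out as be_legacy does.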