From: Tim Duesterhus
Date: Tue, 14 May 2019 18:57:57 +0000 (+0200)
Subject: MEDIUM: Make 'block' directive fatal
X-Git-Tag: v2.1-dev1~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b7c47f05cc746e8b7f3c00daf76e659acc580d8;p=thirdparty%2Fhaproxy.git
MEDIUM: Make 'block' directive fatal
It was deprecated with HAProxy 1.5. Time to remove it.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3e402fb92c..62f02af51b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2342,7 +2342,6 @@ backlog X X X -
 balance X - X X
 bind - X X -
 bind-process X X X X
-block (deprecated) - X X X
 capture cookie - X X -
 capture request header - X X -
 capture response header - X X -
@@ -2993,35 +2992,6 @@ bind-process [ all | odd | even | [-[]] ] ...
 See also : "nbproc" in global section, and "process" in section 5.1.
-block { if | unless } (deprecated)
- Block a layer 7 request if/unless a condition is matched
- May be used in sections : defaults | frontend | listen | backend
- no | yes | yes | yes
-
- The HTTP request will be blocked very early in the layer 7 processing
- if/unless is matched. A 403 error will be returned if the request
- is blocked. The condition has to reference ACLs (see section 7). This is
- typically used to deny access to certain sensitive resources if some
- conditions are met or not met. There is no fixed limit to the number of
- "block" statements per instance. To block connections at layer 4 (without
- sending a 403 error) see "tcp-request connection reject" and
- "tcp-request content reject" rules.
-
- This form is deprecated, do not use it in any new configuration, use the new
- "http-request deny" instead.
-
- Example:
- acl invalid_src src 0.0.0.0/7 224.0.0.0/3
- acl invalid_src src_port 0:1023
- acl local_dst hdr(host) -i localhost
- # block is deprecated. Use http-request deny instead:
- #block if invalid_src || local_dst
- http-request deny if invalid_src || local_dst
-
- See also : section 7 about ACL usage, "http-request deny",
- "http-response deny", "tcp-request connection reject" and
- "tcp-request content reject".
-
 capture cookie len
 Capture and log a cookie in the request and in the response.
 May be used in sections : defaults | frontend | listen | backend
diff --git a/include/types/global.h b/include/types/global.h
index f9ab4c29d3..fb0c5e123e 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -249,7 +249,7 @@ extern unsigned int rlim_fd_max_at_boot;
 extern int atexit_flag;
 /* bit values to go with "warned" above */
-#define WARN_BLOCK_DEPRECATED 0x00000001
+/* unassigned : 0x00000001 (previously: WARN_BLOCK_DEPRECATED) */
 /* unassigned : 0x00000002 */
 #define WARN_REDISPATCH_DEPRECATED 0x00000004
 #define WARN_CLITO_DEPRECATED 0x00000008
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 6c18bfc1a4..5fd8ecf5a7 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -1546,33 +1546,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 curproxy->server_id_hdr_name = strdup(args[1]);
 curproxy->server_id_hdr_len = strlen(curproxy->server_id_hdr_name);
 }
- else if (!strcmp(args[0], "block")) { /* early blocking based on ACLs */
- struct act_rule *rule;
-
- if (curproxy == &defproxy) {
- ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-
- /* emulate "block" using "http-request block". Since these rules are supposed to
- * be processed before all http-request rules, we put them into their own list
- * and will insert them at the end.
- */
- rule = parse_http_req_cond((const char **)args, file, linenum, curproxy);
- if (!rule) {
- err_code |= ERR_ALERT | ERR_ABORT;
- goto out;
- }
- err_code |= warnif_misplaced_block(curproxy, file, linenum, args[0]);
- err_code |= warnif_cond_conflicts(rule->cond,
- (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR,
- file, linenum);
- LIST_ADDQ(&curproxy->block_rules, &rule->list);
-
- if (!already_warned(WARN_BLOCK_DEPRECATED))
- ha_warning("parsing [%s:%d] : The '%s' directive is now deprecated in favor of 'http-request deny' which uses the exact same syntax. The rules are translated but support might disappear in a future version.\n", file, linenum, args[0]);
+ else if (!strcmp(args[0], "block")) {
+ ha_alert("parsing [%s:%d] : The '%s' directive is not supported anymore since HAProxy 2.1. Use 'http-request deny' which uses the exact same syntax.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
 }
 else if (!strcmp(args[0], "redirect")) {
 struct redirect_rule *rule;
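Review bot: The new `block` branch only alerts and jumps to `out`, yet the lines it replaces were the visible producer of `curproxy->block_rules` (the `LIST_ADDQ`) and a caller of `warnif_misplaced_block()`, and nothing in this diff removes that list field, that helper, or whatever later splices `block_rules` ahead of the http-request rules; unless that is handled outside this commit they are probably left as dead code and are worth removing in a follow-up. Rejecting the configuration outright rather than dropping the rule is the right fail-closed behaviour, since a config that relied on `block` to guard a sensitive path would otherwise start with that path exposed; a short comment above the branch, `/* fatal on purpose: silently ignoring a former deny rule would leave the guarded resource unprotected */`, would record that intent for the next person tempted to downgrade it to a warning. cfg_parse_listen() begins and ends outside this hunk.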