From: Christopher Faulet
Date: Fri, 2 Oct 2020 09:38:46 +0000 (+0200)
Subject: DOC: tcp-rules: Refresh details about L7 matching for tcp-request content rules
X-Git-Tag: v2.3-dev6~118
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ea509e15f6fe3390a969f6eec29d76b8732d3aa;p=thirdparty%2Fhaproxy.git

DOC: tcp-rules: Refresh details about L7 matching for tcp-request content rules

Because the parsing of HTTP messages is now performed in the HTTP multiplexers, the content is immediately available when "tcp-request content" rules are evaluated for an HTTP frontend. So, it is a good idea to make the documentation explicit on this point.

In addition, because in all cases, the parsing is already performed, there is no reason to still use "tcp-request content" rules based on L7 matching, although it is still valid. The recommended way is to use "http-request" rules instead. Again, it is a good idea to update the documentation on this point.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt index db4a4a7600..9442c24915 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -11305,13 +11305,16 @@ tcp-request content [{if | unless} ] "track-sc*" actions as well as for changing the default action to a reject. It is perfectly possible to match layer 7 contents with "tcp-request content" - rules, since HTTP-specific ACL matches are able to preliminarily parse the - contents of a buffer before extracting the required data. If the buffered - contents do not parse as a valid HTTP message, then the ACL does not match. - The parser which is involved there is exactly the same as for all other HTTP - processing, so there is no risk of parsing something differently. In an HTTP - backend connected to from an HTTP frontend, it is guaranteed that HTTP - contents will always be immediately present when the rule is evaluated first. + rules from a TCP proxy, since HTTP-specific ACL matches are able to + preliminarily parse the contents of a buffer before extracting the required + data. If the buffered contents do not parse as a valid HTTP message, then the + ACL does not match. The parser which is involved there is exactly the same + as for all other HTTP processing, so there is no risk of parsing something + differently. In an HTTP frontend or an HTTP backend, it is guaranteed that + HTTP contents will always be immediately present when the rule is evaluated + first because the HTTP parsing is performed in the early stages of the + connection processing, at the session level. But for such proxies, using + "http-request" rules is much more natural and recommended. Tracking layer7 information is also possible provided that the information are present when the rule is processed. The rule processing engine is able to
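Review bot: In the added sentence "In an HTTP frontend or an HTTP backend, it is guaranteed that HTTP contents will always be immediately present", the qualifier from the removed text ("In an HTTP backend connected to from an HTTP frontend") is gone, so the guarantee now reads as also covering an HTTP backend reached from a TCP frontend. Please confirm that this case is really covered by parsing "at the session level"; if it is not, restore the qualifier, because "track-sc*" and reject decisions written against this paragraph depend on the contents being present when the rule is first evaluated. Separately, the closing sentence ("But for such proxies, using "http-request" rules is much more natural and recommended.") does not say that L7 matching in "tcp-request content" rules remains valid in HTTP proxies, which the commit message states; saying so in the documentation would keep readers from treating their existing rules as broken.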