From 252412316e5814a8743c6b22644f5d6ce0cc2a23 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 18 Jul 2021 19:18:56 +0200 Subject: [PATCH] MEDIUM: proxy: remove long-broken 'option http_proxy' This option had always been broken in HTX, which means that the first breakage appeared in 1.9, that it was broken by default in 2.0 and that no workaround existed starting with 2.1. The way this option works is praticularly unfit to the rest of the configuration and to the internal architecture. It had some uses when it was introduced 14 years ago but nowadays it's possible to do much better and more reliable using a set of "http-request set-dst" and "http-request set-uri" rules, which additionally are compatible with DNS resolution (via do-resolve) and are not exclusive to normal load balancing. The "option-http_proxy" example config file was updated to reflect this. The option is still parsed so that an error message gives hints about what to look for. --- doc/configuration.txt | 42 ++++------------------------------ examples/option-http_proxy.cfg | 11 +++++---- include/haproxy/proxy-t.h | 2 +- src/backend.c | 15 ------------ src/cfgparse-listen.c | 7 ++++++ src/cfgparse.c | 8 +++---- src/http_ana.c | 36 ----------------------------- src/proxy.c | 1 - 8 files changed, 22 insertions(+), 100 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index a64244e67c..2e08367275 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -3607,7 +3607,6 @@ option http-use-proxy-header (*) X X X - option httpchk X - X X option httpclose (*) X X X X option httplog X X X - -option http_proxy (*) X X X X option independent-streams (*) X X X X option ldap-check X - X X option external-check X - X X @@ -4002,7 +4001,7 @@ balance url_param [check_post] might be a URL parameter list. This is probably not a concern with SGML type message bodies. - See also : "dispatch", "cookie", "transparent", "hash-type" and "http_proxy". + See also : "dispatch", "cookie", "transparent", "hash-type". bind [
]: [, ...] [param*] @@ -8857,36 +8856,6 @@ option httplog [ clf ] See also : section 8 about logging. -option http_proxy -no option http_proxy - Enable or disable plain HTTP proxy mode - May be used in sections : defaults | frontend | listen | backend - yes | yes | yes | yes - Arguments : none - - It sometimes happens that people need a pure HTTP proxy which understands - basic proxy requests without caching nor any fancy feature. In this case, - it may be worth setting up an HAProxy instance with the "option http_proxy" - set. In this mode, no server is declared, and the connection is forwarded to - the IP address and port found in the URL after the "http://" scheme. - - No host address resolution is performed, so this only works when pure IP - addresses are passed. Since this option's usage perimeter is rather limited, - it will probably be used only by experts who know they need exactly it. This - is incompatible with the HTTP tunnel mode. - - If this option has been enabled in a "defaults" section, it can be disabled - in a specific instance by prepending the "no" keyword before it. - - Example : - # this backend understands HTTP proxy requests and forwards them directly. - backend direct_forward - option httpclose - option http_proxy - - See also : "option httpclose" - - option independent-streams no option independent-streams Enable or disable independent timeout processing for both directions @@ -19941,15 +19910,12 @@ url_ip : ip presented as an IP address. Its use is very limited. For instance, a monitoring system might use this field as an alternative for the source IP in order to test what path a given source address would follow, or to force an - entry in a table for a given source address. With ACLs it can be used to - restrict access to certain systems through a proxy, for example when combined - with option "http_proxy". + entry in a table for a given source address. It may be used in combination + with 'http-request set-dst' to emulate the older 'option http_proxy'. url_port : integer This extracts the port part from the request's URL. Note that if the port is - not specified in the request, port 80 is assumed. With ACLs it can be used to - restrict access to certain systems through a proxy, for example when combined - with option "http_proxy". + not specified in the request, port 80 is assumed.. urlp([[,]]) : string url_param([[,]]) : string diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg index 117532f512..8b28f6760a 100644 --- a/examples/option-http_proxy.cfg +++ b/examples/option-http_proxy.cfg @@ -17,8 +17,6 @@ frontend test-proxy log global option httplog option dontlognull - option nolinger - option http_proxy maxconn 8000 timeout client 30s @@ -40,12 +38,17 @@ backend test-proxy-srv timeout connect 5s timeout server 5s retries 2 - option nolinger - option http_proxy # layer7: Only GET method is valid acl valid_method method GET http-request deny if !valid_method + # take IP address from URL's authority + # and drop scheme+authority from URI + http-request set-dst url_ip + http-request set-dst-port url_port + http-request set-uri %[pathq] + server next-hop 0.0.0.0 + # layer7: protect bad reply http-response deny if { res.hdr(content-type) audio/mp3 } diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h index 63c0790876..aa3de2cca7 100644 --- a/include/haproxy/proxy-t.h +++ b/include/haproxy/proxy-t.h @@ -112,7 +112,7 @@ enum PR_SRV_STATE_FILE { #define PR_O_TCPCHK_SSL 0x08000000 /* at least one TCPCHECK connect rule requires SSL */ #define PR_O_CONTSTATS 0x10000000 /* continuous counters */ -#define PR_O_HTTP_PROXY 0x20000000 /* Enable stream to use HTTP proxy operations */ +/* unused: 0x20000000 */ #define PR_O_DISABLE404 0x40000000 /* Disable a server on a 404 response to a health-check */ #define PR_O_ORGTO 0x80000000 /* insert x-original-to with destination address */ diff --git a/src/backend.c b/src/backend.c index ceb24a7096..adbd60605a 100644 --- a/src/backend.c +++ b/src/backend.c @@ -792,17 +792,6 @@ int assign_server(struct stream *s) else if (s->be->options & (PR_O_DISPATCH | PR_O_TRANSP)) { s->target = &s->be->obj_type; } - else if ((s->be->options & PR_O_HTTP_PROXY)) { - conn = cs_conn(objt_cs(s->si[1].end)); - - if (conn && conn->dst && is_addr(conn->dst)) { - /* in proxy mode, we need a valid destination address */ - s->target = &s->be->obj_type; - } else { - err = SRV_STATUS_NOSRV; - goto out; - } - } else { err = SRV_STATUS_NOSRV; goto out; @@ -904,10 +893,6 @@ static int alloc_dst_address(struct sockaddr_storage **ss, (cli_conn->dst->ss_family == AF_INET || cli_conn->dst->ss_family == AF_INET6)) **ss = *cli_conn->dst; } - else if (s->be->options & PR_O_HTTP_PROXY) { - /* If HTTP PROXY option is set, then server is already assigned - * during incoming client request parsing. */ - } else { /* no server and no LB algorithm ! */ return SRV_STATUS_INTERNAL; diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c index 0929ba4d8a..483bfa2685 100644 --- a/src/cfgparse-listen.c +++ b/src/cfgparse-listen.c @@ -2024,6 +2024,13 @@ stats_error_parsing: goto out; } + if (strcmp(args[1], "http_proxy") == 0) { + ha_alert("parsing [%s:%d]: option '%s' is not supported any more since HAProxy 2.5. This option stopped working in HAProxy 1.9 and usually had nasty side effects. It can be more reliably implemented with combinations of 'http-request set-dst' and 'http-request set-uri', and even 'http-request do-resolve' if DNS resolution is desired.\n", + file, linenum, args[1]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + if (kwm != KWM_STD) { ha_alert("parsing [%s:%d]: negation/default is not supported for option '%s'.\n", file, linenum, args[1]); diff --git a/src/cfgparse.c b/src/cfgparse.c index fed8f7e591..3ac31fc9bd 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -2579,7 +2579,7 @@ int check_config_validity() err_code |= ERR_WARN; } } - else if (!(curproxy->options & (PR_O_TRANSP | PR_O_DISPATCH | PR_O_HTTP_PROXY))) { + else if (!(curproxy->options & (PR_O_TRANSP | PR_O_DISPATCH))) { /* If no LB algo is set in a backend, and we're not in * transparent mode, dispatch mode nor proxy mode, we * want to use balance roundrobin by default. @@ -2590,11 +2590,9 @@ int check_config_validity() } if (curproxy->options & PR_O_DISPATCH) - curproxy->options &= ~(PR_O_TRANSP | PR_O_HTTP_PROXY); - else if (curproxy->options & PR_O_HTTP_PROXY) - curproxy->options &= ~(PR_O_DISPATCH | PR_O_TRANSP); + curproxy->options &= ~PR_O_TRANSP; else if (curproxy->options & PR_O_TRANSP) - curproxy->options &= ~(PR_O_DISPATCH | PR_O_HTTP_PROXY); + curproxy->options &= ~PR_O_DISPATCH; if ((curproxy->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_HTTP_RS)) { ha_warning("%s '%s' uses http-check rules without 'option httpchk', so the rules are ignored.\n", diff --git a/src/http_ana.c b/src/http_ana.c index 7049263ae0..884ad50421 100644 --- a/src/http_ana.c +++ b/src/http_ana.c @@ -616,42 +616,6 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit) */ htx = htxbuf(&req->buf); - /* - * If HTTP PROXY is set we simply get remote server address parsing - * incoming request. - */ - if ((s->be->options & PR_O_HTTP_PROXY) && !(s->flags & SF_ADDR_SET)) { - struct htx_sl *sl; - struct ist uri, path; - struct http_uri_parser parser; - - if (!sockaddr_alloc(&s->target_addr, NULL, 0)) { - if (!(s->flags & SF_ERR_MASK)) - s->flags |= SF_ERR_RESOURCE; - goto return_int_err; - } - sl = http_get_stline(htx); - uri = htx_sl_req_uri(sl); - parser = http_uri_parser_init(uri); - path = http_parse_path(&parser); - - if (url2sa(uri.ptr, uri.len - path.len, s->target_addr, NULL) == -1) - goto return_bad_req; - - s->target = &s->be->obj_type; - s->flags |= SF_ADDR_SET | SF_ASSIGNED; - - /* if the path was found, we have to remove everything between - * uri.ptr and path.ptr (excluded). If it was not found, we need - * to replace from all the uri by a single "/". - * - * Instead of rewriting the whole start line, we just update - * the star-line URI. Some space will be lost but it should be - * insignificant. - */ - istcpy(&uri, (path.len ? path : ist("/")), uri.len); - } - /* * 7: Now we can work with the cookies. * Note that doing so might move headers in the request, but diff --git a/src/proxy.c b/src/proxy.c index 764207d1d9..f698843690 100644 --- a/src/proxy.c +++ b/src/proxy.c @@ -68,7 +68,6 @@ const struct cfg_opt cfg_opts[] = { "clitcpka", PR_O_TCP_CLI_KA, PR_CAP_FE, 0, 0 }, { "contstats", PR_O_CONTSTATS, PR_CAP_FE, 0, 0 }, { "dontlognull", PR_O_NULLNOLOG, PR_CAP_FE, 0, 0 }, - { "http_proxy", PR_O_HTTP_PROXY, PR_CAP_FE | PR_CAP_BE, 0, PR_MODE_HTTP }, { "http-buffer-request", PR_O_WREQ_BODY, PR_CAP_FE | PR_CAP_BE, 0, PR_MODE_HTTP }, { "http-ignore-probes", PR_O_IGNORE_PRB, PR_CAP_FE, 0, PR_MODE_HTTP }, { "prefer-last-server", PR_O_PREF_LAST, PR_CAP_BE, 0, PR_MODE_HTTP }, -- 2.39.5