From beaef9b02110053a4ccd24bbe6ff708aa76fcb55 Mon Sep 17 00:00:00 2001 From: Miika Kankare Date: Sat, 16 Jun 2018 21:46:35 +0300 Subject: [PATCH 1/3] Replace tcp_request with separate variables for content, connection, inspect_delay and session. Add relevant parts to backend, listen and frontend --- templates/etc/haproxy/backend.cfg.j2 | 10 ++++++++++ templates/etc/haproxy/frontend.cfg.j2 | 19 +++++++++++++++++-- templates/etc/haproxy/listen.cfg.j2 | 20 ++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/templates/etc/haproxy/backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 index e3e9cd24..20150e59 100644 --- a/templates/etc/haproxy/backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 @@ -87,6 +87,16 @@ backend {{ backend.name }} {% endfor %} +{% for tcp_request_inspect_delay in frontend.tcp_request_inspect_delay | default([]) %} + tcp-request inspect-delay {{ tcp_request_inspect_delay.timeout }} + +{% endfor %} + +{% for tcp_request_content in frontend.tcp_request_content | default([]) %} + tcp-request content {{ tcp_request_content.action }}{% if tcp_request_content.cond is defined %} {{ tcp_request_content.cond }}{% endif %} + +{% endfor %} + {% for http_response in backend.http_response | default([]) %} http-response {{ http_response.action }}{% if http_response.param is defined %} {{ http_response.param }}{% endif %}{% if http_response.cond is defined %} {{ http_response.cond }}{% endif %} diff --git a/templates/etc/haproxy/frontend.cfg.j2 b/templates/etc/haproxy/frontend.cfg.j2 index 48adce3b..69af77b2 100644 --- a/templates/etc/haproxy/frontend.cfg.j2 +++ b/templates/etc/haproxy/frontend.cfg.j2 
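Review bot: `tcp-request inspect-delay` is a single per-proxy setting, yet the first added loop iterates `tcp_request_inspect_delay` as a list of `timeout` items, so two entries in the inventory render two `inspect-delay` lines in one backend. As far as I recall HAProxy keeps only one of them and warns about the repeat, so the effective content-inspection window can differ from what the operator reads in the vars. A scalar would express the intent, e.g. `{% if backend.tcp_request_inspect_delay is defined %}` followed by `tcp-request inspect-delay {{ backend.tcp_request_inspect_delay }}`. The same loop shape appears in the frontend and listen hunks. This hunk also reads `frontend.` inside the backend template, which patch 3/3 of this series corrects; the backend section itself continues outside the hunk.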
@@ -61,8 +61,23 @@ frontend {{ frontend.name }} {% endfor %} -{% for tcp_request in frontend.tcp_request | default([]) %} - tcp-request {{ tcp_request.action }}{% if tcp_request.param is defined %} {{ tcp_request.param }}{% endif %}{% if tcp_request.cond is defined %} {{ tcp_request.cond }}{% endif %} +{% for tcp_request_inspect_delay in frontend.tcp_request_inspect_delay | default([]) %} + tcp-request inspect-delay {{ tcp_request_inspect_delay.timeout }} + +{% endfor %} + +{% for tcp_request_connection in frontend.tcp_request_connection | default([]) %} + tcp-request connection {{ tcp_request_connection.action }}{% if tcp_request_connection.cond is defined %} {{ tcp_request_connection.cond }}{% endif %} + +{% endfor %} + +{% for tcp_request_content in frontend.tcp_request_content | default([]) %} + tcp-request content {{ tcp_request_content.action }}{% if tcp_request_content.cond is defined %} {{ tcp_request_content.cond }}{% endif %} + +{% endfor %} + +{% for tcp_request_session in frontend.tcp_request_session | default([]) %} + tcp-request session {{ tcp_request_session.action }}{% if tcp_request_session.cond is defined %} {{ tcp_request_session.cond }}{% endif %} {% endfor %} diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2 index 62235515..e60b7641 100644 --- a/templates/etc/haproxy/listen.cfg.j2 +++ b/templates/etc/haproxy/listen.cfg.j2 
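Review bot: Removing the `frontend.tcp_request` loop with no fallback means an inventory that still sets `haproxy_frontend.{n}.tcp_request` renders no `tcp-request` lines after upgrading, and nothing fails. Where those entries carried reject or similar admission rules, the frontend silently loses them. Either keep the old loop for a deprecation period (`{% for tcp_request in frontend.tcp_request | default([]) %}` with its original body) or have the role fail early when the old key is still defined. The removed `param` field has no successor either, so the documentation should state that parameters presumably now go into `action`. The frontend section continues outside the hunk.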
@@ -89,6 +89,26 @@ listen {{ listen.name }} {% endfor %} +{% for tcp_request_inspect_delay in frontend.tcp_request_inspect_delay | default([]) %} + tcp-request inspect-delay {{ tcp_request_inspect_delay.timeout }} + +{% endfor %} + +{% for tcp_request_connection in frontend.tcp_request_connection | default([]) %} + tcp-request connection {{ tcp_request_connection.action }}{% if tcp_request_connection.cond is defined %} {{ tcp_request_connection.cond }}{% endif %} + +{% endfor %} + +{% for tcp_request_content in frontend.tcp_request_content | default([]) %} + tcp-request content {{ tcp_request_content.action }}{% if tcp_request_content.cond is defined %} {{ tcp_request_content.cond }}{% endif %} + +{% endfor %} + +{% for tcp_request_session in frontend.tcp_request_session | default([]) %} + tcp-request session {{ tcp_request_session.action }}{% if tcp_request_session.cond is defined %} {{ tcp_request_session.cond }}{% endif %} + +{% endfor %} + {% for http_response in listen.http_response | default([]) %} http-response {{ http_response.action }}{% if http_response.param is defined %} {{ http_response.param }}{% endif %}{% if http_response.cond is defined %} {{ http_response.cond }}{% endif %} From 1019b0d5c08b9f086b4cfc09fc0d8982e07e165d Mon Sep 17 00:00:00 2001 From: Miika Kankare Date: Sat, 16 Jun 2018 22:03:05 +0300 Subject: [PATCH 2/3] Document the newly added options --- README.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e154ba53..e093f946 100644 --- a/README.md +++ b/README.md 
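Review bot: The added loops render `connection`, then `content`, then `session`, whereas HAProxy evaluates connection rules first, session rules next and content rules last, whatever their order in the file. Emitting the `tcp_request_session` loop before the `tcp_request_content` loop would let the generated section read in evaluation order, which helps when someone audits which accept or reject rule fires first. The frontend hunk uses the same ordering. The loops here iterate `frontend.` inside the listen template, which patch 3/3 corrects, and the listen section continues outside the hunk.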
@@ -112,6 +112,17 @@ Set up (the latest version of) [HAProxy](http://www.haproxy.org/) in Ubuntu syst * `haproxy_listen.{n}.http_response.{n}.action`: [required]: The rules action (e.g. `del-header`) * `haproxy_listen.{n}.http_response.{n}.param`: [optional]: The complete line to be added (e.g. `X-Varnish`) * `haproxy_listen.{n}.http_response.{n}.cond`: [optional]: A matching condition built from ACLs +* `haproxy_listen.{n}.tcp_request_content`: [optional]: Perform an action on a new session depending on a layer 4-7 condition. +* `haproxy_listen.{n}.tcp_request_content.{n}.action`: [required]: The action for the `tcp-request content` rule. +* `haproxy_listen.{n}.tcp_request_content.{n}.cond`: [optional]: A matching condition for the `tcp-request content` rule. +* `haproxy_listen.{n}.tcp_request_connection`: [optional]: Perform an action on an incoming connection depending on a layer 4 condition. +* `haproxy_listen.{n}.tcp_request_connection.{n}.action`: [required]: The action for the `tcp-request connection` rule. +* `haproxy_listen.{n}.tcp_request_connection.{n}.cond`: [optional]: A matching condition for the `tcp-request connection` rule. +* `haproxy_listen.{n}.tcp_request_session`: [optional]: Perform an action on a validated session depending on a layer 5 condition. +* `haproxy_listen.{n}.tcp_request_session.{n}.action`: [required]: The action for the `tcp-request session` rule. +* `haproxy_listen.{n}.tcp_request_session.{n}.cond`: [optional]: A matching condition for the `tcp-request session` rule. +* `haproxy_listen.{n}.tcp_request_inspect_delay`: [optional]: Set the maximum allowed time to wait for data during content inspection. +* `haproxy_listen.{n}.tcp_request_inspect_delay.{n}.timeout`: [required]: The timeout value in millisecond for the `tcp-request inspect-delay` rule. 
* `haproxy_listen.{n}.stats`: [optional]: Stats declarations * `haproxy_listen.{n}.stats.enable`: [required]: Enables statistics reporting with default settings * `haproxy_listen.{n}.stats.uri`: [optional, default `/`]: Define the URI prefix to access statistics 
@@ -177,7 +188,17 @@ Set up (the latest version of) [HAProxy](http://www.haproxy.org/) in Ubuntu syst * `haproxy_frontend.{n}.http_response.{n}.action`: [required]: The rules action (e.g. `del-header`) * `haproxy_frontend.{n}.http_response.{n}.param`: [optional]: The complete line to be added (e.g. `X-Varnish`) * `haproxy_frontend.{n}.http_response.{n}.cond`: [optional]: A matching condition built from ACLs -* `haproxy_frontend.{n}.tcp_request`: [optional]: Perform an action on a new session depending on a layer 4-7 condition. (e.g. `content captureparam req.ssl_sni len 50`) +* `haproxy_frontend.{n}.tcp_request_content`: [optional]: Perform an action on a new session depending on a layer 4-7 condition. +* `haproxy_frontend.{n}.tcp_request_content.{n}.action`: [required]: The action for the `tcp-request content` rule. +* `haproxy_frontend.{n}.tcp_request_content.{n}.cond`: [optional]: A matching condition for the `tcp-request content` rule. +* `haproxy_frontend.{n}.tcp_request_connection`: [optional]: Perform an action on an incoming connection depending on a layer 4 condition. +* `haproxy_frontend.{n}.tcp_request_connection.{n}.action`: [required]: The action for the `tcp-request connection` rule. +* `haproxy_frontend.{n}.tcp_request_connection.{n}.cond`: [optional]: A matching condition for the `tcp-request connection` rule. +* `haproxy_frontend.{n}.tcp_request_session`: [optional]: Perform an action on a validated session depending on a layer 5 condition. +* `haproxy_frontend.{n}.tcp_request_session.{n}.action`: [required]: The action for the `tcp-request session` rule. +* `haproxy_frontend.{n}.tcp_request_session.{n}.cond`: [optional]: A matching condition for the `tcp-request session` rule. +* `haproxy_frontend.{n}.tcp_request_inspect_delay`: [optional]: Set the maximum allowed time to wait for data during content inspection. 
+* `haproxy_frontend.{n}.tcp_request_inspect_delay.{n}.timeout`: [required]: The timeout value in millisecond for the `tcp-request inspect-delay` rule. * `haproxy_frontend.{n}.use_backend`: [optional]: Switch to a specific backend if/unless a Layer 7 condition is matched. (e.g. '%[req.hdr(host),lower,map_dom(/etc/haproxy/haproxy_backend.map,bk_default)]' or `['foo-backend if is_foo', 'bar-backend if is_bar']`) * `haproxy_frontend.{n}.default_backend`: [optional]: The backend to use when no `"use_backend"` rule has been matched (e.g. `webservers`) * `haproxy_frontend.{n}.rspadd`: [optional]: Adds headers at the end of the HTTP response @@ -234,6 +255,11 @@ Set up (the latest version of) [HAProxy](http://www.haproxy.org/) in Ubuntu syst * `haproxy_backend.{n}.http_response.{n}.action`: [required]: The rules action (e.g. `del-header`) * `haproxy_backend.{n}.http_response.{n}.param`: [optional]: The complete line to be added (e.g. `X-Varnish`) * `haproxy_backend.{n}.http_response.{n}.cond`: [optional]: A matching condition built from ACLs +* `haproxy_backend.{n}.tcp_request_content`: [optional]: Perform an action on a new session depending on a layer 4-7 condition. +* `haproxy_backend.{n}.tcp_request_content.{n}.action`: [required]: The action for the `tcp-request content` rule. +* `haproxy_backend.{n}.tcp_request_content.{n}.cond`: [optional]: A matching condition for the `tcp-request content` rule. +* `haproxy_backend.{n}.tcp_request_inspect_delay`: [optional]: Set the maximum allowed time to wait for data during content inspection. +* `haproxy_backend.{n}.tcp_request_inspect_delay.{n}.timeout`: [required]: The timeout value in millisecond for the `tcp-request inspect-delay` rule. * `haproxy_backend.{n}.stats`: [optional]: Stats declarations * `haproxy_backend.{n}.stats.enable`: [required]: Enables statistics reporting with default settings * `haproxy_backend.{n}.stats.uri`: [optional, default `/`]: Define the URI prefix to access statistics 
From 4c834e259417940bf7ba1e18513ca027c7bd5acb Mon Sep 17 00:00:00 2001 From: Miika Kankare Date: Sat, 16 Jun 2018 23:07:42 +0300 Subject: [PATCH 3/3] Oops, fix variable names --- templates/etc/haproxy/backend.cfg.j2 | 4 ++-- templates/etc/haproxy/listen.cfg.j2 | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/etc/haproxy/backend.cfg.j2 b/templates/etc/haproxy/backend.cfg.j2 index 20150e59..5d20da34 100644 --- a/templates/etc/haproxy/backend.cfg.j2 +++ b/templates/etc/haproxy/backend.cfg.j2 @@ -87,12 +87,12 @@ backend {{ backend.name }} {% endfor %} -{% for tcp_request_inspect_delay in frontend.tcp_request_inspect_delay | default([]) %} +{% for tcp_request_inspect_delay in backend.tcp_request_inspect_delay | default([]) %} tcp-request inspect-delay {{ tcp_request_inspect_delay.timeout }} {% endfor %} -{% for tcp_request_content in frontend.tcp_request_content | default([]) %} +{% for tcp_request_content in backend.tcp_request_content | default([]) %} tcp-request content {{ tcp_request_content.action }}{% if tcp_request_content.cond is defined %} {{ tcp_request_content.cond }}{% endif %} {% endfor %} diff --git a/templates/etc/haproxy/listen.cfg.j2 b/templates/etc/haproxy/listen.cfg.j2 index e60b7641..950ab97d 100644 --- a/templates/etc/haproxy/listen.cfg.j2 +++ b/templates/etc/haproxy/listen.cfg.j2 
@@ -89,22 +89,22 @@ listen {{ listen.name }} {% endfor %} -{% for tcp_request_inspect_delay in frontend.tcp_request_inspect_delay | default([]) %} +{% for tcp_request_inspect_delay in listen.tcp_request_inspect_delay | default([]) %} tcp-request inspect-delay {{ tcp_request_inspect_delay.timeout }} {% endfor %} -{% for tcp_request_connection in frontend.tcp_request_connection | default([]) %} +{% for tcp_request_connection in listen.tcp_request_connection | default([]) %} tcp-request connection {{ tcp_request_connection.action }}{% if tcp_request_connection.cond is defined %} {{ tcp_request_connection.cond }}{% endif %} {% endfor %} -{% for tcp_request_content in frontend.tcp_request_content | default([]) %} +{% for tcp_request_content in listen.tcp_request_content | default([]) %} tcp-request content {{ tcp_request_content.action }}{% if tcp_request_content.cond is defined %} {{ tcp_request_content.cond }}{% endif %} {% endfor %} -{% for tcp_request_session in frontend.tcp_request_session | default([]) %} +{% for tcp_request_session in listen.tcp_request_session | default([]) %} tcp-request session {{ tcp_request_session.action }}{% if tcp_request_session.cond is defined %} {{ tcp_request_session.cond }}{% endif %} {% endfor %}