MEDIUM: proxy: remove long-broken 'option http_proxy'
This option had always been broken in HTX, which means that the first
breakage appeared in 1.9, that it was broken by default in 2.0 and that
no workaround existed starting with 2.1. The way this option works is
praticularly unfit to the rest of the configuration and to the internal
architecture. It had some uses when it was introduced 14 years ago but
nowadays it's possible to do much better and more reliable using a
set of "http-request set-dst" and "http-request set-uri" rules, which
additionally are compatible with DNS resolution (via do-resolve) and
are not exclusive to normal load balancing. The "option-http_proxy"
example config file was updated to reflect this.
The option is still parsed so that an error message gives hints about
what to look for.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index a64244e..2e08367 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3607,7 +3607,6 @@
option httpchk X - X X
option httpclose (*) X X X X
option httplog X X X -
-option http_proxy (*) X X X X
option independent-streams (*) X X X X
option ldap-check X - X X
option external-check X - X X
@@ -4002,7 +4001,7 @@
might be a URL parameter list. This is probably not a concern with SGML
type message bodies.
- See also : "dispatch", "cookie", "transparent", "hash-type" and "http_proxy".
+ See also : "dispatch", "cookie", "transparent", "hash-type".
bind [<address>]:<port_range> [, ...] [param*]
@@ -8857,36 +8856,6 @@
See also : section 8 about logging.
-option http_proxy
-no option http_proxy
- Enable or disable plain HTTP proxy mode
- May be used in sections : defaults | frontend | listen | backend
- yes | yes | yes | yes
- Arguments : none
-
- It sometimes happens that people need a pure HTTP proxy which understands
- basic proxy requests without caching nor any fancy feature. In this case,
- it may be worth setting up an HAProxy instance with the "option http_proxy"
- set. In this mode, no server is declared, and the connection is forwarded to
- the IP address and port found in the URL after the "http://" scheme.
-
- No host address resolution is performed, so this only works when pure IP
- addresses are passed. Since this option's usage perimeter is rather limited,
- it will probably be used only by experts who know they need exactly it. This
- is incompatible with the HTTP tunnel mode.
-
- If this option has been enabled in a "defaults" section, it can be disabled
- in a specific instance by prepending the "no" keyword before it.
-
- Example :
- # this backend understands HTTP proxy requests and forwards them directly.
- backend direct_forward
- option httpclose
- option http_proxy
-
- See also : "option httpclose"
-
-
option independent-streams
no option independent-streams
Enable or disable independent timeout processing for both directions
@@ -19941,15 +19910,12 @@
presented as an IP address. Its use is very limited. For instance, a
monitoring system might use this field as an alternative for the source IP in
order to test what path a given source address would follow, or to force an
- entry in a table for a given source address. With ACLs it can be used to
- restrict access to certain systems through a proxy, for example when combined
- with option "http_proxy".
+ entry in a table for a given source address. It may be used in combination
+ with 'http-request set-dst' to emulate the older 'option http_proxy'.
url_port : integer
This extracts the port part from the request's URL. Note that if the port is
- not specified in the request, port 80 is assumed. With ACLs it can be used to
- restrict access to certain systems through a proxy, for example when combined
- with option "http_proxy".
+ not specified in the request, port 80 is assumed..
urlp([<name>[,<delim>]]) : string
url_param([<name>[,<delim>]]) : string
diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg
index 117532f..8b28f67 100644
--- a/examples/option-http_proxy.cfg
+++ b/examples/option-http_proxy.cfg
@@ -17,8 +17,6 @@
log global
option httplog
option dontlognull
- option nolinger
- option http_proxy
maxconn 8000
timeout client 30s
@@ -40,12 +38,17 @@
timeout connect 5s
timeout server 5s
retries 2
- option nolinger
- option http_proxy
# layer7: Only GET method is valid
acl valid_method method GET
http-request deny if !valid_method
+ # take IP address from URL's authority
+ # and drop scheme+authority from URI
+ http-request set-dst url_ip
+ http-request set-dst-port url_port
+ http-request set-uri %[pathq]
+ server next-hop 0.0.0.0
+
# layer7: protect bad reply
http-response deny if { res.hdr(content-type) audio/mp3 }
diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h
index 63c0790..aa3de2c 100644
--- a/include/haproxy/proxy-t.h
+++ b/include/haproxy/proxy-t.h
@@ -112,7 +112,7 @@
#define PR_O_TCPCHK_SSL 0x08000000 /* at least one TCPCHECK connect rule requires SSL */
#define PR_O_CONTSTATS 0x10000000 /* continuous counters */
-#define PR_O_HTTP_PROXY 0x20000000 /* Enable stream to use HTTP proxy operations */
+/* unused: 0x20000000 */
#define PR_O_DISABLE404 0x40000000 /* Disable a server on a 404 response to a health-check */
#define PR_O_ORGTO 0x80000000 /* insert x-original-to with destination address */
diff --git a/src/backend.c b/src/backend.c
index ceb24a7..adbd606 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -792,17 +792,6 @@
else if (s->be->options & (PR_O_DISPATCH | PR_O_TRANSP)) {
s->target = &s->be->obj_type;
}
- else if ((s->be->options & PR_O_HTTP_PROXY)) {
- conn = cs_conn(objt_cs(s->si[1].end));
-
- if (conn && conn->dst && is_addr(conn->dst)) {
- /* in proxy mode, we need a valid destination address */
- s->target = &s->be->obj_type;
- } else {
- err = SRV_STATUS_NOSRV;
- goto out;
- }
- }
else {
err = SRV_STATUS_NOSRV;
goto out;
@@ -904,10 +893,6 @@
(cli_conn->dst->ss_family == AF_INET || cli_conn->dst->ss_family == AF_INET6))
**ss = *cli_conn->dst;
}
- else if (s->be->options & PR_O_HTTP_PROXY) {
- /* If HTTP PROXY option is set, then server is already assigned
- * during incoming client request parsing. */
- }
else {
/* no server and no LB algorithm ! */
return SRV_STATUS_INTERNAL;
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 0929ba4..483bfa2 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -2024,6 +2024,13 @@
goto out;
}
+ if (strcmp(args[1], "http_proxy") == 0) {
+ ha_alert("parsing [%s:%d]: option '%s' is not supported any more since HAProxy 2.5. This option stopped working in HAProxy 1.9 and usually had nasty side effects. It can be more reliably implemented with combinations of 'http-request set-dst' and 'http-request set-uri', and even 'http-request do-resolve' if DNS resolution is desired.\n",
+ file, linenum, args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
if (kwm != KWM_STD) {
ha_alert("parsing [%s:%d]: negation/default is not supported for option '%s'.\n",
file, linenum, args[1]);
diff --git a/src/cfgparse.c b/src/cfgparse.c
index fed8f7e..3ac31fc 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2579,7 +2579,7 @@
err_code |= ERR_WARN;
}
}
- else if (!(curproxy->options & (PR_O_TRANSP | PR_O_DISPATCH | PR_O_HTTP_PROXY))) {
+ else if (!(curproxy->options & (PR_O_TRANSP | PR_O_DISPATCH))) {
/* If no LB algo is set in a backend, and we're not in
* transparent mode, dispatch mode nor proxy mode, we
* want to use balance roundrobin by default.
@@ -2590,11 +2590,9 @@
}
if (curproxy->options & PR_O_DISPATCH)
- curproxy->options &= ~(PR_O_TRANSP | PR_O_HTTP_PROXY);
- else if (curproxy->options & PR_O_HTTP_PROXY)
- curproxy->options &= ~(PR_O_DISPATCH | PR_O_TRANSP);
+ curproxy->options &= ~PR_O_TRANSP;
else if (curproxy->options & PR_O_TRANSP)
- curproxy->options &= ~(PR_O_DISPATCH | PR_O_HTTP_PROXY);
+ curproxy->options &= ~PR_O_DISPATCH;
if ((curproxy->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_HTTP_RS)) {
ha_warning("%s '%s' uses http-check rules without 'option httpchk', so the rules are ignored.\n",
diff --git a/src/http_ana.c b/src/http_ana.c
index 7049263..884ad50 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -617,42 +617,6 @@
htx = htxbuf(&req->buf);
/*
- * If HTTP PROXY is set we simply get remote server address parsing
- * incoming request.
- */
- if ((s->be->options & PR_O_HTTP_PROXY) && !(s->flags & SF_ADDR_SET)) {
- struct htx_sl *sl;
- struct ist uri, path;
- struct http_uri_parser parser;
-
- if (!sockaddr_alloc(&s->target_addr, NULL, 0)) {
- if (!(s->flags & SF_ERR_MASK))
- s->flags |= SF_ERR_RESOURCE;
- goto return_int_err;
- }
- sl = http_get_stline(htx);
- uri = htx_sl_req_uri(sl);
- parser = http_uri_parser_init(uri);
- path = http_parse_path(&parser);
-
- if (url2sa(uri.ptr, uri.len - path.len, s->target_addr, NULL) == -1)
- goto return_bad_req;
-
- s->target = &s->be->obj_type;
- s->flags |= SF_ADDR_SET | SF_ASSIGNED;
-
- /* if the path was found, we have to remove everything between
- * uri.ptr and path.ptr (excluded). If it was not found, we need
- * to replace from all the uri by a single "/".
- *
- * Instead of rewriting the whole start line, we just update
- * the star-line URI. Some space will be lost but it should be
- * insignificant.
- */
- istcpy(&uri, (path.len ? path : ist("/")), uri.len);
- }
-
- /*
* 7: Now we can work with the cookies.
* Note that doing so might move headers in the request, but
* the fields will stay coherent and the URI will not move.
diff --git a/src/proxy.c b/src/proxy.c
index 764207d..f698843 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -68,7 +68,6 @@
{ "clitcpka", PR_O_TCP_CLI_KA, PR_CAP_FE, 0, 0 },
{ "contstats", PR_O_CONTSTATS, PR_CAP_FE, 0, 0 },
{ "dontlognull", PR_O_NULLNOLOG, PR_CAP_FE, 0, 0 },
- { "http_proxy", PR_O_HTTP_PROXY, PR_CAP_FE | PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-buffer-request", PR_O_WREQ_BODY, PR_CAP_FE | PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-ignore-probes", PR_O_IGNORE_PRB, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "prefer-last-server", PR_O_PREF_LAST, PR_CAP_BE, 0, PR_MODE_HTTP },