[DOC] document all req* and rsp* keywords.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2d6081c..84ebc0e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2238,6 +2238,350 @@
See also : "option redispatch"
+reqadd <string>
+ Add a header at the end of the HTTP request
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <string> is the complete line to be added. Any space or known delimiter
+ must be escaped using a backslash ('\'). Please refer to section
+ 2.6 about HTTP header manipulation for more information.
+
+ A new line consisting in <string> followed by a line feed will be added after
+ the last header of an HTTP request.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses.
+
+ See also: "rspadd" and section 2.6 about HTTP header manipulation
+
+
+reqallow <search>
+reqiallow <search> (ignore case)
+ Definitely allow an HTTP request if a line matches a regular expression
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The
+ "reqallow" keyword strictly matches case while "reqiallow"
+ ignores case.
+
+ A request containing any line which matches extended regular expression
+ <search> will mark the request as allowed, even if any later test would
+ result in a deny. The test applies both to the request line and to request
+ headers. Keep in mind that URLs in request line are case-sensitive while
+ header names are not.
+
+ It is easier, faster and more powerful to use ACLs to write access policies.
+ Reqdeny, reqallow and reqpass should be avoided in new designs.
+
+ Example :
+ # allow www.* but refuse *.local
+ reqiallow ^Host:\ www\.
+ reqideny ^Host:\ .*\.local
+
+ See also: "reqdeny", "acl", "block" and section 2.6 about HTTP header
+ manipulation
+
+
+reqdel <search>
+reqidel <search> (ignore case)
+ Delete all headers matching a regular expression in an HTTP request
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The "reqdel"
+ keyword strictly matches case while "reqidel" ignores case.
+
+ Any header line matching extended regular expression <search> in the request
+ will be completely deleted. Most common use of this is to remove unwanted
+ and/or dangerous headers or cookies from a request before passing it to the
+ next servers.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses. Keep in mind that header names are not case-sensitive.
+
+ Example :
+ # remove X-Forwarded-For header and SERVER cookie
+ reqidel ^X-Forwarded-For:.*
+ reqidel ^Cookie:.*SERVER=
+
+ See also: "reqadd", "reqrep", "rspdel" and section 2.6 about HTTP header
+ manipulation
+
+
+reqdeny <search>
+reqideny <search> (ignore case)
+ Deny an HTTP request if a line matches a regular expression
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The
+ "reqdeny" keyword strictly matches case while "reqideny" ignores
+ case.
+
+ A request containing any line which matches extended regular expression
+ <search> will mark the request as denied, even if any later test would
+ result in an allow. The test applies both to the request line and to request
+ headers. Keep in mind that URLs in request line are case-sensitive while
+ header names are not.
+
+ It is easier, faster and more powerful to use ACLs to write access policies.
+ Reqdeny, reqallow and reqpass should be avoided in new designs.
+
+ Example :
+ # refuse *.local, then allow www.*
+ reqideny ^Host:\ .*\.local
+ reqiallow ^Host:\ www\.
+
+ See also: "reqallow", "rspdeny", "acl", "block" and section 2.6 about HTTP
+ header manipulation
+
+
+reqpass <search>
+reqipass <search> (ignore case)
+ Ignore any HTTP request line matching a regular expression in next rules
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The
+ "reqpass" keyword strictly matches case while "reqipass" ignores
+ case.
+
+ A request containing any line which matches extended regular expression
+ <search> will skip next rules, without assigning any deny or allow verdict.
+ The test applies both to the request line and to request headers. Keep in
+ mind that URLs in request line are case-sensitive while header names are not.
+
+ It is easier, faster and more powerful to use ACLs to write access policies.
+ Reqdeny, reqallow and reqpass should be avoided in new designs.
+
+ Example :
+ # refuse *.local, then allow www.*, but ignore "www.private.local"
+ reqipass ^Host:\ www.private\.local
+ reqideny ^Host:\ .*\.local
+ reqiallow ^Host:\ www\.
+
+ See also: "reqallow", "reqdeny", "acl", "block" and section 2.6 about HTTP
+ header manipulation
+
+
+reqrep <search> <string>
+reqirep <search> <string> (ignore case)
+ Replace a regular expression with a string in an HTTP request line
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The "reqrep"
+ keyword strictly matches case while "reqirep" ignores case.
+
+ <string> is the complete line to be added. Any space or known delimiter
+ must be escaped using a backslash ('\'). References to matched
+ pattern groups are possible using the common \N form, with N
+ being a single digit between 0 and 9. Please refer to section
+ 2.6 about HTTP header manipulation for more information.
+
+ Any line matching extended regular expression <search> in the request (both
+ the request line and header lines) will be completely replaced with <string>.
+ Most common use of this is to rewrite URLs or domain names in "Host" headers.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses. Note that for increased readability, it is suggested to add enough
+ spaces between the request and the response. Keep in mind that URLs in
+ request line are case-sensitive while header names are not.
+
+ Example :
+ # replace "/static/" with "/" at the beginning of any request path.
+ reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
+ # replace "www.mydomain.com" with "www" in the host name.
+ reqirep ^Host:\ www.mydomain.com Host:\ www
+
+ See also: "reqadd", "reqdel", "rsprep" and section 2.6 about HTTP header
+ manipulation
+
+
+reqtarpit <search>
+reqitarpit <search> (ignore case)
+ Tarpit an HTTP request containing a line matching a regular expression
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ request line. This is an extended regular expression. Parenthesis
+ grouping is supported and no preliminary backslash is required.
+ Any space or known delimiter must be escaped using a backslash
+ ('\'). The pattern applies to a full line at a time. The
+ "reqtarpit" keyword strictly matches case while "reqitarpit"
+ ignores case.
+
+ A request containing any line which matches extended regular expression
+ <search> will be tarpitted, which means that it will connect to nowhere, will
+ be kept open for a pre-defined time, then will return an HTTP error 500. The
+ delay is defined by "timeout tarpit", or "timeout connect" if the former is
+ not set.
+
+ The goal of the tarpit is to slow down robots attacking servers with
+ identifiable requests. Many robots limit their outgoing number of connections
+ and stay connected waiting for a reply which can take several minutes to
+ come. Depending on the environment and attack, it may be particularly
+ efficient at reducing the load on the network and firewalls.
+
+ Example :
+ # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
+ # block all others.
+ reqipass ^User-Agent:\.*(Mozilla|MSIE)
+ reqitarpit ^User-Agent:
+
+ See also: "reqallow", "reqdeny", "reqpass", and section 2.6 about HTTP header
+ manipulation
+
+
+rspadd <string>
+ Add a header at the end of the HTTP response
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <string> is the complete line to be added. Any space or known delimiter
+ must be escaped using a backslash ('\'). Please refer to section
+ 2.6 about HTTP header manipulation for more information.
+
+ A new line consisting in <string> followed by a line feed will be added after
+ the last header of an HTTP response.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses.
+
+ See also: "reqadd" and section 2.6 about HTTP header manipulation
+
+
+rspdel <search>
+rspidel <search> (ignore case)
+ Delete all headers matching a regular expression in an HTTP response
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ response line. This is an extended regular expression, so
+ parenthesis grouping is supported and no preliminary backslash
+ is required. Any space or known delimiter must be escaped using
+ a backslash ('\'). The pattern applies to a full line at a time.
+ The "rspdel" keyword strictly matches case while "rspidel"
+ ignores case.
+
+ Any header line matching extended regular expression <search> in the response
+ will be completely deleted. Most common use of this is to remove unwanted
+ and/or sensible headers or cookies from a response before passing it to the
+ client.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses. Keep in mind that header names are not case-sensitive.
+
+ Example :
+ # remove the Server header from responses
+ reqidel ^Server:.*
+
+ See also: "rspadd", "rsprep", "reqdel" and section 2.6 about HTTP header
+ manipulation
+
+
+rspdeny <search>
+rspideny <search> (ignore case)
+ Block an HTTP response if a line matches a regular expression
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ response line. This is an extended regular expression, so
+ parenthesis grouping is supported and no preliminary backslash
+ is required. Any space or known delimiter must be escaped using
+ a backslash ('\'). The pattern applies to a full line at a time.
+ The "rspdeny" keyword strictly matches case while "rspideny"
+ ignores case.
+
+ A response containing any line which matches extended regular expression
+ <search> will mark the request as denied. The test applies both to the
+ response line and to response headers. Keep in mind that header names are not
+ case-sensitive.
+
+ Main use of this keyword is to prevent sensitive information leak and to
+ block the response before it reaches the client. If a response is denied,
+ it will be replaced with an HTTP 502 error so that the client never gets
+ the sensitive data.
+
+ It is easier, faster and more powerful to use ACLs to write access policies.
+ Rspdeny should be avoided in new designs.
+
+ Example :
+ # Ensure that no content type matching ms-word will leak
+ rspideny ^Content-type:\.*/ms-word
+
+ See also: "reqdeny", "acl", "block" and section 2.6 about HTTP header
+ manipulation
+
+
+rsprep <search> <string>
+rspirep <search> <string> (ignore case)
+ Replace a regular expression with a string in an HTTP response line
+ May be used in sections : defaults | frontend | listen | backend
+ no | yes | yes | yes
+ Arguments :
+ <search> is the regular expression applied to HTTP headers and to the
+ response line. This is an extended regular expression, so
+ parenthesis grouping is supported and no preliminary backslash
+ is required. Any space or known delimiter must be escaped using
+ a backslash ('\'). The pattern applies to a full line at a time.
+ The "rsprep" keyword strictly matches case while "rspirep"
+ ignores case.
+
+ <string> is the complete line to be added. Any space or known delimiter
+ must be escaped using a backslash ('\'). References to matched
+ pattern groups are possible using the common \N form, with N
+ being a single digit between 0 and 9. Please refer to section
+ 2.6 about HTTP header manipulation for more information.
+
+ Any line matching extended regular expression <search> in the response (both
+ the response line and header lines) will be completely replaced with
+ <string>. Most common use of this is to rewrite Location headers.
+
+ Header transformations only apply to traffic which passes through HAProxy,
+ and not to traffic generated by HAProxy, such as health-checks or error
+ responses. Note that for increased readability, it is suggested to add enough
+ spaces between the request and the response. Keep in mind that header names
+ are not case-sensitive.
+
+ Example :
+ # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
+ rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
+
+ See also: "rspadd", "rspdel", "reqrep" and section 2.6 about HTTP header
+ manipulation
+
+
server <name> <address>[:port] [param*]
Declare a server in a backend
May be used in sections : defaults | frontend | listen | backend