MINOR: log: add a new flag 'L' for locally processed requests
People who use "option dontlog-normal" are bothered with redirects and
stats being logged and reported as errors in the logs ("PR" = proxy
blocked the request).
This patch introduces a new flag 'L' for when a request is locally
processed, that is not considered as an error by the log filters. That
way we know a request was intercepted and processed by haproxy without
logging the line when "option dontlog-normal" is in effect.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 269c129..bd55745 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11651,8 +11651,10 @@
connection limit enforcement, because a DENY filter was matched,
because of a security check which detected and blocked a dangerous
error in server response which might have caused information leak
- (eg: cacheable cookie), or because the response was processed by
- the proxy (redirect, stats, etc...).
+ (eg: cacheable cookie).
+
+ L : the session was locally processed by haproxy and was not passed to
+ a server. This is what happens for stats and redirects.
R : a resource on the proxy has been exhausted (memory, sockets, source
ports, ...). Usually, this appears during the connection phase, and
@@ -11837,6 +11839,9 @@
closer to the average reported "Tw" timer, in order not to consume
resources for just a few attackers.
+ LR The request was intercepted and locally handled by haproxy. Generally
+ it means that this was a redirect or a stats request.
+
SC The server or an equipment between it and haproxy explicitly refused
the TCP connection (the proxy received a TCP RST or an ICMP message
in return). Under some circumstances, it can also be the network
diff --git a/include/types/session.h b/include/types/session.h
index 8fbca53..b6bff57 100644
--- a/include/types/session.h
+++ b/include/types/session.h
@@ -60,19 +60,20 @@
#define SN_TUNNEL 0x00000800 /* tunnel-mode session, nothing to catch after data */
/* session termination conditions, bits values 0x1000 to 0x7000 (0-9 shift 12) */
-#define SN_ERR_NONE 0x00000000
-#define SN_ERR_CLITO 0x00001000 /* client time-out */
-#define SN_ERR_CLICL 0x00002000 /* client closed (read/write error) */
-#define SN_ERR_SRVTO 0x00003000 /* server time-out, connect time-out */
-#define SN_ERR_SRVCL 0x00004000 /* server closed (connect/read/write error) */
-#define SN_ERR_PRXCOND 0x00005000 /* the proxy decided to close (deny...) */
-#define SN_ERR_RESOURCE 0x00006000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
-#define SN_ERR_INTERNAL 0x00007000 /* the proxy encountered an internal error */
-#define SN_ERR_DOWN 0x00008000 /* the proxy killed a session because the backend became unavailable */
-#define SN_ERR_KILLED 0x00009000 /* the proxy killed a session because it was asked to do so */
-#define SN_ERR_UP 0x0000a000 /* the proxy killed a session because a preferred backend became available */
-#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
-#define SN_ERR_SHIFT 12 /* bit shift */
+#define SN_ERR_NONE 0x00000000 /* normal end of request */
+#define SN_ERR_LOCAL 0x00001000 /* the proxy locally processed this request => not an error */
+#define SN_ERR_CLITO 0x00002000 /* client time-out */
+#define SN_ERR_CLICL 0x00003000 /* client closed (read/write error) */
+#define SN_ERR_SRVTO 0x00004000 /* server time-out, connect time-out */
+#define SN_ERR_SRVCL 0x00005000 /* server closed (connect/read/write error) */
+#define SN_ERR_PRXCOND 0x00006000 /* the proxy decided to close (deny...) */
+#define SN_ERR_RESOURCE 0x00007000 /* the proxy encountered a lack of a local resources (fd, mem, ...) */
+#define SN_ERR_INTERNAL 0x00008000 /* the proxy encountered an internal error */
+#define SN_ERR_DOWN 0x00009000 /* the proxy killed a session because the backend became unavailable */
+#define SN_ERR_KILLED 0x0000a000 /* the proxy killed a session because it was asked to do so */
+#define SN_ERR_UP 0x0000b000 /* the proxy killed a session because a preferred backend became available */
+#define SN_ERR_MASK 0x0000f000 /* mask to get only session error flags */
+#define SN_ERR_SHIFT 12 /* bit shift */
/* session state at termination, bits values 0x10000 to 0x70000 (0-7 shift 16) */
#define SN_FINST_R 0x00010000 /* session ended during client request */
diff --git a/src/log.c b/src/log.c
index 020c381..627351f 100644
--- a/src/log.c
+++ b/src/log.c
@@ -54,7 +54,7 @@
"warning", "notice", "info", "debug"
};
-const char sess_term_cond[16] = "-cCsSPRIDKUIIIII"; /* normal, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
+const char sess_term_cond[16] = "-LcCsSPRIDKUIIII"; /* normal, Local, CliTo, CliErr, SrvTo, SrvErr, PxErr, Resource, Internal, Down, Killed, Up, -- */
const char sess_fin_state[8] = "-RCHDLQT"; /* cliRequest, srvConnect, srvHeader, Data, Last, Queue, Tarpit */
@@ -1516,9 +1516,11 @@
int size, err, level;
/* if we don't want to log normal traffic, return now */
- err = (s->flags & (SN_ERR_MASK | SN_REDISP)) ||
- (s->req->cons->conn_retries != s->be->conn_retries) ||
- ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
+ err = (s->flags & SN_REDISP) ||
+ ((s->flags & SN_ERR_MASK) > SN_ERR_LOCAL) ||
+ (((s->flags & SN_ERR_MASK) == SN_ERR_NONE) &&
+ (s->req->cons->conn_retries != s->be->conn_retries)) ||
+ ((s->fe->mode == PR_MODE_HTTP) && s->txn.status >= 500);
if (!err && (s->fe->options2 & PR_O2_NOLOGNORM))
return;
diff --git a/src/proto_http.c b/src/proto_http.c
index d4e93e5..c6ead3b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -830,7 +830,7 @@
si->state = SI_ST_CLO;
/* send the message */
- http_server_error(s, si, SN_ERR_PRXCOND, SN_FINST_C, 302, &trash);
+ http_server_error(s, si, SN_ERR_LOCAL, SN_FINST_C, 302, &trash);
/* FIXME: we should increase a counter of redirects per server and per backend. */
srv_inc_sess_ctr(srv);
@@ -2529,6 +2529,8 @@
/* we fail this request, let's return 503 service unavail */
txn->status = 503;
stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_503));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
goto return_prx_cond;
}
}
@@ -2536,6 +2538,8 @@
/* nothing to fail, let's reply normaly */
txn->status = 200;
stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_200));
+ if (!(s->flags & SN_ERR_MASK))
+ s->flags |= SN_ERR_LOCAL; /* we don't want a real error here */
goto return_prx_cond;
}
@@ -3031,7 +3035,7 @@
s->fe->fe_counters.intercepted_req++;
if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;
req->analysers = 0;
@@ -3060,7 +3064,7 @@
s->fe->fe_counters.intercepted_req++;
if (!(s->flags & SN_ERR_MASK)) // this is not really an error but it is
- s->flags |= SN_ERR_PRXCOND; // to mark that it comes from the proxy
+ s->flags |= SN_ERR_LOCAL; // to mark that it comes from the proxy
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;
@@ -3375,7 +3379,7 @@
}
if (!(s->flags & SN_ERR_MASK))
- s->flags |= SN_ERR_PRXCOND;
+ s->flags |= SN_ERR_LOCAL;
if (!(s->flags & SN_FINST_MASK))
s->flags |= SN_FINST_R;