MEDIUM: spoe: Add support of ACLs to enable or disable sending of SPOE messages
Now, it is possible to conditionally send a SPOE message by adding an ACL-based
condition on the "event" line, in a "spoe-message" section. Here is the example
coming from the SPOE documentation:

    spoe-message get-ip-reputation
        args ip=src
        event on-client-session if ! { src -f /etc/haproxy/whitelist.lst }

To avoid mixing with proxy's ACLs, each SPOE message has its private ACL list. It
is possible to declare named ACLs in "spoe-message" section, using the same syntax
as for proxies. So we can rewrite the previous example to use a named ACL:

    spoe-message get-ip-reputation
        args ip=src
        acl ip-whitelisted src -f /etc/haproxy/whitelist.lst
        event on-client-session if ! ip-whitelisted

ACL-based conditions are executed in the context of the stream that handles the
client and the server connections.
diff --git a/doc/SPOE.txt b/doc/SPOE.txt
index 0f6ed14..611b228 100644
--- a/doc/SPOE.txt
+++ b/doc/SPOE.txt
@@ -1,7 +1,7 @@
-----------------------------------------------
Stream Processing Offload Engine (SPOE)
- Version 1.1
- ( Last update: 2017-02-27 )
+ Version 1.2
+ ( Last update: 2017-09-22 )
-----------------------------------------------
Author : Christopher Faulet
Contact : cfaulet at haproxy dot com
@@ -351,12 +351,20 @@
Here you define a message that can be referenced in a "spoe-agent"
section. Following keywords are supported :
+ - acl
- args
- event
See also: "spoe-agent" section.
+acl <aclname> <criterion> [flags] [operator] <value> ...
+
+ Declare or complete an access list.
+
+ See section 7 about ACL usage in the HAProxy Configuration Manual.
+
+
args [name=]<sample> ...
Define arguments passed into the SPOE message.
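Review bot: The new "acl" entry does not state the scope of the declared ACL. The commit message says each SPOE message has its private ACL list, kept separate from the proxy's ACLs, but the added text only says "Declare or complete an access list." and points to section 7 of the Configuration Manual, where ACLs are described in the proxy context. Please add a sentence here saying that ACLs declared in a "spoe-message" section are private to that message, so a reader does not assume a name defined in a frontend or backend can be reused in the "event" condition.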
@@ -371,11 +379,17 @@
args frontend=fe_id src dst
-event <name>
- Set the event that triggers sending of the message.
+event <name> [ { if | unless } <condition> ]
+ Set the event that triggers sending of the message. It may optionally be
+ followed by an ACL-based condition, in which case it will only be evaluated
+ if the condition is true.
- Argument :
- <name> is the event name.
+ ACL-based conditions are executed in the context of the stream that handle
+ the client and the server connections.
+
+ Arguments :
+ <name> is the event name.
+ <condition> is a standard ACL-based condition.
Supported events are:
- on-client-session
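Review bot: In the new "event" description, "in which case it will only be evaluated if the condition is true" has no clear referent for "it" and reads as if the event or the condition is what gets evaluated. What is conditional, per the commit subject, is the sending of the message, so something like "in which case the message is only sent if the condition is true" would be unambiguous. Also in the same hunk, "the stream that handle" should be "the stream that handles".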
@@ -387,7 +401,8 @@
- on-backend-http-request
- on-http-response
- See section "Events & Messages".
+ See section "Events & Messages" for more details about supported events.
+ See section 7 about ACL usage in the HAProxy Configuration Manual.
2.4. Example
-------------
@@ -441,7 +456,7 @@
spoe-message get-ip-reputation
args ip=src
- event on-client-session
+ event on-client-session if ! { src -f /etc/haproxy/whitelist.lst }
3. SPOP specification
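Review bot: The updated example in section 2.4 only shows the anonymous form of the condition, "if ! { src -f /etc/haproxy/whitelist.lst }". The commit message also gives the named-ACL variant ("acl ip-whitelisted src -f /etc/haproxy/whitelist.lst" followed by "event on-client-session if ! ip-whitelisted"), and the "acl" keyword is the other half of what this patch documents. Consider showing that variant in the documentation as well, so the new keyword has at least one usage example in SPOE.txt.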