MEDIUM: Make 'block' directive fatal
It was deprecated with HAProxy 1.5. Time to remove it.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3e402fb..62f02af 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2342,7 +2342,6 @@
balance X - X X
bind - X X -
bind-process X X X X
-block (deprecated) - X X X
capture cookie - X X -
capture request header - X X -
capture response header - X X -
@@ -2993,35 +2992,6 @@
See also : "nbproc" in global section, and "process" in section 5.1.
-block { if | unless } <condition> (deprecated)
- Block a layer 7 request if/unless a condition is matched
- May be used in sections : defaults | frontend | listen | backend
- no | yes | yes | yes
-
- The HTTP request will be blocked very early in the layer 7 processing
- if/unless <condition> is matched. A 403 error will be returned if the request
- is blocked. The condition has to reference ACLs (see section 7). This is
- typically used to deny access to certain sensitive resources if some
- conditions are met or not met. There is no fixed limit to the number of
- "block" statements per instance. To block connections at layer 4 (without
- sending a 403 error) see "tcp-request connection reject" and
- "tcp-request content reject" rules.
-
- This form is deprecated, do not use it in any new configuration, use the new
- "http-request deny" instead.
-
- Example:
- acl invalid_src src 0.0.0.0/7 224.0.0.0/3
- acl invalid_src src_port 0:1023
- acl local_dst hdr(host) -i localhost
- # block is deprecated. Use http-request deny instead:
- #block if invalid_src || local_dst
- http-request deny if invalid_src || local_dst
-
- See also : section 7 about ACL usage, "http-request deny",
- "http-response deny", "tcp-request connection reject" and
- "tcp-request content reject".
-
capture cookie <name> len <length>
Capture and log a cookie in the request and in the response.
May be used in sections : defaults | frontend | listen | backend
diff --git a/include/types/global.h b/include/types/global.h
index f9ab4c2..fb0c5e1 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -249,7 +249,7 @@
extern int atexit_flag;
/* bit values to go with "warned" above */
-#define WARN_BLOCK_DEPRECATED 0x00000001
+/* unassigned : 0x00000001 (previously: WARN_BLOCK_DEPRECATED) */
/* unassigned : 0x00000002 */
#define WARN_REDISPATCH_DEPRECATED 0x00000004
#define WARN_CLITO_DEPRECATED 0x00000008
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 6c18bfc..5fd8ecf 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -1546,33 +1546,11 @@
curproxy->server_id_hdr_name = strdup(args[1]);
curproxy->server_id_hdr_len = strlen(curproxy->server_id_hdr_name);
}
- else if (!strcmp(args[0], "block")) { /* early blocking based on ACLs */
- struct act_rule *rule;
-
- if (curproxy == &defproxy) {
- ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-
- /* emulate "block" using "http-request block". Since these rules are supposed to
- * be processed before all http-request rules, we put them into their own list
- * and will insert them at the end.
- */
- rule = parse_http_req_cond((const char **)args, file, linenum, curproxy);
- if (!rule) {
- err_code |= ERR_ALERT | ERR_ABORT;
- goto out;
- }
- err_code |= warnif_misplaced_block(curproxy, file, linenum, args[0]);
- err_code |= warnif_cond_conflicts(rule->cond,
- (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR,
- file, linenum);
- LIST_ADDQ(&curproxy->block_rules, &rule->list);
-
- if (!already_warned(WARN_BLOCK_DEPRECATED))
- ha_warning("parsing [%s:%d] : The '%s' directive is now deprecated in favor of 'http-request deny' which uses the exact same syntax. The rules are translated but support might disappear in a future version.\n", file, linenum, args[0]);
+ else if (!strcmp(args[0], "block")) {
+ ha_alert("parsing [%s:%d] : The '%s' directive is not supported anymore since HAProxy 2.1. Use 'http-request deny' which uses the exact same syntax.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
}
else if (!strcmp(args[0], "redirect")) {
struct redirect_rule *rule;
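Review bot: The new alert in the `block` branch says `http-request deny` "uses the exact same syntax" but is silent on evaluation order, while the removed comment states that block rules were "processed before all http-request rules" via their own list. An operator who fixes the fatal error by swapping the keyword in place may end up with a deny rule that sits after an earlier terminating rule such as `http-request allow`, so a request that used to get a 403 could now pass. I would add the ordering hint to the message, e.g. `... Use 'http-request deny' which uses the exact same syntax, and place it before other 'http-request' rules since 'block' was always evaluated first.\n`. Separately, this hunk drops the only visible users of `curproxy->block_rules` and `warnif_misplaced_block()`; if nothing else references them they are presumably dead code now and worth removing in the same series. The enclosing parser function starts and ends outside the hunk.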