MEDIUM: proxy: remove obsolete "monitor-net"
As discussed here during 2.1-dev, "monitor-net" is totally obsolete:
https://www.mail-archive.com/haproxy@formilux.org/msg35204.html
It's fundamentally incompatible with usage of SSL, and imposes the
presence of file descriptors with hard-coded syscalls directly in the
generic accept path.
It's very unlikely that anyone has used it in the last 10 years for
anything beyond testing. In the worst case, if anyone depends on it,
replacing it with "http-request return status 200 if ..." and
"mode http" would certainly do the trick.
The keyword is still detected as special by the config parser to help
users update their configurations appropriately.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index b55a807..8b165f8 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2985,7 +2985,6 @@
maxconn X X X -
mode X X X X
monitor fail - X X -
-monitor-net X X X -
monitor-uri X X X -
option abortonclose (*) X - X X
option accept-invalid-http-request (*) X X X -
@@ -7158,50 +7157,9 @@
monitor-uri /site_alive
monitor fail if site_dead
- See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
+ See also : "monitor-uri", "errorfile", "errorloc"
-monitor-net <source>
- Declare a source network which is limited to monitor requests
- May be used in sections : defaults | frontend | listen | backend
- yes | yes | yes | no
- Arguments :
- <source> is the source IPv4 address or network which will only be able to
- get monitor responses to any request. It can be either an IPv4
- address, a host name, or an address followed by a slash ('/')
- followed by a mask.
-
- In TCP mode, any connection coming from a source matching <source> will cause
- the connection to be immediately closed without any log. This allows another
- equipment to probe the port and verify that it is still listening, without
- forwarding the connection to a remote server.
-
- In HTTP mode, a connection coming from a source matching <source> will be
- accepted, the following response will be sent without waiting for a request,
- then the connection will be closed : "HTTP/1.0 200 OK". This is normally
- enough for any front-end HTTP probe to detect that the service is UP and
- running without forwarding the request to a backend server. Note that this
- response is sent in raw format, without any transformation. This is important
- as it means that it will not be SSL-encrypted on SSL listeners.
-
- Monitor requests are processed very early, just after tcp-request connection
- ACLs which are the only ones able to block them. These connections are short
- lived and never wait for any data from the client. They cannot be logged, and
- it is the intended purpose. They are only used to report HAProxy's health to
- an upper component, nothing more. Please note that "monitor fail" rules do
- not apply to connections intercepted by "monitor-net".
-
- Last, please note that only one "monitor-net" statement can be specified in
- a frontend. If more than one is found, only the last one will be considered.
-
- Example :
- # addresses .252 and .253 are just probing us.
- frontend www
- monitor-net 192.168.0.252/31
-
- See also : "monitor fail", "monitor-uri"
-
-
monitor-uri <uri>
Intercept a URI used by external components' monitor requests
May be used in sections : defaults | frontend | listen | backend
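Review bot: the removed section documented two behaviours that the suggested replacement does not reproduce one-for-one, and nothing in the remaining documentation tells users this: in TCP mode the connection was closed immediately without a log line, and in HTTP mode the "HTTP/1.0 200 OK" was sent raw, before any request and unencrypted even on SSL listeners. Since the keyword is now a fatal configuration error, suggest adding a short migration paragraph (under "monitor-uri" or "http-request return") stating that the equivalent is `mode http` plus `http-request return status 200 if { src <net> }`, that the reply is now produced by the HTTP layer (so it is TLS-encrypted on SSL listeners and waits for a complete request), and that such probes are logged unless `http-request set-log-level silent` is added as the logging section now recommends.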
@@ -7238,7 +7196,7 @@
mode http
monitor-uri /haproxy_test
- See also : "monitor fail", "monitor-net"
+ See also : "monitor fail"
option abortonclose
@@ -7555,7 +7513,7 @@
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
- See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
+ See also : "log", "http-ignore-probes", "monitor-uri", and
section 8 about logging.
@@ -19321,11 +19279,8 @@
setting "option dontlognull" in the frontend. It also disables logging of
port scans, which may or may not be desired.
- - if the connection come from a known source network, use "monitor-net" to
- declare this network as monitoring only. Any host in this network will then
- only be able to perform health checks, and their requests will not be
- logged. This is generally appropriate to designate a list of equipment
- such as other load-balancers.
+ - it is possible to use the "http-request set-log-level silent" action using
+ a variety of conditions (source networks, paths, user-agents, etc).
- if the tests are performed on a known URI, use "monitor-uri" to declare
this URI as dedicated to monitoring. Any host sending this request will
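Review bot: the replacement bullet narrows the advice compared to the removed one: the old item said hosts in the network would only be able to perform health checks (their connections were never forwarded) and would not be logged, whereas `http-request set-log-level silent` only suppresses logging and, as an http-request action, only applies in HTTP mode. Suggest stating that it is meant to be combined with `http-request return status 200 if { src <net> }` (the replacement the commit message and the parser alert point to) so the probe is still answered locally, and that a TCP-mode frontend needs `mode http` for either action to apply.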
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 2181c81..c29328c 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -90,7 +90,7 @@
#define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
#define LI_O_TCP_L4_RULES 0x0010 /* run TCP L4 rules checks on the incoming connection */
#define LI_O_TCP_L5_RULES 0x0020 /* run TCP L5 rules checks on the incoming session */
-#define LI_O_CHK_MONNET 0x0040 /* check the source against a monitor-net rule */
+/* unused 0x0040 */
#define LI_O_ACC_PROXY 0x0080 /* find the proxied address in the first request line */
#define LI_O_UNLIMITED 0x0100 /* listener not subject to global limits (peers & stats socket) */
#define LI_O_TCP_FO 0x0200 /* enable TCP Fast Open (linux >= 3.7) */
diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h
index 18f6d55..09eb9bc 100644
--- a/include/haproxy/proxy-t.h
+++ b/include/haproxy/proxy-t.h
@@ -253,7 +253,6 @@
int options; /* PR_O_REDISP, PR_O_TRANSP, ... */
int options2; /* PR_O2_* */
int max_out_conns; /* Max number of idling connections we keep for a session */
- struct in_addr mon_net, mon_mask; /* don't forward connections from this net (network order) FIXME: should support IPv6 */
unsigned int ck_opts; /* PR_CK_* (cookie options) */
unsigned int fe_req_ana, be_req_ana; /* bitmap of common request protocol analysers for the frontend and backend */
unsigned int fe_rsp_ana, be_rsp_ana; /* bitmap of common response protocol analysers for the frontend and backend */
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index 211c4b6..97a97e7 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -369,8 +369,6 @@
curproxy->timeout.tarpit = defproxy.timeout.tarpit;
curproxy->timeout.httpreq = defproxy.timeout.httpreq;
curproxy->timeout.httpka = defproxy.timeout.httpka;
- curproxy->mon_net = defproxy.mon_net;
- curproxy->mon_mask = defproxy.mon_mask;
if (defproxy.monitor_uri)
curproxy->monitor_uri = strdup(defproxy.monitor_uri);
curproxy->monitor_uri_len = defproxy.monitor_uri_len;
@@ -662,17 +660,8 @@
goto out;
}
else if (!strcmp(args[0], "monitor-net")) { /* set the range of IPs to ignore */
- if (!*args[1] || !str2net(args[1], 1, &curproxy->mon_net, &curproxy->mon_mask)) {
- ha_alert("parsing [%s:%d] : '%s' expects address[/mask].\n",
- file, linenum, args[0]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
- if (warnifnotcap(curproxy, PR_CAP_FE, file, linenum, args[0], NULL))
- err_code |= ERR_WARN;
-
- /* flush useless bits */
- curproxy->mon_net.s_addr &= curproxy->mon_mask.s_addr;
+ ha_alert("parsing [%s:%d] : 'monitor-net' doesn't exist anymore. Please use 'http-request return status 200 if { src %s }' instead.\n", file, linenum, args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
else if (!strcmp(args[0], "monitor-uri")) { /* set the URI to intercept */
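Review bot: `args[1]` is interpolated into the alert unconditionally, but the removed check (`!*args[1]`) shows the argument can be empty, in which case the hint reads `if { src  }`, which is not a valid suggestion. Suggest `*args[1] ? args[1] : "<address[/mask]>"` or omitting the `src` part when the argument is missing. The trailing comment on the `else if` line, `/* set the range of IPs to ignore */`, now describes behaviour that no longer exists and should say the keyword is rejected with a migration hint. Also consider wrapping the new `ha_alert` call across lines as the removed one was, to match the surrounding style. Dropping `warnifnotcap` is fine since the error is fatal anyway.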
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 902fc0e..cda2590 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -3726,9 +3726,6 @@
if (!LIST_ISEMPTY(&curproxy->tcp_req.l5_rules))
listener->options |= LI_O_TCP_L5_RULES;
- if (curproxy->mon_mask.s_addr)
- listener->options |= LI_O_CHK_MONNET;
-
/* smart accept mode is automatic in HTTP mode */
if ((curproxy->options2 & PR_O2_SMARTACC) ||
((curproxy->mode == PR_MODE_HTTP || listener->bind_conf->is_ssl) &&
diff --git a/src/session.c b/src/session.c
index ab023b4..da271cf 100644
--- a/src/session.c
+++ b/src/session.c
@@ -190,30 +190,6 @@
goto out_free_sess;
}
- /* monitor-net and health mode are processed immediately after TCP
- * connection rules. This way it's possible to block them, but they
- * never use the lower data layers, they send directly over the socket,
- * as they were designed for. We first flush the socket receive buffer
- * in order to avoid emission of an RST by the system. We ignore any
- * error.
- */
- if (unlikely(((l->options & LI_O_CHK_MONNET) &&
- addr->ss_family == AF_INET &&
- (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr))) {
- /* we have 4 possibilities here :
- * - HTTP mode, from monitoring address => send "HTTP/1.0 200 OK"
- * - HEALTH mode with HTTP check => send "HTTP/1.0 200 OK"
- * - HEALTH mode without HTTP check => just send "OK"
- * - TCP mode from monitoring address => just close
- */
- if (l->rx.proto->drain)
- l->rx.proto->drain(cfd);
- if (p->mode == PR_MODE_HTTP)
- send(cfd, "HTTP/1.0 200 OK\r\n\r\n", 19, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE);
- ret = 0;
- goto out_free_sess;
- }
-
/* Adjust some socket options */
if (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6) {
setsockopt(cfd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one));
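Review bot: the removed comment spoke of "monitor-net and health mode" and listed HEALTH-mode cases, but the condition only tested `LI_O_CHK_MONNET`, so no health-mode behaviour is lost by this removal; the raw `send()` on `cfd` that bypassed the SSL layer is exactly what the commit message objects to. Worth checking whether `l->rx.proto->drain` still has any caller after this hunk; if this was the last one, the callback and its implementations could be removed in a follow-up.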