Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / bbba2a8ecc35daf99317aaff7015c1931779c33b^! / . / src / proto_http.c
commitbbba2a8ecc35daf99317aaff7015c1931779c33b[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Mon Apr 28 13:57:26 2014 +0200
committerWilly Tarreau <w@1wt.eu>Mon Apr 28 18:46:20 2014 +0200
treec753fcfc293458743073d3f325e5271148892a1e
parent5e9edce0f009bb92ac746052dd3f6d271a77d34b [diff] [blame]
MEDIUM: http: jump to dedicated labels after http-request processing

Continue the cleanup of http-request post-processing to remove some
of the interleaved tests. Here we set up a few labels to deal with
the deny and tarpit actions and avoid interleaved ifs.

diff --git a/src/proto_http.c b/src/proto_http.c
index b233fd9..84274c8 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c

@@ -3760,9 +3760,6 @@
 		return 0;
 	}
 
-	req->analysers &= ~an_bit;
-	req->analyse_exp = TICK_ETERNITY;
-
 	DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n",
 		now_ms, __FUNCTION__,
 		s,
@@ -3796,6 +3793,13 @@
 	/* evaluate http-request rules */
 	http_req_last_rule = http_req_get_intercept_rule(px, &px->http_req_rules, s, txn);
 
+	if (txn->flags & (TX_CLDENY|TX_CLTARPIT)) {
+		if (txn->flags & TX_CLDENY)
+			goto deny;
+		else
+			goto tarpit;
+	}
+
 	/* evaluate stats http-request rules only if http-request is OK */
 	if (!http_req_last_rule) {
 		if (stats_check_uri(s->rep->prod, txn, px)) {
@@ -3812,56 +3816,23 @@
 			/* parse the whole stats request and extract the relevant information */
 			http_handle_stats(s, req);
 			http_req_last_rule = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, txn);
+
+			/* we can still get a deny on the stats page */
+			if (txn->flags & TX_CLDENY)
+				goto deny;
 		}
 	}
 
-	/* only apply req{,i}{rep/deny/tarpit} if the request was not yet
-	 * blocked by an http-request rule.
-	 */
-	if (!(txn->flags & (TX_CLDENY|TX_CLTARPIT)) && (px->req_exp != NULL)) {
+	/* evaluate the req* rules except reqadd */
+	if (px->req_exp != NULL) {
 		if (apply_filters_to_request(s, req, px) < 0)
 			goto return_bad_req;
-	}
 
-	/* return a 403 if either rule has blocked */
-	if (txn->flags & (TX_CLDENY|TX_CLTARPIT)) {
-		if (txn->flags & TX_CLDENY) {
-			txn->status = 403;
-			s->logs.tv_request = now;
-			stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_403));
-			session_inc_http_err_ctr(s);
-			s->fe->fe_counters.denied_req++;
-			if (s->fe != s->be)
-				s->be->be_counters.denied_req++;
-			if (s->listener->counters)
-				s->listener->counters->denied_req++;
-			goto return_prx_cond;
-		}
+		if (txn->flags & TX_CLDENY)
+			goto deny;
 
-		/* When a connection is tarpitted, we use the tarpit timeout,
-		 * which may be the same as the connect timeout if unspecified.
-		 * If unset, then set it to zero because we really want it to
-		 * eventually expire. We build the tarpit as an analyser.
-		 */
-		if (txn->flags & TX_CLTARPIT) {
-			channel_erase(s->req);
-			/* wipe the request out so that we can drop the connection early
-			 * if the client closes first.
-			 */
-			channel_dont_connect(req);
-			req->analysers = 0; /* remove switching rules etc... */
-			req->analysers |= AN_REQ_HTTP_TARPIT;
-			req->analyse_exp = tick_add_ifset(now_ms,  s->be->timeout.tarpit);
-			if (!req->analyse_exp)
-				req->analyse_exp = tick_add(now_ms, 0);
-			session_inc_http_err_ctr(s);
-			s->fe->fe_counters.denied_req++;
-			if (s->fe != s->be)
-				s->be->be_counters.denied_req++;
-			if (s->listener->counters)
-				s->listener->counters->denied_req++;
-			return 1;
-		}
+		if (txn->flags & TX_CLTARPIT)
+			goto tarpit;
 	}
 
 	/* Until set to anything else, the connection mode is set as Keep-Alive. It will
@@ -3874,7 +3845,6 @@
 	 * one is non-null, or one of them is non-null and we are there for the first
 	 * time.
 	 */
-
 	if (!(txn->flags & TX_HDR_CONN_PRS) ||
 	    ((s->fe->options & PR_O_HTTP_MODE) != (s->be->options & PR_O_HTTP_MODE))) {
 		int tmp = TX_CON_WANT_KAL;
@@ -3952,14 +3922,11 @@
 	if (http_req_last_rule && http_req_last_rule->action == HTTP_REQ_ACT_REDIR) {
 		if (!http_apply_redirect_rule(http_req_last_rule->arg.redir, s, txn))
 			goto return_bad_req;
-		req->analyse_exp = TICK_ETERNITY;
-		return 1;
+		goto done;
 	}
 
-	if (http_req_last_rule && http_req_last_rule->action == HTTP_REQ_ACT_CUSTOM_STOP) {
-		req->analyse_exp = TICK_ETERNITY;
-		return 1;
-	}
+	if (http_req_last_rule && http_req_last_rule->action == HTTP_REQ_ACT_CUSTOM_STOP)
+		goto done;
 
 	/* add request headers from the rule sets in the same order */
 	list_for_each_entry(wl, &px->req_add, list) {
@@ -3986,8 +3953,6 @@
 		if (!(s->flags & SN_FINST_MASK))
 			s->flags |= SN_FINST_R;
 
-		req->analyse_exp = TICK_ETERNITY;
-
 		/* we may want to compress the stats page */
 		if (s->fe->comp || s->be->comp)
 			select_compression_request_header(s, req->buf);
@@ -3995,7 +3960,7 @@
 		/* enable the minimally required analyzers to handle keep-alive and compression on the HTTP response */
 		req->analysers = (req->analysers & AN_REQ_HTTP_BODY) |
 		                 AN_REQ_HTTP_XFER_BODY | AN_RES_WAIT_HTTP | AN_RES_HTTP_PROCESS_BE | AN_RES_HTTP_XFER_BODY;
-		return 1;
+		goto done;
 	}
 
 	/* check whether we have some ACLs set to redirect this request */
@@ -4012,9 +3977,7 @@
 		}
 		if (!http_apply_redirect_rule(rule, s, txn))
 			goto return_bad_req;
-
-		req->analyse_exp = TICK_ETERNITY;
-		return 1;
+		goto done;
 	}
 
 	/* POST requests may be accompanied with an "Expect: 100-Continue" header.
@@ -4026,9 +3989,50 @@
 	 */
 	req->flags |= CF_SEND_DONTWAIT;
 
-	/* that's OK for us now, let's move on to next analysers */
+ done:	/* done with this analyser, continue with next ones that the calling
+	 * points will have set, if any.
+	 */
+	req->analysers &= ~an_bit;
+	req->analyse_exp = TICK_ETERNITY;
 	return 1;
 
+ tarpit:
+	/* When a connection is tarpitted, we use the tarpit timeout,
+	 * which may be the same as the connect timeout if unspecified.
+	 * If unset, then set it to zero because we really want it to
+	 * eventually expire. We build the tarpit as an analyser.
+	 */
+	channel_erase(s->req);
+
+	/* wipe the request out so that we can drop the connection early
+	 * if the client closes first.
+	 */
+	channel_dont_connect(req);
+	req->analysers = 0; /* remove switching rules etc... */
+	req->analysers |= AN_REQ_HTTP_TARPIT;
+	req->analyse_exp = tick_add_ifset(now_ms,  s->be->timeout.tarpit);
+	if (!req->analyse_exp)
+		req->analyse_exp = tick_add(now_ms, 0);
+	session_inc_http_err_ctr(s);
+	s->fe->fe_counters.denied_req++;
+	if (s->fe != s->be)
+		s->be->be_counters.denied_req++;
+	if (s->listener->counters)
+		s->listener->counters->denied_req++;
+	goto done;
+
+ deny:	/* this request was blocked (denied) */
+	txn->status = 403;
+	s->logs.tv_request = now;
+	stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_403));
+	session_inc_http_err_ctr(s);
+	s->fe->fe_counters.denied_req++;
+	if (s->fe != s->be)
+		s->be->be_counters.denied_req++;
+	if (s->listener->counters)
+		s->listener->counters->denied_req++;
+	goto return_prx_cond;
+
  return_bad_req:
 	/* We centralize bad requests processing here */
 	if (unlikely(msg->msg_state == HTTP_MSG_ERROR) || msg->err_pos >= 0) {