MEDIUM: http: add a new "http-response" ruleset
Some actions were clearly missing to process response headers. This
patch adds a new "http-response" ruleset which provides the following
actions :
- allow : stop evaluating http-response rules
- deny : stop and reject the response with a 502
- add-header : add a header in log-format mode
- set-header : set a header in log-format mode
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
index 12e446f..6190e6c 100644
--- a/include/types/proto_http.h
+++ b/include/types/proto_http.h
@@ -236,6 +236,7 @@
HTTP_AUTH_DIGEST,
};
+/* actions for "http-request" */
enum {
HTTP_REQ_ACT_UNKNOWN = 0,
HTTP_REQ_ACT_ALLOW,
@@ -248,6 +249,16 @@
HTTP_REQ_ACT_MAX /* must always be last */
};
+/* actions for "http-response" */
+enum {
+ HTTP_RES_ACT_UNKNOWN = 0,
+ HTTP_RES_ACT_ALLOW,
+ HTTP_RES_ACT_DENY,
+ HTTP_RES_ACT_ADD_HDR,
+ HTTP_RES_ACT_SET_HDR,
+ HTTP_RES_ACT_MAX /* must always be last */
+};
+
/*
* All implemented return codes
*/
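Review bot: The new `HTTP_RES_ACT_*` constants have no per-value comments, so the behaviour that distinguishes them is recorded only in the commit message and is lost to readers of the header. I would annotate the two terminal actions: `HTTP_RES_ACT_ALLOW, /* stop evaluating http-response rules */` and `HTTP_RES_ACT_DENY, /* stop and reject the response with a 502 */`. `HTTP_RES_ACT_UNKNOWN = 0` is the value a zero-filled rule would carry, so its comment could say that the evaluator must treat it as invalid rather than as an implicit allow. Whether the parser already rejects it is not visible in this hunk.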
@@ -360,6 +371,19 @@
} arg; /* arguments used by some actions */
};
+struct http_res_rule {
+ struct list list;
+ struct acl_cond *cond; /* acl condition to meet */
+ unsigned int action; /* HTTP_RES_* */
+ union {
+ struct {
+ char *name; /* header name */
+ int name_len; /* header name's length */
+ struct list fmt; /* log-format compatible expression */
+ } hdr_add; /* args used by "add-header" and "set-header" */
+ } arg; /* arguments used by some actions */
+};
+
/* This is an HTTP transaction. It contains both a request message and a
* response message (which can be empty).
*/
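Review bot: `arg` in `struct http_res_rule` is a union discriminated by `action`, but nothing on the struct says that `hdr_add` is meaningful only for the two header actions. For `allow` and `deny` rules, `name` and the `fmt` list head would hold no valid value. A comment above the struct such as `/* one "http-response" rule; arg.hdr_add is valid only for HTTP_RES_ACT_ADD_HDR and HTTP_RES_ACT_SET_HDR */` would make that contract explicit for any code that walks or releases rules. The `action` comment should read `/* HTTP_RES_ACT_* */` to match the enum prefix this patch adds. Because the header value is built at run time from a log-format expression, the comment on `fmt` should also state whether the expanded value is guaranteed to be free of CR/LF before it is written into the response; the code that evaluates `fmt` is not in this hunk.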
diff --git a/include/types/proxy.h b/include/types/proxy.h
index 273fb8b..e6bc755 100644
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -211,7 +211,8 @@
char *name; /* default backend name during config parse */
} defbe;
struct list acl; /* ACL declared on this proxy */
- struct list http_req_rules; /* HTTP request rules: allow/deny/http-auth */
+ struct list http_req_rules; /* HTTP request rules: allow/deny/... */
+ struct list http_res_rules; /* HTTP response rules: allow/deny/... */
struct list block_cond; /* early blocking conditions (chained) */
struct list redirect_rules; /* content redirecting rules (chained) */
struct list switching_rules; /* content switching rules (chained) */