[MEDIUM] http: add support for conditional response header rewriting
Just as for the req* rules, we can now condition rsp* rules with ACLs.
ACLs match on response, so volatile request information cannot be used.
A warning is emitted if a configuration contains such an anomaly.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e6cffa9..3c27e8e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3857,7 +3857,7 @@
See also : "option redispatch"
-rspadd <string>
+rspadd <string> [{if | unless} <cond>]
Add a header at the end of the HTTP response
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes
@@ -3866,6 +3866,9 @@
must be escaped using a backslash ('\'). Please refer to section
6 about HTTP header manipulation for more information.
+ <cond> is an optional matching condition built from ACLs. It makes it
+ possible to ignore this rule when other conditions are not met.
+
A new line consisting in <string> followed by a line feed will be added after
the last header of an HTTP response.
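Review bot: the added <cond> paragraph for rspadd leaves out the constraint given in the commit message, that these ACLs match on the response so volatile request information cannot be used, and that a warning is emitted for such a configuration. The same two-line paragraph is repeated for rspdel, rspdeny and rsprep, so a sentence stating this should go into each copy, or into one place that the others reference. The wording "when other conditions are not met" is also vague about which conditions are meant; "when <cond> is not met" would be more precise.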
@@ -3873,11 +3876,12 @@
and not to traffic generated by HAProxy, such as health-checks or error
responses.
- See also: "reqadd" and section 6 about HTTP header manipulation
+ See also: "reqadd", section 6 about HTTP header manipulation, and section 7
+ about ACLs.
-rspdel <search>
-rspidel <search> (ignore case)
+rspdel <search> [{if | unless} <cond>]
+rspidel <search> [{if | unless} <cond>] (ignore case)
Delete all headers matching a regular expression in an HTTP response
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes
@@ -3890,6 +3894,9 @@
The "rspdel" keyword strictly matches case while "rspidel"
ignores case.
+ <cond> is an optional matching condition built from ACLs. It makes it
+ possible to ignore this rule when other conditions are not met.
+
Any header line matching extended regular expression <search> in the response
will be completely deleted. Most common use of this is to remove unwanted
and/or sensible headers or cookies from a response before passing it to the
@@ -3903,12 +3910,12 @@
# remove the Server header from responses
reqidel ^Server:.*
- See also: "rspadd", "rsprep", "reqdel" and section 6 about HTTP header
- manipulation
+ See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
+ manipulation, and section 7 about ACLs.
-rspdeny <search>
-rspideny <search> (ignore case)
+rspdeny <search> [{if | unless} <cond>]
+rspideny <search> [{if | unless} <cond>] (ignore case)
Block an HTTP response if a line matches a regular expression
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes
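Review bot: the example kept as context at the top of this hunk, in the rspdel entry, is commented "remove the Server header from responses" but uses the request keyword: "reqidel ^Server:.*". While this entry is being edited it should be changed to "rspidel ^Server:.*". None of the rsp* entries in the visible hunks gains an example of the new "[{if | unless} <cond>]" form either; one short example per entry, or at least here, would show how the condition is meant to be written.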
@@ -3921,6 +3928,9 @@
The "rspdeny" keyword strictly matches case while "rspideny"
ignores case.
+ <cond> is an optional matching condition built from ACLs. It makes it
+ possible to ignore this rule when other conditions are not met.
+
A response containing any line which matches extended regular expression
<search> will mark the request as denied. The test applies both to the
response line and to response headers. Keep in mind that header names are not
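Review bot: for rspdeny, the added sentence "possible to ignore this rule when other conditions are not met" means the response is passed unblocked whenever <cond> does not match, and the paragraph does not say so. This keyword is documented as a way to keep content from leaking (the ms-word example further down), so the text should state explicitly that a rule whose condition is not met blocks nothing, and that an "unless" condition inverts this. Readers adding a condition to an existing rspdeny rule would then see that they are narrowing the cases in which it applies.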
@@ -3938,12 +3948,12 @@
# Ensure that no content type matching ms-word will leak
rspideny ^Content-type:\.*/ms-word
- See also: "reqdeny", "acl", "block" and section 6 about HTTP header
- manipulation
+ See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
+ and section 7 about ACLs.
-rsprep <search> <string>
-rspirep <search> <string> (ignore case)
+rsprep <search> <string> [{if | unless} <cond>]
+rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Replace a regular expression with a string in an HTTP response line
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes
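Review bot: the rewritten "See also" for rspdeny at the top of this hunk is punctuated and wrapped differently from the other entries in the patch. It reads "section 6 about HTTP header manipulation" then "and section 7 about ACLs." with no comma before "and", while the rspdel and rsprep entries use "manipulation, and section 7 about ACLs." Use one form in all four entries so the cross-references stay uniform.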
@@ -3962,6 +3972,9 @@
being a single digit between 0 and 9. Please refer to section
6 about HTTP header manipulation for more information.
+ <cond> is an optional matching condition built from ACLs. It makes it
+ possible to ignore this rule when other conditions are not met.
+
Any line matching extended regular expression <search> in the response (both
the response line and header lines) will be completely replaced with
<string>. Most common use of this is to rewrite Location headers.
@@ -3976,8 +3989,8 @@
# replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
- See also: "rspadd", "rspdel", "reqrep" and section 6 about HTTP header
- manipulation
+ See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
+ manipulation, and section 7 about ACLs.
server <name> <address>[:port] [param*]