commit fdb563c06fd57b509efed5532c7449ee25e2bc4b
author Willy Tarreau <w@1wt.eu> Sun Jan 31 15:43:27 2010 +0100
committer Willy Tarreau <w@1wt.eu> Sun Jan 31 15:43:27 2010 +0100
tree 0f8b186ac867391527db30fc52b1cc8d3b360eb1
parent 8abd4cd526cabe5d7c84d80c27088e715142742e

[MEDIUM] http: add support for conditional response header rewriting

Just as for the req* rules, we can now condition rsp* rules with ACLs.
ACLs match on response, so volatile request information cannot be used.
A warning is emitted if a configuration contains such an anomaly.

doc/configuration.txt

diff --git a/doc/configuration.txt b/doc/configuration.txt
index e6cffa9..3c27e8e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3857,7 +3857,7 @@
   See also : "option redispatch"
 
 
-rspadd <string>
+rspadd <string> [{if | unless} <cond>]
   Add a header at the end of the HTTP response
   May be used in sections :   defaults | frontend | listen | backend
                                  no    |    yes   |   yes  |   yes
@@ -3866,6 +3866,9 @@
               must be escaped using a backslash ('\'). Please refer to section
               6 about HTTP header manipulation for more information.
 
+    <cond>    is an optional matching condition built from ACLs. It makes it
+              possible to ignore this rule when other conditions are not met.
+
   A new line consisting in <string> followed by a line feed will be added after
   the last header of an HTTP response.
 
@@ -3873,11 +3876,12 @@
   and not to traffic generated by HAProxy, such as health-checks or error
   responses.
 
-  See also: "reqadd" and section 6 about HTTP header manipulation
+  See also: "reqadd", section 6 about HTTP header manipulation, and section 7
+            about ACLs.
 
 
-rspdel  <search>
-rspidel <search>  (ignore case)
+rspdel  <search> [{if | unless} <cond>]
+rspidel <search> [{if | unless} <cond>]  (ignore case)
   Delete all headers matching a regular expression in an HTTP response
   May be used in sections :   defaults | frontend | listen | backend
                                  no    |    yes   |   yes  |   yes
@@ -3890,6 +3894,9 @@
               The "rspdel" keyword strictly matches case while "rspidel"
               ignores case.
 
+    <cond>    is an optional matching condition built from ACLs. It makes it
+              possible to ignore this rule when other conditions are not met.
+
   Any header line matching extended regular expression <search> in the response
   will be completely deleted. Most common use of this is to remove unwanted
   and/or sensible headers or cookies from a response before passing it to the
@@ -3903,12 +3910,12 @@
      # remove the Server header from responses
      reqidel ^Server:.*
 
-  See also: "rspadd", "rsprep", "reqdel" and section 6 about HTTP header
-            manipulation
+  See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
+            manipulation, and section 7 about ACLs.
 
 
-rspdeny  <search>
-rspideny <search>  (ignore case)
+rspdeny  <search> [{if | unless} <cond>]
+rspideny <search> [{if | unless} <cond>]  (ignore case)
   Block an HTTP response if a line matches a regular expression
   May be used in sections :   defaults | frontend | listen | backend
                                  no    |    yes   |   yes  |   yes
@@ -3921,6 +3928,9 @@
               The "rspdeny" keyword strictly matches case while "rspideny"
               ignores case.
 
+    <cond>    is an optional matching condition built from ACLs. It makes it
+              possible to ignore this rule when other conditions are not met.
+
   A response containing any line which matches extended regular expression
   <search> will mark the request as denied. The test applies both to the
   response line and to response headers. Keep in mind that header names are not
@@ -3938,12 +3948,12 @@
      # Ensure that no content type matching ms-word will leak
      rspideny  ^Content-type:\.*/ms-word
 
-  See also: "reqdeny", "acl", "block" and section 6 about HTTP header
-            manipulation
+  See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
+            and section 7 about ACLs.
 
 
-rsprep  <search> <string>
-rspirep <search> <string>  (ignore case)
+rsprep  <search> <string> [{if | unless} <cond>]
+rspirep <search> <string> [{if | unless} <cond>]  (ignore case)
   Replace a regular expression with a string in an HTTP response line
   May be used in sections :   defaults | frontend | listen | backend
                                  no    |    yes   |   yes  |   yes
@@ -3962,6 +3972,9 @@
               being a single digit between 0 and 9. Please refer to section
               6 about HTTP header manipulation for more information.
 
+    <cond>    is an optional matching condition built from ACLs. It makes it
+              possible to ignore this rule when other conditions are not met.
+
   Any line matching extended regular expression <search> in the response (both
   the response line and header lines) will be completely replaced with
   <string>. Most common use of this is to rewrite Location headers.
@@ -3976,8 +3989,8 @@
      # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
      rspirep ^Location:\ 127.0.0.1:8080    Location:\ www.mydomain.com
 
-  See also: "rspadd", "rspdel", "reqrep" and section 6 about HTTP header
-            manipulation
+  See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
+            manipulation, and section 7 about ACLs.
 
 
 server <name> <address>[:port] [param*]