[PATCH 1/2] DOC: add deprecation notice to "block"

Posted by Jarno Huuskonen 
Jarno Huuskonen
[PATCH 1/2] DOC: add deprecation notice to "block"
December 28, 2016 06:40PM
---
doc/configuration.txt | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 6795166..b66267e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1805,7 +1805,7 @@ backlog X X X -
balance X - X X
bind - X X -
bind-process X X X X
-block - X X X
+block (deprecated) - X X X
capture cookie - X X -
capture request header - X X -
capture response header - X X -
@@ -2468,7 +2468,7 @@ bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
See also : "nbproc" in global section, and "process" in section 5.1.


-block { if | unless } <condition>
+block { if | unless } <condition> (deprecated)
Block a layer 7 request if/unless a condition is matched
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes
@@ -2480,6 +2480,9 @@ block { if | unless } <condition>
conditions are met or not met. There is no fixed limit to the number of
"block" statements per instance.

+ This form is deprecated, do not use it in any new configuration, use the new
+ "http-request deny" instead.
+
Example:
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
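Review bot: The notice added after the "block" description names "http-request deny" as the replacement but does not show the equivalent rule, and the Example that follows is left unchanged. For a rule that blocks requests, a reader migrating an existing configuration needs the one-to-one form spelled out, so consider adding a line such as "http-request deny { if | unless } <condition>" to the notice, or a second example that uses it. Minor wording: "This form is deprecated, do not use it in any new configuration" is a comma splice and reads better as two sentences.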
--
1.8.3.1
Jarno Huuskonen
[PATCH 2/2] DOC: "block" deny_status documentation.
December 28, 2016 06:40PM
---
doc/configuration.txt | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b66267e..775781d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2468,17 +2468,18 @@ bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
See also : "nbproc" in global section, and "process" in section 5.1.


-block { if | unless } <condition> (deprecated)
+block [deny_status <status>] { if | unless } <condition> (deprecated)
Block a layer 7 request if/unless a condition is matched
May be used in sections : defaults | frontend | listen | backend
no | yes | yes | yes

The HTTP request will be blocked very early in the layer 7 processing
- if/unless <condition> is matched. A 403 error will be returned if the request
- is blocked. The condition has to reference ACLs (see section 7). This is
- typically used to deny access to certain sensitive resources if some
- conditions are met or not met. There is no fixed limit to the number of
- "block" statements per instance.
+ if/unless <condition> is matched. A 403 error or optionally the status
+ code specified as an argument to "deny_status" will be returned if the
+ request is blocked. The condition has to reference ACLs (see section 7).
+ This is typically used to deny access to certain sensitive resources if
+ some conditions are met or not met. There is no fixed limit to the
+ number of "block" statements per instance.

This form is deprecated, do not use it in any new configuration, use the new
"http-request deny" instead.
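Review bot: The syntax line now advertises "[deny_status <status>]" on a keyword that the unchanged lines at the end of this hunk still tell readers not to use in any new configuration, and the reworded paragraph never says which <status> values are accepted or what is returned for an unsupported one. Either drop the argument from this entry and document it only under "http-request deny", or state the accepted values here. The paragraph was also re-wrapped in full for a one-clause addition; keeping the original line breaks would reduce the hunk to the lines that actually change.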
@@ -2489,7 +2490,8 @@ block { if | unless } <condition> (deprecated)
acl local_dst hdr(host) -i localhost
block if invalid_src || local_dst

- See section 7 about ACL usage.
+ See also : "http-request deny", "http-response deny" as well as
+ section 7 about ACL usage.


capture cookie <name> len <length>
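Review bot: The new "See also" line lists "http-response deny" next to "http-request deny", but the example directly above it ("block if invalid_src || local_dst", with local_dst matched on hdr(host)) acts on request-side criteria, so the response-side reference is left unexplained. Suggest keeping only "http-request deny" in the cross-reference, or adding a short clause on how "http-response deny" relates to this keyword. The example itself could also show the replacement form so the entry does not end on the deprecated syntax.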
--
1.8.3.1
Willy Tarreau
Re: [PATCH 1/2] DOC: add deprecation notice to "block"
January 11, 2017 12:40PM
applied, thanks.
Willy Tarreau
Re: [PATCH 2/2] DOC: "block" deny_status documentation.
January 11, 2017 12:40PM
> -block { if | unless } <condition> (deprecated)
> +block [deny_status <status>] { if | unless } <condition> (deprecated)

I'd rather not add details suggesting how to do side-effect things to
a deprecated keyword. It supports it only because it's being emulated
using "http-request deny", so better not encourage its use anymore.

Thanks,
Willy