upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-15 21:59:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

MEDIUM: http_act: check status codes against the bit fields for err/fail

Browse source 
This drops the hard-coded 4xx and 5xx status codes for err_cnt and
fail_cnt, in favor of the new bit fields that will soon be configurable.
There should be no difference at all since the bit fields are initialized
to the exact same sets (400-499 for err, 500-599 minus 501 and 505 for
fail).
This commit is contained in:
Willy Tarreau 2024-01-10 18:44:30 +01:00
parent 3c135569c5
commit 9d827e1049
2 changed files with 10 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/http_act.c
View file

@ -2044,13 +2044,14 @@ static enum act_return http_action_track_sc(struct act_rule *rule, struct proxy
* but here we're tracking after this ought to have been done so we have
* to do it on purpose.
*/
if (rule->from == ACT_F_HTTP_RES && (unsigned)(s->txn->status - 400) < 100) {
if (rule->from == ACT_F_HTTP_RES &&
http_status_matches(http_err_status_codes, s->txn->status)) {
ptr3 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_ERR_CNT);
ptr4 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_ERR_RATE);
}
if (rule->from == ACT_F_HTTP_RES && (unsigned)(s->txn->status - 500) < 100 &&
s->txn->status != 501 && s->txn->status != 505) {
if (rule->from == ACT_F_HTTP_RES &&
http_status_matches(http_fail_status_codes, s->txn->status)) {
ptr5 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_FAIL_CNT);
ptr6 = stktable_data_ptr(t, ts, STKTABLE_DT_HTTP_FAIL_RATE);
}

12
src/http_ana.c
View file

@ -1444,22 +1444,22 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
if (sl->flags & HTX_SL_F_CONN_UPG)
msg->flags |= HTTP_MSGF_CONN_UPG;
n = txn->status / 100;
if (n < 1 || n > 5)
n = 0;
/* when the client triggers a 4xx from the server, it's most often due
* to a missing object or permission. These events should be tracked
* because if they happen often, it may indicate a brute force or a
* vulnerability scan.
*/
if (n == 4)
if (http_status_matches(http_err_status_codes, txn->status))
stream_inc_http_err_ctr(s);
if (n == 5 && txn->status != 501 && txn->status != 505)
if (http_status_matches(http_fail_status_codes, txn->status))
stream_inc_http_fail_ctr(s);
if (objt_server(s->target)) {
n = txn->status / 100;
if (n < 1 || n > 5)
n = 0;
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.p.http.rsp[n]);
_HA_ATOMIC_INC(&__objt_server(s->target)->counters.p.http.cum_req);
}