MEDIUM: Make 'block' directive fatal

It was deprecated with HAProxy 1.5. Time to remove it.
2019-05-14 20:57:57 +02:00 · 2019-05-14 20:57:57 +02:00 · 7b7c47f05c
commit 7b7c47f05c
parent a2913bed6b
3 changed files with 5 additions and 57 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -2342,7 +2342,6 @@ backlog                                   X          X         X         -
 balance                                   X          -         X         X
 bind                                      -          X         X         -
 bind-process                              X          X         X         X
-block                       (deprecated)  -          X         X         X
 capture cookie                            -          X         X         -
 capture request header                    -          X         X         -
 capture response header                   -          X         X         -
@ -2993,35 +2992,6 @@ bind-process [ all | odd | even | <process_num>[-[<process_num>]] ] ...
  See also : "nbproc" in global section, and "process" in section 5.1.


-block { if | unless } <condition> (deprecated)
-  Block a layer 7 request if/unless a condition is matched
-  May be used in sections :   defaults | frontend | listen | backend
-                                 no    |    yes   |   yes  |   yes
-
-  The HTTP request will be blocked very early in the layer 7 processing
-  if/unless <condition> is matched. A 403 error will be returned if the request
-  is blocked. The condition has to reference ACLs (see section 7). This is
-  typically used to deny access to certain sensitive resources if some
-  conditions are met or not met. There is no fixed limit to the number of
-  "block" statements per instance. To block connections at layer 4 (without
-  sending a 403 error) see "tcp-request connection reject" and
-  "tcp-request content reject" rules.
-
-  This form is deprecated, do not use it in any new configuration, use the new
-  "http-request deny" instead.
-
-  Example:
-        acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
-        acl invalid_src  src_port     0:1023
-        acl local_dst    hdr(host) -i localhost
-        # block is deprecated. Use http-request deny instead:
-        #block if invalid_src || local_dst
-        http-request deny if invalid_src || local_dst
-
-  See also : section 7 about ACL usage, "http-request deny",
-            "http-response deny", "tcp-request connection reject" and
-            "tcp-request content reject".
-
 capture cookie <name> len <length>
  Capture and log a cookie in the request and in the response.
  May be used in sections :   defaults | frontend | listen | backend
--- a/include/types/global.h
+++ b/include/types/global.h
@ -249,7 +249,7 @@ extern unsigned int rlim_fd_max_at_boot;
 extern int atexit_flag;

 /* bit values to go with "warned" above */
-#define WARN_BLOCK_DEPRECATED       0x00000001
+/* unassigned : 0x00000001 (previously: WARN_BLOCK_DEPRECATED) */
 /* unassigned : 0x00000002 */
 #define WARN_REDISPATCH_DEPRECATED  0x00000004
 #define WARN_CLITO_DEPRECATED       0x00000008
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@ -1546,33 +1546,11 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 		curproxy->server_id_hdr_name = strdup(args[1]);
 		curproxy->server_id_hdr_len  = strlen(curproxy->server_id_hdr_name);
 	}
-	else if (!strcmp(args[0], "block")) {  /* early blocking based on ACLs */
-		struct act_rule *rule;
-
-		if (curproxy == &defproxy) {
-			ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]);
-			err_code |= ERR_ALERT | ERR_FATAL;
-			goto out;
-		}
-
-		/* emulate "block" using "http-request block". Since these rules are supposed to
-		 * be processed before all http-request rules, we put them into their own list
-		 * and will insert them at the end.
-		 */
-		rule = parse_http_req_cond((const char **)args, file, linenum, curproxy);
-		if (!rule) {
-			err_code |= ERR_ALERT | ERR_ABORT;
-			goto out;
-		}
-		err_code |= warnif_misplaced_block(curproxy, file, linenum, args[0]);
-		err_code |= warnif_cond_conflicts(rule->cond,
-	                                          (curproxy->cap & PR_CAP_FE) ? SMP_VAL_FE_HRQ_HDR : SMP_VAL_BE_HRQ_HDR,
-	                                          file, linenum);
-		LIST_ADDQ(&curproxy->block_rules, &rule->list);
-
-		if (!already_warned(WARN_BLOCK_DEPRECATED))
-			ha_warning("parsing [%s:%d] : The '%s' directive is now deprecated in favor of 'http-request deny' which uses the exact same syntax. The rules are translated but support might disappear in a future version.\n", file, linenum, args[0]);
+	else if (!strcmp(args[0], "block")) {
+		ha_alert("parsing [%s:%d] : The '%s' directive is not supported anymore since HAProxy 2.1. Use 'http-request deny' which uses the exact same syntax.\n", file, linenum, args[0]);

+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
 	}
 	else if (!strcmp(args[0], "redirect")) {
 		struct redirect_rule *rule;