tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

Config directive inheritance #2121

Open const-t opened 6 months ago

const-t commented 6 months ago

Scope

Inheritance of config directives is not straightforward: there are a lot of cases where we can't predict how the configuration file will be interpreted by Tempesta FW. This applies especially to the default vhost.

listen 80;
listen 443 proto=h2;

server ${server_ip}:8000;

tls_certificate ${tempesta_workdir}/tempesta.crt;
tls_certificate_key ${tempesta_workdir}/tempesta.key;

cache 2;
cache_fulfill * *;

resp_hdr_add hdr "global";

vhost default {
    cache_fulfill prefix "/must_cache";
    resp_hdr_add hdr "default";
    proxy_pass default;
}

vhost tempesta-tech.com {
    cache_fulfill prefix "/must_cache";
    resp_hdr_add hdr "tempesta-tech";
    proxy_pass default;
}

#`http_chain` is not specified for simplicity, it doesn't matter here.

For example, this simple config has unpredictable behavior in two places:

  1. Just looking at the config, we can assume the following behavior: when a request is routed to the tempesta-tech vhost, the response must have two headers added by Tempesta: hdr: global and hdr: tempesta-tech. However, that's not how it works now. In this case we received only hdr: tempesta-tech; this is a bug. But when a request is routed to the default vhost, Tempesta responds with two headers, hdr: global and hdr: default, as expected. Although resp_hdr_add works as expected, it also looks like a bug: why are different inheritance rules applied to the same directive located in two different vhosts, vhost tempesta-tech.com and vhost default?

  2. Here we have cache_fulfill * * in the global scope and an overriding cache_fulfill prefix "/must_cache"; in both vhosts, but the behavior for the vhosts will be different. If a request is forwarded to vhost default, any URI will be served from cache, which means cache_fulfill * *; will be applied to the default vhost. If a request is forwarded to vhost tempesta-tech.com, only a request with URI /must_cache will be served from cache; the global cache_fulfill * *; will be completely ignored.

Summary: vhost default and other vhosts have different inheritance principles that are not straightforward; some directives from the global scope are not extended but overridden in vhosts, which also looks unpredictable. For overriding we can use the approach suggested in this comment.
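
A lint-style check for configs that hit the cases described in this issue, as an added example that is not part of the issue or of Tempesta FW's code: it flags every directive set both in the global scope and inside a vhost, where the effective value currently depends on which vhost it is. The parser is a simplified line-based one (one directive per line, no nested blocks), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the config from the issue.
SAMPLE = '''
cache_fulfill * *;
resp_hdr_add hdr "global";
vhost default {
    cache_fulfill prefix "/must_cache";
    resp_hdr_add hdr "default";
    proxy_pass default;
}
vhost tempesta-tech.com {
    cache_fulfill prefix "/must_cache";
    resp_hdr_add hdr "tempesta-tech";
    proxy_pass default;
}
'''

def parse_scopes(text):
    """Return {scope: [(directive, args), ...]}; scope None is the global scope."""
    scopes = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in values)
        if not line:
            continue
        m = re.fullmatch(r"vhost\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)              # entering a vhost block
        elif line == "}":
            current = None                    # back to the global scope
        else:
            name, _, args = line.rstrip(";").partition(" ")
            scopes[current].append((name, args.strip()))
    return scopes

def ambiguous_directives(text):
    """List (vhost, directive) pairs set both globally and inside that vhost."""
    scopes = parse_scopes(text)
    global_names = {name for name, _ in scopes[None]}
    hits = []
    for vhost, items in scopes.items():
        if vhost is None:
            continue
        for name in dict.fromkeys(n for n, _ in items):   # de-duplicate, keep order
            if name in global_names:
                hits.append((vhost, name))
    return hits
```

Each reported pair is a place to confirm the effective behavior by testing (response headers, cache hits) rather than by reading the config.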

krizhanovsky commented 6 months ago

Is it related to / a duplicate of #2119?

const-t commented 6 months ago

Is it related to / a duplicate of #2119?

It seems they are related; #2119 is only about frang, which has its own inheritance rules.