http-response add-headers doesn't work with the stats page

[wtarreau]

This issue was reported here : https://www.mail-archive.com/haproxy@formilux.org/msg27447.html

Output of haproxy -vv and uname -a

haproxy 1.5.4
haproxy 1.5.19

What's the configuration?

frontend stats_proxy
        bind <server ip>:<port>ssl crt <certificate path> no-sslv3 no-tlsv1 ciphers <cipher>
        mode http
        default_backend stats_server
        rspadd Cache-Control:\ no-store,no-cache,private
        rspadd Pragma:\ no-cache
        rspadd Strict-Transport-Security:

backend stats_server
        mode http
        option httpclose
        option abortonclose
        stats enable
        stats refresh     60s
        stats hide-version

Steps to reproduce the behavior

access the stats page

Actual behavior

the headers are missing

Expected behavior

the headers should be present

Do you have any idea what may have caused this?

Lukas diagnosed that the behaviour changed in 1.5-dev with commit 70730dd ("MEDIUM: http: enable analysers to have keep-alive on stats"). The commit message mentions :

We ensure to skip filters because we don't want to unexpectedly
block a response nor to mangle response headers.

It's interesting to note that we do support HTTP compression on the stats response but not HTTP rulesets, just to avoid causing trouble, but here it does have the opposite effect.

Do you have an idea how to solve the issue?

Maybe we'd need to have an options on the stats directive to indicate that there is some post-processing to be done on the response so that we don't remove the response analysers. Or maybe we should always keep them, but we'd then face the usual problem of response rules written for a server possibly blocking a generated response.

A possibly reasonable approach would be to remove the rules for the current proxy : if the stats are in the frontend, frontend rules are not processed. If the stats are in the backend, backend rules are not processed but frontend rules are processed. This would seem fairly natural and it is what the reported tried to do.

[wtarreau]

So after some discussion on the subject with Christopher, a good proposal seems to simply add a new stats directive to make the rule final and skip the rest of the evaluation (as is currently done), and by default we'd keep it running (as most users expect). For the rare ones seeing this interfere with their http-response rules, they would quickly notice the change when visiting their stats page and would thus be able to adjust the behavior using the new option, or just move the stats to a dedicated backend.

[capflam]

It is now possible since the 2.2 thanks to the http-after-response ruleset. This feature will not be backported in previous versions. So I guess we can close this issue. The 2.2 is a LTS version, so it seems reasonable to use it if someone really needs to rewrite responses generated by HAProxy.