As noted in https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
This doesn't look right to me. I think what you want is to verify that https is in a secured connection. This should have no effect on other schemes, and certainly not require all schemes to be http or https.

Literally, the scheme is a naming system, not a protocol. "http" and "https" and "foo" schemes can be resolved by any protocol that performs requests on an absolute URI, including HTTP/2. "https" only requires the connection to be secured end-to-end.

....Roy

> On Feb 8, 2022, at 5:38 AM, ic...@apache.org wrote: > > Author: icing > Date: Tue Feb 8 13:38:49 2022 > New Revision: 1897872 > > URL: http://svn.apache.org/viewvc?rev=1897872&view=rev > Log: > *) mod_http2: when a h2 request carries a ':scheme' pseudoheader, > it gives a 400 response if the scheme does not match the > connection. Fixes <https://github.com/icing/mod_h2/issues/230>. > > > Added: > httpd/httpd/trunk/changes-entries/http2_request_scheme.txt > Modified: > httpd/httpd/trunk/modules/http2/h2_stream.c > httpd/httpd/trunk/test/modules/http2/test_003_get.py > > Added: httpd/httpd/trunk/changes-entries/http2_request_scheme.txt > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/http2_request_scheme.txt?rev=1897872&view=auto > ============================================================================== > --- httpd/httpd/trunk/changes-entries/http2_request_scheme.txt (added) > +++ httpd/httpd/trunk/changes-entries/http2_request_scheme.txt Tue Feb 8 > 13:38:49 2022 
> @@ -0,0 +1,3 @@ > + *) mod_http2: when a h2 request carries a ':scheme' pseudoheader, > + it gives a 400 response if the scheme does not match the > + connection. Fixes <https://github.com/icing/mod_h2/issues/230>. > > Modified: httpd/httpd/trunk/modules/http2/h2_stream.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_stream.c?rev=1897872&r1=1897871&r2=1897872&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/http2/h2_stream.c (original) > +++ httpd/httpd/trunk/modules/http2/h2_stream.c Tue Feb 8 13:38:49 2022 > @@ -23,6 +23,7 @@ > #include <http_core.h> > #include <http_connection.h> > #include <http_log.h> > +#include <http_ssl.h> > > #include <nghttp2/nghttp2.h> > > @@ -773,12 +774,10 @@ apr_status_t h2_stream_end_headers(h2_st > status = h2_request_end_headers(stream->rtmp, stream->pool, eos, > raw_bytes); > if (APR_SUCCESS == status) { > set_policy_for(stream, stream->rtmp); > - stream->request = stream->rtmp; > - stream->rtmp = NULL; > - > + > ctx.maxlen = stream->session->s->limit_req_fieldsize; > ctx.failed_key = NULL; > - apr_table_do(table_check_val_len, &ctx, stream->request->headers, > NULL); > + apr_table_do(table_check_val_len, &ctx, stream->rtmp->headers, NULL); > if (ctx.failed_key) { > if (!h2_stream_is_ready(stream)) { > ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1, 
> @@ -790,6 +789,15 @@ apr_status_t h2_stream_end_headers(h2_st > /* keep on returning APR_SUCCESS, so that we send a HTTP response > and > * do not RST the stream. */ > } > + if (stream->rtmp->scheme && strcasecmp(stream->rtmp->scheme, > + ap_ssl_conn_is_ssl(stream->session->c1)? "https" : "http")) { > + ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1, > + H2_STRM_LOG(APLOGNO(), stream,"Request :scheme > '%s' and " > + "connection do not match."), > stream->rtmp->scheme); > + set_error_response(stream, HTTP_BAD_REQUEST); > + } > + stream->request = stream->rtmp; > + stream->rtmp = NULL; > } > return status; > } > > Modified: httpd/httpd/trunk/test/modules/http2/test_003_get.py > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/http2/test_003_get.py?rev=1897872&r1=1897871&r2=1897872&view=diff > ============================================================================== > --- httpd/httpd/trunk/test/modules/http2/test_003_get.py (original) > +++ httpd/httpd/trunk/test/modules/http2/test_003_get.py Tue Feb 8 13:38:49 > 2022 > @@ -211,3 +211,11 @@ content-type: text/html > assert 1024 == len(r.response["body"]) > assert "content-length" in h > assert clen == h["content-length"] > + > + # use an invalid scheme > + def test_h2_003_51(self, env): > + url = env.mkurl("https", "cgi", "/") > + opt = ["-H:scheme: http"] > + r = env.nghttp().get(url, options=opt) > + assert r.exit_code == 0, r > + assert r.response['status'] == 400 > >
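
Review bot: In the `@@ -773,12 +774,10 @@` hunk of h2_stream.c, `stream->request = stream->rtmp` is taken out of its place ahead of the header checks, and the later hunk only restores it after the new `set_error_response(stream, HTTP_BAD_REQUEST)` call, so that call now runs before `stream->request` has been assigned. It is worth confirming that `set_error_response` and `h2_stream_is_ready` do not read `stream->request`, and adding a short comment at the new assignment saying why it has to come last. The blank line removed here also appears to be replaced by a whitespace-only line, which can simply be dropped.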
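
Review bot: In the `@@ -790,6 +789,15 @@` hunk of h2_stream.c, the `strcasecmp` of `stream->rtmp->scheme` against `"https"` or `"http"` fails for every `:scheme` value other than the one matching the connection, so a request carrying any other scheme also gets the 400, not just `https` arriving on an unsecured connection. If the goal is to refuse `https` when `ap_ssl_conn_is_ssl(stream->session->c1)` is false, narrow the condition to that case and let other schemes fall through to normal request handling. The `APLOGNO()` in the new `ap_log_cerror` call is still empty and needs a number assigned.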
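
Review bot: In test_003_get.py, `test_h2_003_51` pins only one direction, `:scheme: http` sent to an https URL; there is no case for `:scheme: https` on a cleartext connection, nor for a scheme that is neither http nor https, so the behaviour for those inputs is untested. Adding both cases would make the intended policy explicit. The comment `# use an invalid scheme` would be more accurate as a mismatching scheme, since `http` is itself a valid scheme.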