Hi Willy, Everyone,
On 8/17/21 5:13 PM, Willy Tarreau wrote:
2) Domain parts in ":scheme" and ":path"
[...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.
I'd like to clarify that the above statement is not true. The issue also
affects H2->HAProxy->H1 connections. It allows to forward a different
'host' header than the one HAProxy sees to the backend.
The 'http-request set-uri %[url]' workaround mentioned at the bottom of
Willy's email also fixes the issue for HTTP/1 backends.
In any case I recommend to upgrade as soon as possible. That way you
don't have to think whether your setup requires a workaround or not.
Best regards
Tim Düsterhus