On Tue, Aug 17, 2021 at 06:57:28PM +0200, Tim Düsterhus wrote:
> Hi Willy, Everyone,
>
> On 8/17/21 5:13 PM, Willy Tarreau wrote:
> > 2) Domain parts in ":scheme" and ":path"
> >
> > [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.
>
> I'd like to clarify that the above statement is not true. The issue also
> affects H2->HAProxy->H1 connections. It allows forwarding a different 'host'
> header than the one HAProxy sees to the backend.
So to be more precise, based on the output of your test, both will see the
same Host header field; however, the server will receive a different authority
than the Host header field. While this is not a valid request, we know that
some servers are more willing to accept that than poorly formatted requests.
However, those which do most often only use the Host (which is why they don't
check the authority). I'm not saying this to try to dismiss the problem; it's
in order to help admins analyze strange logs that they may encounter before
upgrading or deploying workarounds.

> The 'http-request set-uri %[url]' workaround mentioned at the bottom of
> Willy's email also fixes the issue for HTTP/1 backends.
>
> In any case I recommend upgrading as soon as possible. That way you don't
> have to think whether your setup requires a workaround or not.

I agree on both points! Thanks for reporting that one.

Willy
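The situation Willy describes above (an HTTP/1 backend receiving an absolute-form request-target whose authority differs from the Host header field) is exactly what an admin would want to look for in backend request logs or captures before upgrading. The following is an added example, not code from this thread or from HAProxy: it parses the head of an HTTP/1 request, extracts the authority from an absolute-form request-target, and reports whether it disagrees with the Host header. The sample requests are constructed for illustration; the comparison is a plain case-insensitive match on `host[:port]` and does not normalise default ports, so a mismatch result is a flag for manual review, not proof of an attack.

```python
"""Flag HTTP/1 requests whose absolute-form request-target carries a different
authority than the Host header field.

Added example, not part of the mailing-list thread or of HAProxy's own code.
The sample requests at the bottom are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1 request head into (method, request-target, headers).

    Only the head (up to the first blank line) is read; header names are
    lower-cased so lookups are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authority_of(target: str) -> str | None:
    """Return the lower-cased authority (host[:port]) of an absolute-form
    request-target such as 'http://example.com/path'.

    Origin-form ('/path'), asterisk-form ('*') and authority-form
    ('host:port', as used by CONNECT) targets carry no scheme and yield None.
    """
    if "://" not in target:
        return None
    return urlsplit(target).netloc.lower()


def check_host_authority(raw: bytes) -> dict:
    """Compare the request-target authority with the Host header.

    'mismatch' is True only when the request is absolute-form, a Host header
    is present, and the two authorities differ (the pattern from the thread).
    """
    method, target, headers = parse_request_head(raw)
    authority = authority_of(target)
    host = headers.get("host", "").lower() or None
    return {
        "method": method,
        "target": target,
        "authority": authority,
        "host": host,
        "mismatch": authority is not None and host is not None and authority != host,
    }


# Constructed samples (not captured traffic):
#  - origin_form: the normal case, nothing to compare
#  - consistent:  absolute-form target whose authority matches Host
#  - mismatch:    absolute-form target whose authority differs from Host
SAMPLES = {
    "origin_form": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "consistent": (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n\r\n"),
    "mismatch": (b"GET http://internal.example.net/admin HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n"),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = check_host_authority(raw)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{label:12s} {flag:8s} authority={result['authority']} host={result['host']}")
```

Run the script over a file of captured request heads instead of `SAMPLES` to triage backend logs; a server that, as Willy notes, only ever consults Host will have served the `www.example.com` virtual host for the third sample while its access log may show the `internal.example.net` target, which is the discrepancy to look for.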