On Tue, Aug 17, 2021 at 06:57:28PM +0200, Tim Düsterhus wrote:
> Hi Willy, Everyone,
> 
> On 8/17/21 5:13 PM, Willy Tarreau wrote:
> > 2) Domain parts in ":scheme" and ":path"
> > 
> > [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.
> 
> I'd like to clarify that the above statement is not true. The issue also
> affects H2->HAProxy->H1 connections. It allows forwarding a different 'host'
> header than the one HAProxy sees to the backend.

So to be more precise, based on the output of your test, both will see
the same Host header field; however, the server will receive a different
authority than the Host header field. While this is not a valid request,
we know that some servers are more willing to accept that than the
poorly formatted requests. However, those which do most often only use
the Host (which is why they don't check the authority).

I'm not saying this to try to dismiss the problem, it's in order to
help admins analyze strange logs that they may encounter before
upgrading or deploying workarounds.

> The 'http-request set-uri %[url]' workaround mentioned at the bottom of
> Willy's email also fixes the issue for HTTP/1 backends.
> 
> In any case I recommend upgrading as soon as possible. That way you don't
> have to think about whether your setup requires a workaround or not.

I agree on both points!

Thanks for reporting that one.
Willy
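The mismatch Willy describes, an authority embedded in the request target that differs from the Host header the backend also receives, is easy to spot once a request is parsed. The following Python is an added example and is not code from the HAProxy project or from anyone in this thread: it parses an HTTP/1.x request as a backend would see it, pulls the authority out of an absolute-form ("http://host/path") or scheme-less ("//host/path") target, compares it with Host, and shows the origin-form rewrite that the set-uri workaround aims at. The hostnames, sample requests and function names are constructed for illustration, and the rewrite is the general idea of the normalisation, not HAProxy's implementation of it.

```python
import re
from urllib.parse import urlsplit

# Absolute-form request target, "http://host/path" (RFC 7230, section 5.3.2).
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def target_authority(target):
    """Return the authority (host[:port]) embedded in a request target,
    lowercased, or None for origin-form ("/path"), asterisk-form ("*")
    or a target with no host.  CONNECT's authority-form target is
    deliberately not handled here."""
    if target.startswith("//"):
        # Scheme-less network-path reference such as "//evil.example/path".
        return urlsplit("http:" + target).netloc.lower() or None
    if ABSOLUTE_FORM.match(target):
        return urlsplit(target).netloc.lower() or None
    return None


def to_origin_form(target):
    """Rewrite an absolute-form or "//host/path" target into origin-form,
    keeping only path and query.  Illustrates the normalisation the
    workaround in the thread aims for; this is not HAProxy's own code."""
    if target_authority(target) is None:
        return target
    parts = urlsplit(target if ABSOLUTE_FORM.match(target) else "http:" + target)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def parse_request(raw):
    """Split the head of an HTTP/1.x request into
    (method, target, version, headers).  Header names are lowercased and
    repeated headers are kept as a list so duplicates stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def check_request(raw):
    """Classify a request as a backend would receive it.

    Returns (verdict, target_authority, host); verdict is "ok",
    "bad-host-count" (zero or several Host headers) or
    "authority-mismatch" (target carries a host that differs from Host).
    Comparison is a plain case-insensitive match; ports are not normalised."""
    _method, target, _version, headers = parse_request(raw)
    hosts = headers.get("host", [])
    auth = target_authority(target)
    if len(hosts) != 1:
        return ("bad-host-count", auth, None)
    host = hosts[0].lower()
    if auth is not None and auth != host:
        return ("authority-mismatch", auth, host)
    return ("ok", auth, host)


# Constructed sample requests (not captured traffic), as an HTTP/1 backend
# would receive them from a proxy that forwarded the request target as-is.
SAMPLE_NORMAL = b"GET /index.html HTTP/1.1\r\nHost: good.example\r\n\r\n"
SAMPLE_ABSOLUTE_MISMATCH = (
    b"GET http://evil.example/admin?x=1 HTTP/1.1\r\nHost: good.example\r\n\r\n"
)
SAMPLE_SCHEMELESS_MISMATCH = (
    b"GET //evil.example/admin HTTP/1.1\r\nHost: good.example\r\n\r\n"
)
SAMPLE_CONSISTENT = b"GET http://good.example/x HTTP/1.1\r\nHost: GOOD.example\r\n\r\n"
SAMPLE_DUP_HOST = b"GET /x HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [
        ("normal", SAMPLE_NORMAL),
        ("absolute-form", SAMPLE_ABSOLUTE_MISMATCH),
        ("scheme-less", SAMPLE_SCHEMELESS_MISMATCH),
        ("consistent", SAMPLE_CONSISTENT),
        ("duplicate host", SAMPLE_DUP_HOST),
    ]:
        _m, target, _v, _h = parse_request(raw)
        print(name, check_request(raw), "->", to_origin_form(target))
```

Run it over a capture or a log of request lines taken at the backend: any "authority-mismatch" result is the kind of strange entry Willy mentions, and the rewritten target shows what the backend would have seen had the request been normalised to origin-form before being forwarded.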
