Valters,

On 12/13/21 7:51 PM, Valters Jansons wrote:
> Is this thread really "on-topic" for HAProxy?

"I want to block specific pattern in a header" certainly is on-topic for the HAProxy list.

> Attempts to mitigate Log4Shell at HAProxy level to me feel similar
> to... looking at a leaking roof of a house and thinking "I should put
> an umbrella above it, so the leak isn't hit by rain". Generally, it
> might work, but it's not something that you can expect to hold up in
> the long run, and it's not something construction folks would advise.

This is true. However it can be a useful extra layer to keep out the dumb vulnerability scanners that try the shotgun approach of attacking everything (TM) and go away after they realize their first attempt to exploit your app does not work.

I don't think that anyone who frequents this list expects that this basic check would be sufficient to fully mitigate the security issue.

> So just patch/update your vulnerable applications; and where vendors
> provide mitigation steps - apply those instead.

Yes, this is the correct solution in the long run. But we all know the vendors who need extra time even for ultra-critical security updates. If a simple 1-line HAProxy configuration change keeps the dumb automated scanners away for another 24 hours then this might buy you sufficient time to deploy the updated application.

Best regards
Tim Düsterhus
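For illustration, the kind of one-line header check the reply refers to, as an added example that is not from the thread or from the HAProxy project; the frontend/backend names are assumed, and the match is a plain substring on the lowercased request header block, so it only stops naive scanners and is a stopgap until the application is patched.

```haproxy
# Added example (not from the thread). Assumes a frontend "fe_web" and a
# backend "be_app"; adjust to your own configuration.
frontend fe_web
    bind :80
    # req.hdrs exposes the whole request header block; lowercase it and
    # look for the JNDI lookup keyword anywhere in it.
    acl jndi_probe req.hdrs,lower -m sub jndi:
    # Reject matching requests; denied requests still appear in the
    # HAProxy log, which is useful for spotting scanning activity.
    http-request deny deny_status 403 if jndi_probe
    default_backend be_app
```

A substring match produces false positives on legitimate headers containing that string and misses obfuscated payloads, so treat it as a short-lived filter, not a fix.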
