Re: invalid request

Wed, 12 Jan 2022 08:07:56 -0800 

On Thu, Dec 30, 2021 at 10:15 PM Willy Tarreau <[email protected]> wrote:

> On Wed, Dec 29, 2021 at 12:29:11PM +0100, Aleksandar Lazic wrote:
> > >     00000  CONNECT download.eclipse.org:443 HTTP/1.1\r\n
> > >     00043  Host: download.eclipse.org\r\n
> > >     00071  User-Agent: Apache-HttpClient/4.5.10 (Java/11.0.13)\r\n
> > >     00124  \r\n
>
> It indeed looks like a recently fixed problem related to the mandatory
> comparison between the authority part of the request and the Host header
> field, which do not match above since only one contains a port.
>

I don't know how pervasive this issue is on non-Java clients, but the
sendCONNECTRequest() method from Java's HttpURLConnection API is
responsible for the authority/host mismatch when using native Java HTTP
support, and has been operating this way for a very long time:

    /**
     * send a CONNECT request for establishing a tunnel to proxy server
     */
    private void sendCONNECTRequest() throws IOException {
        int port = url.getPort();

        requests.set(0, HTTP_CONNECT + " " + connectRequestURI(url)
                         + " " + httpVersion, null);
        requests.setIfNotSet("User-Agent", userAgent);

        String host = url.getHost();
        if (port != -1 && port != url.getDefaultPort()) {
            host += ":" + String.valueOf(port);
        }
        requests.setIfNotSet("Host", host);

The Apache-HttpClient library has a similar issue as well (as demonstrated
above).

More recent versions are applying scheme-based normalization which consists
> in dropping the port from the comparison when it matches the scheme
> (which is implicitly https here).


Is there an option other than using "accept-invalid-http-request" available
to modify this behavior on the haproxy side in 2.4?  I have also run into
this with Java 8, 11 and 17 clients.

Are these commits what you are referring to about scheme-based
normalization available in more recent versions (2.5+):

https://github.com/haproxy/haproxy/commit/89c68c8117dc18a2f25999428b4bfcef83f7069e
(MINOR: http: implement http uri parser)
https://github.com/haproxy/haproxy/commit/8ac8cbfd7219b5c8060ba6d7b5c76f0ec539e978
(MINOR: http: use http uri parser for scheme)
https://github.com/haproxy/haproxy/commit/69294b20ac03497e33c99464a0050951bdfff737
(MINOR: http: use http uri parser for authority)

If so, I can pull those into my 2.4 build and see if that works better for
Java clients.

Andrew

Reply via email to