Hi Tim,

On Sun, Jan 07, 2024 at 01:01:34PM +0100, Tim Düsterhus wrote:
> Willy,
>
> On 1/6/24 15:08, Willy Tarreau wrote:
> > multiple frontend nodes, etc. One of the issues is directly related to
> > the current lack of ability to force to close a connection from HTTP
> > rules, but even without rules, it makes sense to be able to say that
>
> This feature request of mine is probably relevant here, unless it's already
> on your radar:
>
> https://github.com/haproxy/haproxy/issues/969
Yep, I have it in mind, but thanks for the reminder; there are a few other
ones as well (I grepped for keep-alive and for close in the issue tracker to
make sure not to miss any). That's among the cases of closing after (i.e.
without breaking existing streams).

> I wanted to bump it anyway in the context of CVE-2023-44487, but so far
> didn't get around to reading all the related HAProxy discussion in its
> entirety, yet :-)

Well, it's not directly related, because regarding that attack (rapid reset),
streams are created and instantly aborted; most of the time the rules do not
even have the time to be evaluated. However, as a general rule I agree that we
need to improve our ability to forcefully close an annoying connection; that's
particularly true for H2 and H3, which can exchange a lot without even creating
streams. But I've started working on this, because sooner or later new attacks
will come and I don't want us to have to rush an emergency workaround nor to
have to degrade the quality of service.

Willy