The option works great!
2010/12/30 Willy Tarreau <[email protected]>:
> Hi,
>
> On Thu, Dec 30, 2010 at 04:00:19PM +0800, Delta Yeh wrote:
>> More tests show that Apache and Nginx work as reverse proxy is OK.
>>
>> For haproxy, change proto_http.c array http_is_token
>>
>> ['/'] = 0 to ['/'] = 1
>>
>> fix this issue.
>>
>> It seems haproxy do more strict check against RFC.
>>
>> Willy, would you please make haproxy not so strict with RFC?
>
> No, a slash cannot appear in a header name and both your header and
> your fix are wrong. The RFC is very clear on the subject :
>
> token = 1*<any CHAR except CTLs or separators>
> separators = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
>
> "/" being a separator, it cannot be part of a token, so your header
> "video/x-flv:" is simply invalid and not HTTP compliant.
>
> You can set the option "accept-invalid-http-responses" for the time
> it takes to fix the application, but you should not run that way for
> a long time because you have no way to know who correctly receives
> your data. Also, keep in mind that HTTP-based components are getting
> closer to RFCs every day due to the huge number of vulnerabilities
> implied by their lack of checking, and that what works today with
> such a hack might not work tomorrow after an update anywhere in the
> chain.
>
> Hoping this helps,
> Willy
>
>
