On 24 October 2012 16:03, Dmitry Sivachenko <[email protected]> wrote:
> Hello!
>
> I am running haproxy-1.4.22 with option accept-invalid-http-request turned
> on (the default).

Do you actually mean "off" here?

> It seems that haproxy successfully validates requests with unencoded '%'
> character in it:
>
> http://some.host.net/api/v1/do_smth?lang=en-ru&text=100%%20Pure%20Mulberry%20Queen
>
> (note unencoded % after 100).
>
> I see such requests in my backend's log.  I expect haproxy to return HTTP 400
> (Bad Request) in such cases.
>
> Is it a bug or am I missing something?

Percentage signs are valid in URIs. Your application could be doing
/anything/ with them; HAProxy doesn't know what.
I don't /believe/ it's a validating parser's job to disallow these -
it sounds like you want more of a WAF.

All IMHO, of course :-)

Jonathan
-- 
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
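
The kind of check the thread suggests belongs in a WAF or in the application, as an added example that is not part of either message and is not HAProxy code: RFC 3986 defines an escape as `%` followed by two hex digits, and this Python code flags every `%` in the path, query or fragment that does not fit that form. The function names and the `SAMPLE`/`FIXED` constants are assumptions made for illustration; `SAMPLE` is the URL quoted above.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 2.1: pct-encoded = "%" HEXDIG HEXDIG
# Match any '%' that is NOT followed by exactly that.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")

# URL from the thread, and a constructed variant where the literal
# percent sign is sent as %25.
SAMPLE = ("http://some.host.net/api/v1/do_smth"
          "?lang=en-ru&text=100%%20Pure%20Mulberry%20Queen")
FIXED = SAMPLE.replace("100%%20", "100%25%20")


def malformed_escapes(component):
    """Return (offset, snippet) for each '%' lacking two hex digits.

    Covers a '%' followed by non-hex characters as well as a '%'
    truncated at the end of the string ("%", "%2").
    """
    return [(m.start(), component[m.start():m.start() + 3])
            for m in _BAD_PCT.finditer(component)]


def check_url(url):
    """Map each URL component with malformed escapes to its findings."""
    parts = urlsplit(url)
    findings = {}
    for name in ("path", "query", "fragment"):
        bad = malformed_escapes(getattr(parts, name))
        if bad:
            findings[name] = bad
    return findings


def status_for(url):
    """Status a strict front end would return: 400 on any bad escape."""
    return 400 if check_url(url) else 200


if __name__ == "__main__":
    for u in (SAMPLE, FIXED):
        print(status_for(u), check_url(u), u)
```
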
