Hi Willy, Yeah, I agree with you. I report it only to make haproxy team know this side case. I have contacted fortinet's tech to check if this is the "feature" of fortiweb product or product configuration mistake.
BR, DeltaY 2013/12/31 Willy Tarreau <[email protected]> > On Tue, Dec 31, 2013 at 02:04:02PM +0800, Delta Yeh wrote: > > Hi Lukas, > > I know the response is crappy like Baptiste said. > > But as a reverse proxy, nginx works OK for this website, it would be > > better if haproxy also works for such website. > > > > The debug output of wget is: > > Could you please provide a PCAP output instead ? Your copy-paste is > clearly missing some parts. The fact that some "headers" are left in > the body should not block anything, they will just be delivered as a > body to the client. So there's something else. > > Also, the fact that proxy X or browser Y accepts to deliver non-compliant > contents isn't a good sign in general, it often means that it's vulnerable > to security issues. Just like haproxy when you enable option > "accept-invalid-http-responses". If someone told me that haproxy works with > this option and squid does not, I would not consider it squid's fault. > > And as Lukas said, please check with Fortinet's support, this bug seems > so huge that it there's obviously a fix already. > > Best regards, > Willy > >
