Hi Willy, List,
Just a little check, was the mail below received properly with the 6
attachments (vtc/vtc/log/png/png/pcapng)?
(As it didn't show up on the mail-archive.)
Regards,
PiBa-NL (Pieter)
On 26-1-2019 at 21:04, PiBa-NL wrote:
Hi Willy,
On 25-1-2019 at 17:04, Willy Tarreau wrote:
Hi Pieter,
On Fri, Jan 25, 2019 at 01:01:19AM +0100, PiBa-NL wrote:
Hi List,
Attached a regtest which I 'think' should pass.
** s1 0.0 === expect tbl.dec[1].key == ":authority"
---- s1 0.0 EXPECT tbl.dec[1].key (host) == ":authority" failed
It seems to me the Host <> Authority conversion isn't happening
properly?
But maybe I'm just making a mistake in the test case...
I was using HA-Proxy version 2.0-dev0-f7a259d 2019/01/24 with this
test.
The test was inspired by the attempt to connect to mail google com, as
discussed in the "haproxy 1.9.2 with boringssl" mail thread. Not sure
if this is the main problem, but it seems suspicious to me.
It's not as simple, :authority is only required for CONNECT and is
optional for other methods with Host as a fallback. Clients are
encouraged to use it instead of the Host header field, according to
paragraph 8.1.2.3, but there is nothing indicating that a gateway may
nor should build one from scratch when translating HTTP/1.1 to HTTP/2.
In fact the authority part is generally not present in the URIs we
receive as a gateway, so what we'd put there would be completely
reconstructed from the host header field. I don't even know if all
servers are fine with authority only instead of Host.
Please note, I'm not against changing this, I just want to be sure we
actually fix something and that we don't break anything. Thus if you
have any info indicating there is an issue with this one missing, it
could definitely help.
Thanks!
Willy
Today I've given it another shot (connecting to mail google com).
Is there a way in haproxy to directly 'manipulate' the h2 headers?
Setting h2 header with set-header :authority didn't seem to work?
See attached some logs, a packet capture and a vtc that uses google's
servers itself.
It seems google replies "Header: :status: 400 Bad Request" but leaves
me 'guessing' why it would be invalid. Also the 'body' doesn't get
downloaded but haproxy terminates the connection, which curl then
reports as missing bytes. There are a few differences between the 2
GET requests, authority and scheme. But I also wonder if that is the
actual packet with the issue, H2 isn't quite as simple as H1 used to be ;).
Also with "h2-client-mail google vtc" the first request succeeds, but
the second where the Host header is used fails. I think this shows
there is a 'need' for the :authority header to be present? Or I mixed
something up...
p.s.
Wireshark doesn't nicely show/dissect the http2 requests made by vtest,
probably because for example the first magic packet is spread out over
multiple TCP packets. Is there a way to make it send them in one go, or
make haproxy 'buffer' the short packets into bigger complete
packets? I tried putting a little listen/bind/server section in the
request path, but it just forwarded the small packets as is.
Regards,
PiBa-NL (Pieter)
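
The two gateway behaviours discussed in this thread, as an added Python sketch that is not part of any message above and is not HAProxy code: an HTTP/1.1 to HTTP/2 header translation that either keeps Host or rebuilds :authority from it, and the receiving-side rule Willy describes (:authority required for CONNECT, Host as fallback otherwise). Function names, the `synthesize_authority` switch and the host `example.test` are assumptions made for the illustration.

```python
# Added illustration; names are hypothetical and the sample request is constructed.

# Connection-specific HTTP/1.1 fields that are not forwarded into HTTP/2.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade"}


def h1_to_h2_headers(method, path, h1_headers, scheme="https",
                     synthesize_authority=False):
    """Translate an origin-form HTTP/1.1 request into an HTTP/2 header list.

    By default Host is forwarded as a regular header and no :authority is
    emitted. With synthesize_authority=True the Host value is moved into
    :authority instead, which is the conversion the regtest expected.
    """
    host = next((v for k, v in h1_headers if k.lower() == "host"), None)
    use_authority = synthesize_authority and host is not None
    out = [(":method", method), (":scheme", scheme)]
    if use_authority:
        out.append((":authority", host))
    out.append((":path", path))
    # Regular fields follow the pseudo-headers, with lowercase names.
    for name, value in h1_headers:
        name = name.lower()
        if name in HOP_BY_HOP or (name == "host" and use_authority):
            continue
        out.append((name, value))
    return out


def effective_authority(h2_headers):
    """Return the host a receiver would route on, or None if it has neither."""
    fields = {}
    for name, value in h2_headers:
        fields.setdefault(name, value)
    if fields.get(":method") == "CONNECT":
        if ":authority" not in fields:
            raise ValueError("CONNECT request without :authority")
        return fields[":authority"]
    # Other methods: prefer :authority, fall back to the Host header field.
    return fields.get(":authority") or fields.get("host")


if __name__ == "__main__":
    sample = [("Host", "example.test"), ("Connection", "keep-alive"),
              ("Accept", "*/*")]
    for flag in (False, True):
        hdrs = h1_to_h2_headers("GET", "/", sample, synthesize_authority=flag)
        print(flag, hdrs, "->", effective_authority(hdrs))
```

Both translations resolve to the same host under the fallback rule, so a server that rejects only the Host form is applying a stricter policy than that rule requires.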