Hello

Haproxy 2.1 blocks a response with PH-- if the response has a Host header.

Haproxy config:

frontend default
        bind 127.0.0.1:8443
        use_backend default
        log stdout format raw local0
        mode http
        option httplog

backend default
        mode http
        http-request set-header Host mcntest.free.beeceptor.com
        server x mcntest.free.beeceptor.com:443 ssl sni str(mcntest.free.beeceptor.com) ssl verify none

Request without haproxy:

[root@1f8d018cdbee /]# curl https://mcntest.free.beeceptor.com:443 -v
* About to connect() to mcntest.free.beeceptor.com port 443 (#0)
*   Trying 165.227.26.218...
* Connected to mcntest.free.beeceptor.com (165.227.26.218) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=beeceptor.com
*       start date: Nov 02 19:01:58 2019 GMT
*       expire date: Jan 31 19:01:58 2020 GMT
*       common name: beeceptor.com
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mcntest.free.beeceptor.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 26 Nov 2019 22:50:21 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Host: mcntest.free.beeceptor.com
< 
* Connection #0 to host mcntest.free.beeceptor.com left intact

Request with haproxy:

[root@1f8d018cdbee /]# curl 127.0.0.1:8443 -v
* About to connect() to 127.0.0.1 port 8443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8443
> Accept: */*
> 
< HTTP/1.1 502 Bad Gateway
< content-length: 107
< cache-control: no-cache
< content-type: text/html
< connection: close
< 
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Closing connection 0

127.0.0.1:39820 [26/Nov/2019:22:53:09.560] default default/x 0/0/486/-1/681 502 229 - - PH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

Why is this request blocked? As soon as I remove the HOST header from the 
response (server side), it works fine.

NOTE: this worked in haproxy 2.0, no longer in 2.1, so it looks like a 
regression.

-- 
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu
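
Added example, not part of the original message: a small parser for the `option httplog` line quoted above that decodes the termination state (`PH--`) and the `Tr` timer, to separate a 502 generated by haproxy from one returned by the server. The function name `triage` and the second sample line are constructed for illustration; the state meanings follow HAProxy's logging documentation.

```python
import re

# Field order of an "option httplog" line in raw format (no syslog prefix).
HTTPLOG = re.compile(
    r'(?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>\+?-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\d+/\d+/\d+/\d+/\+?\d+ \d+/\d+ "(?P<request>[^"]*)"'
)

# First termination-state character: what ended the session.
CAUSE = {"C": "aborted by client", "S": "aborted or refused by server",
         "P": "aborted by the proxy (limit, deny rule or response security check)",
         "L": "handled locally by haproxy", "R": "proxy resource exhausted",
         "I": "proxy internal error", "D": "killed: server detected down",
         "U": "killed: active server came back up", "K": "killed by operator",
         "c": "client-side timeout", "s": "server-side timeout", "-": "normal completion"}
# Second character: what the session was doing when it ended.
PHASE = {"R": "waiting for a valid request", "Q": "waiting in queue",
         "C": "connecting to server", "H": "waiting for valid response headers",
         "D": "data transfer", "L": "sending last data to client",
         "T": "tarpitted", "-": "after end of transfer"}

# Log line from the message above, with the e-mail line wrap removed.
BLOCKED = ('127.0.0.1:39820 [26/Nov/2019:22:53:09.560] default default/x '
           '0/0/486/-1/681 502 229 - - PH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"')
# Constructed line for comparison: the same request completing normally.
NORMAL = ('127.0.0.1:39822 [26/Nov/2019:22:54:01.120] default default/x '
          '0/0/480/95/575 200 310 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"')

def triage(line):
    """Parse one httplog line and say whether haproxy itself produced the error."""
    m = HTTPLOG.search(line)
    if m is None:
        raise ValueError("not an httplog line")
    f = m.groupdict()
    term, tr = f["term"], int(f["Tr"])
    return {
        "server": f"{f['backend']}/{f['server']}", "status": int(f["status"]),
        "Tc": int(f["Tc"]), "Tr": tr, "term": term,
        "cause": CAUSE.get(term[0], "unknown"), "phase": PHASE.get(term[1], "unknown"),
        # PH with Tr == -1: the server connection worked, but haproxy rejected
        # the response while parsing its headers and generated the 502 itself.
        "proxy_rejected_response": term.startswith("PH") and tr == -1,
    }

if __name__ == "__main__":
    for sample in (BLOCKED, NORMAL):
        print(triage(sample))
```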
