I could be wrong, but I think he is stating that if you have that
allowed, it can be used to get a direct connection to the backend,
bypassing any routing or ACLs you have in the load balancer, so if
some endpoints are blocked, or internal only, they could potentially
be accessed this way.
For example, if you have something like:
  # is_safe_ip is assumed to be defined elsewhere in the config (e.g. a src match)
  acl is_restrict path_sub /.git/
  http-request deny if is_restrict !is_safe_ip

The acl could be bypassed by using the method to connect directly to a backend.

That's not to say it's a security flaw in haproxy, but a potential
misconfiguration that could allow traffic you thought was blocked by
the proxy.


On Fri, Sep 11, 2020 at 2:07 AM Willy Tarreau <w...@1wt.eu> wrote:
>
> Hi Igor,
>
> On Fri, Sep 11, 2020 at 01:55:10PM +1000, Igor Cicimov wrote:
> > Should we be worried?
> >
> > https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel
>
> But this stuff is total non-sense. Basically the guy is complaining
> that the products he tested work exactly as desired, designed and
> documented!
>
> The principle of the upgrade at the gateway level precisely is to say
> "OK both the client and the server want to speak another protocol you
> agreed upon, let me retract" and let them talk over a tunnel. That's
> exactly what is needed to support WebSocket for example. The simple
> fact that he found that many proxies/gateways work like this should
> ring a bell about the intended behavior!
>
> In addition there is zero smuggling here as there is no desynchronisation.
> It's just a tunnel between the client and the server, both agreeing to
> do so. It does *exactly* the same as if the client had connected to the
> server using a CONNECT method and the server had returned 200. So there
> is absolutely no attack nor whatever here, just a connection that remains
> dedicated to a client and a server till the end.
>
> Sadly, as usual after people discover protocols during the summer, some
> journalists will surely want to make noise about this to put some bread
> on their table...
>
> Thanks for the link anyway I had a partial laugh; partial only because
> it makes useless noise.
>
> Cheers,
> Willy
>

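To make the misconfiguration discussed above concrete, here is an added example config (written for this page, not taken from the thread or from the HAProxy project). It shows the weak frontend, where only a path ACL guards /.git/ and any Upgrade request is relayed to the backend, next to a hardened frontend that only lets the WebSocket upgrade through and strips the cleartext HTTP/2 upgrade headers. The addresses, ports, backend name and the 10.0.0.0/8 "safe" range are assumed values; the "h2c" upgrade token and its companion HTTP2-Settings header are the mechanism covered by the linked Daily Swig article, which the thread itself only refers to as "the upgrade".

```haproxy
# Added example, not the thread's or HAProxy's own config. Hosts, ports and the
# trusted source range are assumptions chosen for illustration.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Weak: http-request rules are evaluated on the initial HTTP/1.1 request
# only. If that request carries "Upgrade: h2c" (or any Upgrade token the
# backend accepts) and the backend answers 101 Switching Protocols, HAProxy
# turns the connection into an opaque tunnel. Everything the client sends
# afterwards, including requests for /.git/, reaches the backend without
# being matched against the ACLs below.
frontend fe_weak
    bind 0.0.0.0:8080
    acl is_restrict path_sub /.git/
    acl is_safe_ip  src 10.0.0.0/8
    http-request deny if is_restrict !is_safe_ip
    default_backend be_app

# --- Hardened: relay only the Upgrade the application actually needs
# (WebSocket here) and remove the headers that negotiate a cleartext HTTP/2
# upgrade, so no tunnel that skips the path ACL can be established.
frontend fe_hardened
    bind 0.0.0.0:8081
    acl is_restrict  path_sub /.git/
    acl is_safe_ip   src 10.0.0.0/8
    acl has_upgrade  req.hdr(Upgrade) -m found
    acl is_websocket req.hdr(Upgrade) -i websocket
    acl is_h2c       req.hdr(Upgrade) -i h2c

    http-request deny if is_restrict !is_safe_ip
    # Refuse any upgrade attempt that is not a WebSocket upgrade.
    http-request deny deny_status 400 if has_upgrade !is_websocket
    # Defence in depth: an Upgrade header can list several tokens
    # ("h2c, websocket"), so also drop the whole header when h2c is present,
    # together with the HTTP2-Settings header that accompanies it.
    http-request del-header Upgrade if is_h2c
    http-request del-header HTTP2-Settings
    default_backend be_app

backend be_app
    server app1 127.0.0.1:9000
```

A quick check for an existing deployment is to send a GET through the proxy with the headers `Connection: Upgrade, HTTP2-Settings`, `Upgrade: h2c` and an `HTTP2-Settings` value and look at the status: a 101 Switching Protocols coming back from the weak frontend (with a backend that supports h2c) means the proxy is relaying the upgrade and will tunnel whatever follows, while the hardened frontend answers 400 before anything reaches the backend.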