On Fri, Sep 11, 2020 at 02:52:30AM -0400, John Lauro wrote:
> I could be wrong, but I think he is stating that if you have that
> allowed, it can be used to get a direct connection to the backend
> bypassing any routing or ACLs you have in the load balancer, so if
> some endpoints are blocked, or internal only, they could potentially
> be accessed this way.
> For example, if you have something like:
>   acl is_restrict path_sub /.git/
>   http-request deny if is_restrict !is_safe_ip
> 
> The ACL could be bypassed by using the method to connect directly to a
> backend.
> 
> That's not to say it's a security flaw in haproxy, but a potential
> misconfiguration that could allow traffic you thought was blocked by
> the proxy.

We're talking about an upgrade agreement between the client and the
server in order to use a protocol that the LB doesn't speak. This is
typically used for websocket; I remember having seen one terminal
server using this as well, maybe RDP or Citrix, I don't remember.

This is exactly the same as CONNECT+200: both ends agree to upgrade the
HTTP connection to another protocol till it ends. It's not HTTP that
applies once the tunnel is set up, so there are no filtering rules
nor whatever, exactly like after an accepted CONNECT request.

Willy
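A defender-side HAProxy configuration, added here as an illustration and not part of the original message, that pairs the quoted path ACL with rules allowing a protocol upgrade only on the one path where it is intended, so the tunnel cannot be opened to arbitrary backend paths; the `/ws/` prefix, the `10.0.0.0/8` range and the server address are assumed placeholder values.

```haproxy
frontend fe_web
    bind :80
    default_backend be_app

    # The path-based restriction from the quoted message
    acl is_safe_ip  src 10.0.0.0/8
    acl is_restrict path_sub /.git/
    http-request deny if is_restrict !is_safe_ip

    # Requests that would turn the connection into an opaque tunnel:
    # an explicit CONNECT, or any request carrying an Upgrade header.
    acl is_connect  method CONNECT
    acl is_upgrade  req.hdr(Upgrade) -m found
    # The only place a websocket upgrade is expected (assumed path)
    acl is_ws_path  path_beg /ws/

    # No CONNECT tunnels through this frontend at all
    http-request deny if is_connect
    # Upgrades are accepted only on the websocket endpoint; elsewhere
    # the http-request rules above would stop applying once 101 is sent
    http-request deny if is_upgrade !is_ws_path

backend be_app
    server app1 192.0.2.10:8080
```

Once a request is allowed through with Upgrade and the server answers 101, every later byte on that connection bypasses the `http-request` rules, which is why the gate has to sit on the upgrade request itself.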
