Hi Willy, Everyone,

On 8/17/21 5:13 PM, Willy Tarreau wrote:
> 2) Domain parts in ":scheme" and ":path"
>
> [...] As such HTTP/1 servers are safe and only HTTP/2 servers are exposed.

I'd like to clarify that the above statement is not true. The issue also affects H2->HAProxy->H1 connections. It allows forwarding a different 'host' header than the one HAProxy sees to the backend.

The 'http-request set-uri %[url]' workaround mentioned at the bottom of Willy's email also fixes the issue for HTTP/1 backends.

In any case, I recommend upgrading as soon as possible. That way you don't have to think about whether your setup requires a workaround or not.

Best regards
Tim Düsterhus
