I have a backend in haproxy for my Solr server. Solr lives unencrypted
on port 8983, haproxy provides TLS for it, on a name like
`solr.example.com`.
Everything works fully as expected with HTTP 1.1, 2, or 3.
If I send a request with curl using any HTTP version to
https://solr.example.com/, it results in a 302 response.
If the request is HTTP/1.0, Solr is revealing the internal IP address --
the location header is https://172.31.8.104:8983/solr/ which will not
work -- the port isn't exposed to the Internet, isn't using TLS, and the
private IP address is only valid within the AWS VPC. An interesting
detail: If I send the HTTP/1.0 request directly to Solr, it does NOT
reveal the internal address. That only happens for requests relayed by
haproxy.
The backend connection is HTTP/2, as I have "proto h2" on the server line.
The curl command gets a response that's HTTP/1.1 even though it sent 1.0.
What I would like to do is deny HTTP/1.0 requests, but I have not been
able to figure out a way to do that. Alternately, if there is a way for
haproxy to intercept headers with the internal address and replace them
with a hostname, I can do that instead.
While looking into this, I found that Solr is logging HTTP/1.0 requests
for haproxy check requests, even though I configured "check-proto h2" on
the server line. Actual requests are logged as HTTP/2 as expected, but
check requests (which use /solr/ as the URL path) are being logged as
HTTP/1.0:
172.31.8.104 - - [05/Jul/2023:18:08:54 +0000] "GET /solr/ HTTP/1.0" 200
17035
172.31.8.104 - - [05/Jul/2023:18:08:57 +0000] "POST /solr/dovecot/update
HTTP/2.0" 200 180
172.31.8.104 - - [05/Jul/2023:18:08:57 +0000] "POST /solr/dovecot/update
HTTP/2.0" 200 155
172.31.8.104 - - [05/Jul/2023:18:09:04 +0000] "GET /solr/ HTTP/1.0" 200
17035
172.31.8.104 - - [05/Jul/2023:18:09:15 +0000] "GET /solr/ HTTP/1.0" 200
17035
172.31.8.104 - - [05/Jul/2023:18:09:25 +0000] "GET /solr/ HTTP/1.0" 200
17035
haproxy -vv output:
HAProxy version 2.8.1 2023/07/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2
2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.1.html
Running on: Linux 5.15.0-1039-aws #44~20.04.1-Ubuntu SMP Thu Jun 22
12:21:12 UTC 2023 x86_64
Build options :
TARGET = linux-glibc
CPU = native
CC = cc
CFLAGS = -O2 -march=native -g -Wall -Wextra -Wundef
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond
-Wnull-dereference -fwrapv -Wno-address-of-packed-member
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered
-Wno-missing-field-initializers -Wno-cast-function-type
-Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1
USE_PCRE2_JIT=1
DEBUG =
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY
+CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE
-LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH
-MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL
-OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL
-PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL
-STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY
-WURFL +ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256,
default=2).
Built with OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
Running on OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.4.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Thanks,
Shawn