I have a backend in haproxy for my Solr server. Solr lives unencrypted on port 8983, haproxy provides TLS for it, on a name like `solr.example.com`.

Everything works fully as expected with HTTP 1.1, 2, or 3.

If I send a request with curl using any HTTP version to https://solr.example.com/, it results in a 302 response.

If the request is HTTP/1.0, Solr is revealing the internal IP address -- the location header is https://172.31.8.104:8983/solr/ which will not work -- the port isn't exposed to the Internet, isn't using TLS, and the private IP address is only valid within the AWS VPC. An interesting detail: If I send the HTTP/1.0 request directly to Solr, it does NOT reveal the internal address. That only happens for requests relayed by haproxy.

The backend connection is HTTP/2, as I have "proto h2" on the server line.

The curl command gets a response that's HTTP/1.1 even though it sent 1.0.

What I would like to do is deny HTTP/1.0 requests, but I have not been able to figure out a way to do that. Alternately, if there is a way for haproxy to intercept headers with the internal address and replace them with a hostname, I can do that instead.

While looking into this, I found that Solr is logging HTTP/1.0 requests for haproxy check requests, even though I configured "check-proto h2" on the server line. Actual requests are logged as HTTP/2 as expected, but check requests (which use /solr/ as the URL path) are being logged as HTTP/1.0:

172.31.8.104 - - [05/Jul/2023:18:08:54 +0000] "GET /solr/ HTTP/1.0" 200 17035
172.31.8.104 - - [05/Jul/2023:18:08:57 +0000] "POST /solr/dovecot/update HTTP/2.0" 200 180
172.31.8.104 - - [05/Jul/2023:18:08:57 +0000] "POST /solr/dovecot/update HTTP/2.0" 200 155
172.31.8.104 - - [05/Jul/2023:18:09:04 +0000] "GET /solr/ HTTP/1.0" 200 17035
172.31.8.104 - - [05/Jul/2023:18:09:15 +0000] "GET /solr/ HTTP/1.0" 200 17035
172.31.8.104 - - [05/Jul/2023:18:09:25 +0000] "GET /solr/ HTTP/1.0" 200 17035

haproxy -vv output:
HAProxy version 2.8.1 2023/07/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.1.html
Running on: Linux 5.15.0-1039-aws #44~20.04.1-Ubuntu SMP Thu Jun 22 12:21:12 UTC 2023 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
Running on OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.4.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

Thanks,
Shawn
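The two mitigations asked about above, as an added configuration example that is not Shawn's own config: refusing HTTP/1.0 at the frontend with haproxy's predefined HTTP_1.0 ACL, and rewriting a Location header that still carries the private address and plain-text port. The section names, certificate path and the http-check line are assumptions; the server line reuses the "proto h2" and "check-proto h2" settings described in the post.

```haproxy
# Added example, not the poster's configuration. Assumed: section names,
# certificate path, http-check line. Backend address/port are from the post.
frontend fe_solr
    mode http
    bind :443 ssl crt /etc/haproxy/certs/solr.example.com.pem alpn h2,http/1.1

    # Option 1: refuse HTTP/1.0 at the edge. HTTP_1.0 is a predefined
    # haproxy ACL equivalent to "req.ver 1.0". The client gets a 403 and
    # nothing is relayed to Solr, so no redirect can leak the internal address.
    http-request deny if HTTP_1.0

    default_backend be_solr

backend be_solr
    mode http

    # Health checks: "http-check send" defaults to HTTP/1.0 unless "ver" is
    # given, so request /solr/ as HTTP/1.1 with an explicit Host header.
    option httpchk
    http-check send meth GET uri /solr/ ver HTTP/1.1 hdr Host solr.example.com
    server solr1 172.31.8.104:8983 proto h2 check check-proto h2

    # Option 2: belt and braces. If the backend still answers with a redirect
    # to its private IP and unencrypted port, rewrite the Location header to
    # the public name before it reaches the client. "[.]" is used instead of
    # "\." so the regex does not depend on config-file backslash escaping.
    http-response replace-header Location ^https?://172[.]31[.]8[.]104:8983(.*)$ https://solr.example.com\1
```

Reload haproxy and repeat the `curl --http1.0` request: with option 1 it is refused before reaching Solr, and with option 2 alone any leaked redirect arrives as https://solr.example.com/solr/.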
