On 12/10/2023 15:07, Tristan wrote:
Cool topic! A few things struck me (of various levels of pertinence, and sorry in advance for the digressions):

  http-request del-header [Ff]orwarded.+ -m reg
  http-request del-header [Xx]-[Ff]orwarded.+ -m reg

I wonder about the regex use here to handle header case.
The HTTP spec mandates that header names are case-insensitive (https://www.rfc-editor.org/rfc/rfc9110.html#fields), and the documentation (here for example: https://docs.haproxy.org/2.9/configuration.html#4.2-option%20h1-case-adjust-bogus-client) suggests that HAProxy does the right thing and normalizes them all to lower-case by default:

Could be that I don't need the checks for different case. Pretty sure it isn't hurting anything to have it there, so I keep it. I'm no expert at this!

  http-request set-header X-H3 true if { so_name -i -m beg quic443 }

You can use HTTP_3.0 as a more readable fetch here, I think, since https://github.com/haproxy/haproxy/commit/89da4e9e5d8ef467d52beb9234f832aa9aa87bce in v2.9.0.

Though if you are looking to get "GET /" 200 HTTP/3.0 in logs, for example, you can use %HV in logs (well, almost... see https://github.com/haproxy/haproxy/issues/2095#issuecomment-1803179697, the portion about HTTP versions).

I used the "name" option on all my bind lines. The ones for quic all start with "quic443". By checking for that and setting a header, applications can know that a given request uses HTTP3 in the browser. The custom "X-H3" header is used by a silly little PHP program I wrote:


If there is something more standard, I can always adjust that.

  http-request set-header X-Scheme https
  http-request set-header X-Forwarded-Scheme https
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-HTTPS true
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-SSL true
  http-request set-header X-HTTPS on
  http-request set-header X-SSL %[ssl_fc]

I don't know how demanding your backends/developers are, but I'd consider threatening them with the nearest sharp object if they asked all of these from me...

I haven't got any developers. It's all personal websites, mostly using off-the-shelf applications: GitLab, WordPress, Plex, and others. I probably don't need all those headers; I was just setting everything I could think of that a web application might use to detect that the browser is using https.

My backend connections are not encrypted, except for plex.
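
Added example, not part of the original message and not HAProxy code: a small Python model of the header-case question discussed above. It applies the two `del-header` patterns from the thread to constructed header names, with and without lower-casing the names first. Assumptions: matching is modelled as an unanchored regex search, and `STRICT_PATTERNS` is a hypothetical alternative pattern used only for comparison.

```python
import re

# The two patterns from the del-header lines quoted in this thread.
PAGE_PATTERNS = [r"[Ff]orwarded.+", r"[Xx]-[Ff]orwarded.+"]

# Hypothetical alternative: lower-case only, anchored, no trailing ".+".
STRICT_PATTERNS = [r"^(x-)?forwarded"]

# Constructed sample header names, as a client could send them.
SAMPLE_NAMES = [
    "X-Forwarded-For",
    "x-forwarded-proto",
    "X-FORWARDED-HOST",
    "FORWARDED-FOR",
    "Forwarded",        # bare name, nothing after "Forwarded"
    "Host",
    "User-Agent",
]


def surviving(names, patterns, normalize):
    """Return the header names that no pattern would delete.

    normalize=True models a proxy that lower-cases header names before
    matching; normalize=False matches the names exactly as received.
    Matching is an unanchored search (an assumption of this model).
    """
    compiled = [re.compile(p) for p in patterns]
    kept = []
    for name in names:
        candidate = name.lower() if normalize else name
        if not any(rx.search(candidate) for rx in compiled):
            kept.append(name)
    return kept


if __name__ == "__main__":
    cases = [
        ("page patterns, raw names", PAGE_PATTERNS, False),
        ("page patterns, lower-cased names", PAGE_PATTERNS, True),
        ("strict pattern, lower-cased names", STRICT_PATTERNS, True),
    ]
    for label, patterns, normalize in cases:
        print(f"{label}: kept {surviving(SAMPLE_NAMES, patterns, normalize)}")
```

In this model the `[Ff]`/`[Xx]` classes only cover the case of the first letter, so whether all-caps variants are removed depends entirely on the names being lower-cased before matching. The trailing `.+` also means a header named exactly `Forwarded` is kept either way.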

