On 12/10/2023 15:07, Tristan wrote:
> Cool topic! A few things struck me (of various levels of pertinence, and
> sorry in advance for the digressions):
>
>> http-request del-header [Ff]orwarded.+ -m reg
>> http-request del-header [Xx]-[Ff]orwarded.+ -m reg
>
> I wonder about the regex use here to handle header case.
> The HTTP spec mandates that header names are case-insensitive
> (https://www.rfc-editor.org/rfc/rfc9110.html#fields), and the
> documentation (here for example:
> https://docs.haproxy.org/2.9/configuration.html#4.2-option%20h1-case-adjust-bogus-client)
> suggests that HAProxy does the right thing and normalizes them all to
> lower-case by default:

Could be that I don't need the checks for different case. Pretty sure
it isn't hurting anything to have it there, so I keep it. I'm no expert
at this!
>> http-request set-header X-H3 true if { so_name -i -m beg quic443 }
>
> you can use HTTP_3.0 as a more readable fetch here I think
> since:
> https://github.com/haproxy/haproxy/commit/89da4e9e5d8ef467d52beb9234f832aa9aa87bce in v2.9.0
>
> Though if you are looking to get "GET /" 200 HTTP/3.0 in logs for
> example, you can use %HV in logs (well, almost... see:
> https://github.com/haproxy/haproxy/issues/2095#issuecomment-1803179697
> the portion about HTTP versions).

I used the "name" option on all my bind lines. The ones for quic all
start with "quic443". By checking for that and setting a header,
applications can know that a given request uses HTTP3 in the browser.
The custom "X-H3" header is used by a silly little PHP program I wrote:
https://http3test.elyograg.org
If there is something more standard, I can always adjust that.
>> http-request set-header X-Scheme https
>> http-request set-header X-Forwarded-Scheme https
>> http-request set-header X-Forwarded-Proto https
>> http-request set-header X-Forwarded-HTTPS true
>> http-request set-header X-Forwarded-Host %[req.hdr(Host)]
>> http-request set-header X-Forwarded-SSL true
>> http-request set-header X-HTTPS on
>> http-request set-header X-SSL %[ssl_fc]
>
> I don't know how demanding your backends/developers are, but I'd
> consider threatening them with the nearest sharp object if they asked
> all of these from me...

I haven't got any developers. It's all personal websites, mostly using
off-the-shelf applications. Gitlab, Wordpress, Plex, and others. I
probably don't need all those headers, I was just setting everything I
could think of that a web application might use to detect that the
browser is using https.
My backend connections are not encrypted, except for plex.
Thanks,
Shawn
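The security point behind the del-header / set-header pair discussed above is that a backend which trusts X-Forwarded-* or Forwarded must only ever see values the proxy itself set, so anything the client sent under those names, in any letter case, has to be removed first. The following is an added example, not part of this thread and not HAProxy code: a small Python model of that strip-then-set step run over a constructed request whose client spoofs its origin with mixed-case header names. It also applies the first quoted regex, `[Ff]orwarded.+`, verbatim so the two behaviours can be compared; the only HAProxy-specific assumption is that `-m reg` evaluates the pattern as an unanchored search against the header name. The request bytes, the client address and the function names are all invented for the example.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Hypothetical stand-in for the del-header step in the quoted config. Header
# names compare case-insensitively (RFC 9110 section 5.1), so one pattern with
# re.IGNORECASE covers Forwarded, X-Forwarded-For, x-forwarded-proto and
# X-FORWARDED-HOST alike without spelling out [Ff] or [Xx].
CLIENT_FORWARDING_NAME = re.compile(r"^(x-)?forwarded(-[a-z0-9-]+)?$", re.IGNORECASE)

# The pattern from the first quoted del-header line, kept verbatim. Applying it
# as an unanchored search is an assumption about how "-m reg" is evaluated.
# Note that ".+" demands at least one character after "orwarded", so a bare
# "Forwarded" name is not selected, and [Ff] only covers the case of one letter.
ORIGINAL_PATTERN = re.compile(r"[Ff]orwarded.+")


def original_pattern_matches(name: str) -> bool:
    """True when the thread's own regex would select this header name."""
    return ORIGINAL_PATTERN.search(name) is not None


def parse_request(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request head into (request line, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def strip_client_forwarding_headers(headers: List[Header]) -> List[Header]:
    """Drop every Forwarded / X-Forwarded-* header the client sent, whatever its case."""
    return [(n, v) for n, v in headers if not CLIENT_FORWARDING_NAME.match(n)]


def add_proxy_headers(headers: List[Header], client_ip: str, tls: bool) -> List[Header]:
    """Append the values the proxy itself vouches for (mirrors the set-header lines)."""
    host = next((v for n, v in headers if n.lower() == "host"), "")
    proto = "https" if tls else "http"
    return headers + [
        ("X-Forwarded-For", client_ip),
        ("X-Forwarded-Proto", proto),
        ("X-Forwarded-Host", host),
        ("Forwarded", f'for="{client_ip}";proto={proto};host="{host}"'),
    ]


def forward(raw: bytes, client_ip: str, tls: bool) -> Tuple[str, List[Header]]:
    """Strip first, then set; the other order would delete the proxy's own values."""
    request_line, headers = parse_request(raw)
    headers = strip_client_forwarding_headers(headers)
    return request_line, add_proxy_headers(headers, client_ip, tls)


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values carried under a header name, compared case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed sample request: the client tries to pass as a loopback HTTPS
# client behind the proxy, using mixed-case names and a bare Forwarded header.
SPOOFED_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"X-FORWARDED-FOR: 127.0.0.1\r\n"
    b"x-forwarded-proto: https\r\n"
    b"X-Forwarded-Host: internal.example.org\r\n"
    b"Forwarded: for=127.0.0.1;proto=https\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    line, hdrs = forward(SPOOFED_REQUEST, client_ip="203.0.113.7", tls=True)
    print(line)
    for n, v in hdrs:
        print(f"{n}: {v}")
```

Running it shows the backend receiving exactly one X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host and Forwarded, each carrying what the proxy observed rather than what the client claimed, while unrelated headers such as User-Agent pass through untouched.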