Re: HAProxy - How to filter (all) Headers by Regex

2015-08-28 Thread Firman Gautama
Hi Baptiste,

In our production setup, the flow will be like this:

incoming clients request -- *HAProxy* (as a load balancer) -- Nginx (as a
router) -- App servers (java and ruby)

In our java app servers, sometimes there is an exception logged by
'Netty' (our java web server) with a message something like this:

java.lang.IllegalArgumentException: Header value contains a prohibited character '\f': ga^L???`?
    at org.jboss.netty.handler.codec.http.HttpHeaders.validateHeaderValue(HttpHeaders.java:1079) ~[io.netty.netty-3.9.3.Final.jar:na]
    at org.jboss.netty.handler.codec.http.DefaultHttpHeaders.validateHeaderValue0(DefaultHttpHeaders.java:128) ~[io.netty.netty-3.9.3.Final.jar:na]
    ...

It's complaining about the 'invalid characters' in the header. But I can't
seem to reproduce it manually, because I myself am not sure what kind of
'invalid' characters it had.

So now I'm wondering what kind of filtering is already done automatically
by HAProxy by default. And what if I want to add an extra 'regex' filter in
HAProxy for incoming headers, let's say I only want to allow [a-Z0-9], for
example? (So I can make sure that if the error message still occurs, that
means the traffic didn't come from HAProxy.)

It's hard to parse all the logs because there is quite a lot of traffic, so
I want to take a trial-and-error approach.

Regards,
Firman




On Fri, Aug 28, 2015 at 1:55 PM, Baptiste bed...@gmail.com wrote:


 On 28 Aug 2015 06:31, Firman Gautama firman.gaut...@gmail.com wrote:
 
  Hello All,
 
  I was just wondering what the best way is if we want to filter all
 headers by a certain regex to block invalid/malicious characters.
  I read the documentation, CMIIW, but the example there only shows the
 case where we know the specific header name.
  Does anybody know how to filter all the HTTP headers with a specific
 regex, so we could discard all the traffic with invalid headers and
 only forward the good ones?
 
  Regards,
  Firman Gautama

 Hi Firman,

 This is already haproxy's default behavior.
 Do you have an example of a 'weird' character which passed through?

 Baptiste
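
Added example (not part of the original thread, and not HAProxy or Netty code): a small scanner for captured raw request heads that reports which header value carries a control byte such as the form feed named in the exception above, so the offending request can be identified without guessing. The rejected byte set, the function name and the sample request are assumptions made for this illustration.

```python
import re

# Assumed rule set for this example: reject C0 control bytes other than
# horizontal tab (this covers form feed 0x0c, the '\f' in the exception above,
# vertical tab 0x0b, NUL, bare CR and bare LF), plus DEL.
PROHIBITED = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def find_bad_headers(raw_head: bytes):
    """Return [(header_name, offset_in_value, byte)] for each prohibited byte.

    raw_head is a request head as captured on the wire: request line, then
    header lines separated by CRLF, ending at the first empty line.
    Lines without a colon are reported as ("<no-colon line>", -1, -1).
    """
    findings = []
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append(("<no-colon line>", -1, -1))
            continue
        value = value.strip(b" \t")  # optional whitespace around the value
        for match in PROHIBITED.finditer(value):
            findings.append(
                (name.decode("latin-1"), match.start(), value[match.start()])
            )
    return findings


# Constructed sample request (not taken from real traffic): the X-Test value
# contains a form feed, shown as ^L in caret notation.
SAMPLE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Test: ga\x0cabc\r\n"
    b"User-Agent: sample-client\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, offset, byte in find_bad_headers(SAMPLE):
        print(f"{name}: prohibited byte 0x{byte:02x} at value offset {offset}")
```

Run against a packet capture or a debug dump taken between the proxy layers, this shows at which hop the control byte is already present.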



HAProxy - How to filter (all) Headers by Regex

2015-08-27 Thread Firman Gautama
Hello All,

I was just wondering what the best way is if we want to filter all headers
by a certain regex to block invalid/malicious characters.
I read the documentation, CMIIW, but the example there only shows the case
where we know the specific header name.
Does anybody know how to filter all the HTTP headers with a specific regex,
so we could discard all the traffic with invalid headers and only
forward the good ones?

Regards,
Firman Gautama