Re: Regression in 2.1 with Host header sent by backends
On 27/11/2019 at 11:59, Christopher Faulet wrote:
> On 27/11/2019 at 04:03, Willy Tarreau wrote:
> > On Wed, Nov 27, 2019 at 12:31:48AM +0100, Lukas Tribus wrote:
> > > That said, I'm not sure this was really the intention of the change in
> > > question (commit 531b83e03 "MINOR: h1: Reject requests if the
> > > authority does not match the header host"). Christopher?
> >
> > I'm pretty sure it was not intended and as the commit message mentions,
> > it's more of an accidental side effect of correctly matching the Host
> > with the URI. I suspect we're lacking a direction check to make sure
> > the test only happens on the request path.
>
> You're right Willy, it is a bug. The host header must only be checked
> for the requests. I will push a fix.

FYI, the fix was merged and backported.

--
Christopher Faulet
Re: Regression in 2.1 with Host header sent by backends
On 27/11/2019 at 04:03, Willy Tarreau wrote:
> On Wed, Nov 27, 2019 at 12:31:48AM +0100, Lukas Tribus wrote:
> > That said, I'm not sure this was really the intention of the change in
> > question (commit 531b83e03 "MINOR: h1: Reject requests if the
> > authority does not match the header host"). Christopher?
>
> I'm pretty sure it was not intended and as the commit message mentions,
> it's more of an accidental side effect of correctly matching the Host
> with the URI. I suspect we're lacking a direction check to make sure
> the test only happens on the request path.

You're right Willy, it is a bug. The host header must only be checked for the requests. I will push a fix.

--
Christopher Faulet
Re: Regression in 2.1 with Host header sent by backends
On Wed, Nov 27, 2019 at 12:31:48AM +0100, Lukas Tribus wrote:
> That said, I'm not sure this was really the intention of the change in
> question (commit 531b83e03 "MINOR: h1: Reject requests if the
> authority does not match the header host"). Christopher?

I'm pretty sure it was not intended and as the commit message mentions, it's more of an accidental side effect of correctly matching the Host with the URI. I suspect we're lacking a direction check to make sure the test only happens on the request path.

Willy
Re: Regression in 2.1 with Host header sent by backends
Hello Julien,

On Wed, Nov 27, 2019 at 12:47 AM Julien Pivotto wrote:
> Yes indeed. I tested too and it works. I indeed tried
> accept-invalid-http-request like in the commit message
> instead of accept-invalid-http-response.
>
> My concern with the workaround is that there might be huge
> side effects.

All side effects are server controlled. If the server emits other invalid responses and haproxy lets them pass because it's configured to ignore them, then yes, the workaround may hide other issues.

However I assume that this server was used with previous haproxy releases in production without accept-invalid-http-response, so there are probably no other issues.

The general recommendation is to use those two options temporarily, until the root cause is fixed.

Lukas
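
The workaround discussed in this thread, scoped to the single backend that needs it so the relaxed response parsing does not apply to every server. This is an added example, not part of the original messages; the section names, the ACL and the addresses are hypothetical.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Deliberately NOT set here: putting the option in "defaults" would
    # relax response parsing for every backend, which widens the
    # side effects discussed in the thread.

frontend fe_main
    bind :8080
    # "option accept-invalid-http-request" is the client-side counterpart.
    # It relaxes parsing of requests and has no effect on what the
    # server sends back, so it does not help with this symptom.
    use_backend be_legacy if { path_beg /legacy }
    default_backend be_app

backend be_legacy
    # The server behind this backend sends a Host header in its responses.
    # Temporary workaround: accept the invalid response from this backend
    # only, and remove the line once the fixed HAProxy build is deployed
    # or the server stops emitting the header.
    option accept-invalid-http-response
    server legacy1 192.0.2.10:8080 check

backend be_app
    # Strict response parsing stays in force for well-behaved servers.
    server app1 192.0.2.20:8080 check
```

Running `haproxy -c -f <file>` checks that the configuration parses before it is reloaded.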
Re: Regression in 2.1 with Host header sent by backends
On 27 Nov 00:39, Lukas Tribus wrote:
> On Wed, Nov 27, 2019 at 12:36 AM Julien Pivotto wrote:
> >
> > On 27 Nov 00:31, Lukas Tribus wrote:
> > > Hello Julien,
> > >
> > > On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto wrote:
> > > > Haproxy 2.1 blocks a response with PH-- if the response has a Host
> > > > header.
> > >
> > > A Host header belongs to the request, not the response. Haproxy 2.1 is
> > > more strict in that regard. You can configure "option
> > > accept-invalid-http-response" to ignore it.
> > >
> > > That said, I'm not sure this was really the intention of the change in
> > > question (commit 531b83e03 "MINOR: h1: Reject requests if the
> > > authority does not match the header host"). Christopher?
> > >
> > > Lukas
> >
> > I tried this option after finding that commit, but it does not work.
> >
> > I know that that header belongs to requests normally but in this case we
> > have a backend that sends it in the response.
>
> I just tried it, it does work, but it needs to be
> option accept-invalid-http-response
>
> not
> option accept-invalid-http-request
>
> as mentioned in the commit, because this is about the server response,
> not the client request.

Yes indeed. I tested too and it works. I indeed tried accept-invalid-http-request like in the commit message instead of accept-invalid-http-response.

My concern with the workaround is that there might be huge side effects.

Thank you :)

>
> Lukas

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu
Re: Regression in 2.1 with Host header sent by backends
On Wed, Nov 27, 2019 at 12:36 AM Julien Pivotto wrote:
>
> On 27 Nov 00:31, Lukas Tribus wrote:
> > Hello Julien,
> >
> > On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto wrote:
> > > Haproxy 2.1 blocks a response with PH-- if the response has a Host header.
> >
> > A Host header belongs to the request, not the response. Haproxy 2.1 is
> > more strict in that regard. You can configure "option
> > accept-invalid-http-response" to ignore it.
> >
> > That said, I'm not sure this was really the intention of the change in
> > question (commit 531b83e03 "MINOR: h1: Reject requests if the
> > authority does not match the header host"). Christopher?
> >
> > Lukas
>
> I tried this option after finding that commit, but it does not work.
>
> I know that that header belongs to requests normally but in this case we
> have a backend that sends it in the response.

I just tried it, it does work, but it needs to be
option accept-invalid-http-response

not
option accept-invalid-http-request

as mentioned in the commit, because this is about the server response, not the client request.

Lukas
Re: Regression in 2.1 with Host header sent by backends
On 27 Nov 00:31, Lukas Tribus wrote:
> Hello Julien,
>
> On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto wrote:
> > Haproxy 2.1 blocks a response with PH-- if the response has a Host header.
>
> A Host header belongs to the request, not the response. Haproxy 2.1 is
> more strict in that regard. You can configure "option
> accept-invalid-http-response" to ignore it.
>
> That said, I'm not sure this was really the intention of the change in
> question (commit 531b83e03 "MINOR: h1: Reject requests if the
> authority does not match the header host"). Christopher?
>
> Lukas

I tried this option after finding that commit, but it does not work.

I know that that header belongs to requests normally but in this case we have a backend that sends it in the response.

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu
Re: Regression in 2.1 with Host header sent by backends
Hello Julien,

On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto wrote:
> Haproxy 2.1 blocks a response with PH-- if the response has a Host header.

A Host header belongs to the request, not the response. Haproxy 2.1 is more strict in that regard. You can configure "option accept-invalid-http-response" to ignore it.

That said, I'm not sure this was really the intention of the change in question (commit 531b83e03 "MINOR: h1: Reject requests if the authority does not match the header host"). Christopher?

Lukas