Comments (6)
These tests are more surface tests than anything else. Internally the whole URI is conveyed along the path, and it is analyzed by the various parts that need it (e.g. path() sample fetch function, etc). If, for example, you observe the same request received over H1 and forwarded over H2, you'll see it split this way (and rejected by the next hop since the path does not start with / and is not *):
[00|h2|1|mux_h2.c:5308] h2c_dec_hdrs(): h2c=0x122a2d0(F,FRP) dsi=1 rcvh :method: GET
[00|h2|1|mux_h2.c:5308] h2c_dec_hdrs(): h2c=0x122a2d0(F,FRP) dsi=1 rcvh :scheme: https
[00|h2|1|mux_h2.c:5308] h2c_dec_hdrs(): h2c=0x122a2d0(F,FRP) dsi=1 rcvh :path: admin
We've seen what can be cleaned up, but again, it really has no impact beyond not being pretty.
from haproxy.
Thanks for your report. I'm wondering when we broke that, we'll have a look.
from haproxy.
So we had a look and actually it's not an authority that is passed, it's the path, and it's not modified along the path. If you replace the server behind with a standard netcat, you'll see that "GET admin" is sent as-is, there's no transformation such as prepending a slash. It's basically as if you were passing through a TCP proxy. It's still supported for historical/legacy reasons (normally paths should either begin with '/' or be exactly '*' but only for the OPTIONS method).
One could argue that this could expose vulnerable servers, such as the one you're showing that is incorrectly prepending a '/' in front of the requests it receives, but one could also argue that the goal of a reverse proxy is to be the most transparent possible and not necessarily to try to plug all possible holes of servers behind.
We've discussed possibly enforcing '/' or '*' by default for paths in 3.1; that could be an acceptable breaking change I think, given that broken applications relying on paths not starting with '/' should not exist anymore.
from haproxy.
I see that in include/haproxy/http.h, http_uri_parser_init will set parser.format to URI_PARSER_FORMAT_ABSURI_OR_AUTHORITY if the first character of the URI is not * or /.
Later, in src/http.c, if http_parse_path doesn't find a scheme (using http_parse_scheme), then it indicates that the URI is in authority format and the path won't be present.
So with "GET admin", HAProxy currently doesn't see "admin" as a path (this is why a path ACL rule will not detect "admin" to reject the request), or am I mistaken?
from haproxy.
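Added example (not HAProxy code and not from any commenter): a small C model of the target classification the previous comment walks through, together with a path ACL check and the stricter acceptance rule discussed in the thread. The scheme grammar and the CONNECT authority-form case follow RFC 9112 rather than the thread, and treating an empty path after the host as "/" is an assumption.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
/* Added example, not HAProxy code: mirrors the target parsing described above.
 * RFC 9112 forms: origin "/x", "*", absolute "scheme://host/x", authority (rest). */
enum target_form { T_ORIGIN, T_ASTERISK, T_ABSOLUTE, T_AUTHORITY };
/* Length of a leading "scheme://" (ALPHA *(ALPHA/DIGIT/"+"/"-"/".")), else 0. */
static size_t scheme_len(const char *s)
{
    size_t i = 0;
    if (!isalpha((unsigned char)s[0]))
        return 0;
    while (s[++i] && (isalnum((unsigned char)s[i]) || strchr("+-.", s[i])))
        ;
    return strncmp(s + i, "://", 3) == 0 ? i + 3 : 0;
}
/* Classify the target; *path gets the path component or NULL when there is
 * none (authority form), which is what leaves "admin" invisible to path ACLs. */
enum target_form classify_target(const char *t, const char **path)
{
    size_t sl;
    *path = NULL;
    if (t[0] == '/') { *path = t; return T_ORIGIN; }
    if (strcmp(t, "*") == 0) { *path = t; return T_ASTERISK; }
    /* Neither '/' nor '*': absolute URI or authority, decided by the scheme. */
    if ((sl = scheme_len(t)) > 0) {
        const char *p = strchr(t + sl, '/');
        *path = p ? p : "/";   /* empty path after the host taken as "/" (assumption) */
        return T_ABSOLUTE;
    }
    return T_AUTHORITY;        /* "admin" ends up here with no path at all */
}
/* Emulates an ACL like "path_beg /admin": it can only match when a path exists. */
bool acl_path_beg(const char *t, const char *prefix)
{
    const char *p;
    classify_target(t, &p);
    return p && strncmp(p, prefix, strlen(prefix)) == 0;
}
/* Stricter acceptance as discussed in the thread: origin-form and absolute-form
 * always, "*" only with OPTIONS, bare authority form only for CONNECT. */
bool target_strict_ok(const char *method, const char *t)
{
    const char *p;
    switch (classify_target(t, &p)) {
    case T_ORIGIN: case T_ABSOLUTE: return true;
    case T_ASTERISK: return strcmp(method, "OPTIONS") == 0;
    default: return strcmp(method, "CONNECT") == 0;
    }
}
```

With a target of "admin" the ACL check never sees a path and so cannot reject it, while the strict rule refuses the request before it is forwarded.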
I see your point. Thanks.
from haproxy.
Some patches were pushed to fix this issue. With Willy, we decided to be stricter on the target request parsing. So, it should be good now. However, the main fix will not be backported because it is a breaking change. And it is still annoying to perform this kind of change in stable versions. Thanks!
from haproxy.