Skip to content
Permalink
Browse files

fix(aws-lambda) strip headers that are disallowed by HTTP/2

We currently access Lambda over HTTP/1.1, and it returns a Connection
header as such. The Connection header is not used in HTTP/2 (it is
superseded by other protocol features) and including it violates RFC
7540 8.1.2.2.

Per the same "an intermediary transforming an HTTP/1.x
message to HTTP/2 will need to remove any header fields nominated by the
Connection header field, along with the Connection header field itself.",
we also remove additional headers. Lambda does not currently emit these,
and the RFC indicates it's not strictly necessary to strip them unless they're
nominated by Connection, but their presence will break some HTTP/2
implementations (libcurl and Chrome at least, possibly others), so stripping
them is future-proof against Lambda adding them in the future.

From #4032
  • Loading branch information...
rainest authored and thibaultcha committed Dec 3, 2018
1 parent 62f6f30 commit f2ee98e2d50d0c70caed4cf19a7a5d48057b9c4f
Showing with 9 additions and 1 deletion.
  1. +9 −1 kong/plugins/aws-lambda/handler.lua
@@ -129,12 +129,12 @@ function AWSLambdaHandler:access(conf)
AWSLambdaHandler.super.access(self)

local upstream_body = new_tab(0, 6)
local var = ngx.var

if conf.forward_request_body or conf.forward_request_headers
or conf.forward_request_method or conf.forward_request_uri
then
-- new behavior to forward request method, body, uri and their args
local var = ngx.var

if conf.forward_request_method then
upstream_body.request_method = var.request_method
@@ -230,6 +230,14 @@ function AWSLambdaHandler:access(conf)
local content = res:read_body()
local headers = res.headers

if var.http2 then
headers["Connection"] = nil
headers["Keep-Alive"] = nil
headers["Proxy-Connection"] = nil
headers["Upgrade"] = nil
headers["Transfer-Encoding"] = nil
end

local ok, err = client:set_keepalive(conf.keepalive)
if not ok then
return responses.send_HTTP_INTERNAL_SERVER_ERROR(err)

0 comments on commit f2ee98e

Please sign in to comment.
You can’t perform that action at this time.