-
Notifications
You must be signed in to change notification settings - Fork 768
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CONNECT method: too strict checking of Host header #1159
Comments
RFC7231 #4.3.6:
Haproxy enforces this. You can disable the check with
I disagree, this is exactly what |
Technically the RFC says nothing about the
|
Relevant commit is this one: 531b83e |
Thanks a lot for the explanation and sorry for not spotting that in the changelog. |
Detailed description of the problem
Since ~ 2.2 haproxy shows a very strict checking of the Host header for the CONNECT method:
Using
works well as before.
Expected behavior
While I think that a strict Host/Connect string checkign makes sense, it is also common not to have the standard https port in the Host header. This breaks the proxy handling of current java and python3 versions for example. The only client I was able to find that actually sends the port number by default was curl.
Also I'd at least expect a proper log message in the http-log instead of receiving a 400 error without log message at all - the error is shown in show errors only.
Steps to reproduce the behavior
this one works:
Do you have any idea what may have caused this?
Wild guess: htx or some security fix to do a better check on Host headers for proxied connections.
Do you have an idea how to solve the issue?
I've tried to do a workaround by rewriting the Host header - doesn't work.
What is your configuration?
See above.
Output of
haproxy -vv
anduname -a
If HAProxy crashed: Last outputs and backtraces
no crash
Additional information (if helpful)
Same behaviour with haproxy 2.3.5 from Debian/experimental.
The text was updated successfully, but these errors were encountered: