Too many headers http 400 Error while using revers proxies #40421
Comments
|
I believe this to be caused by this PR #38696 |
|
http documentation |
|
Hello, I have the pretty same issue. My external access setup is a bit complicated tho: External client -> Cloudflare -> Haproxy -> Home Assistant instance. My config is following (first is IP of haproxy): I have added all of CF ranges from https://www.cloudflare.com/ips/ But when I access HA from external site, I get these |
|
Edit: my bad. My nginx config actually had a duplicate entry of the |
|
Yeah @tomashejatko your setup is identical to mine and you also are getting the same errors. This seems to be limited to those of us using CloudFlare. Hoping this gains some traction. |
|
This is not a bug, but a configuration error in your reverse proxy configuration and is caused if the HTTP request that ends up with Home Assistant contains 2 or more Basically, CloudFlare already sets an The problem is: If Home Assistant receives 2 or more |
|
From HAProxy documentation: It really looks that haproxy send this header two times (I made little PHP script, it looked ok, but I am not sure if it will show duplicate headers or not) on my HASS backend, because I have Hope this will help somebody |
|
@tomashejatko For |
|
I don't know if I miss something, but there is no "append" parameter, not even in latest version: https://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4.2-option%20forwardfor - so the solution (more workaround IMHO) is to not use haproxy's X-Forwared-For header handling, as it will send it twice |
|
Sorry, I should have looked it up, instead of speaking from top of my mind (which was incorrect).
☝️ That is another solution that might put you into a workable direction. |
|
So in my case I have 2 frontends in HA Proxy for HomeAssistant. One is for internal usage and the other for external. I turned off the x-forwarded-for on the external HA Proxy and now I'm cooking with gas. Thank you @frenck for the explanation. |
|
Same error appear'd on my installation after upgrading to the latest version without any changes on my reverse proxy. I know it's a miss configuration but some users can be affected. |
are you able to axxess home assistant from outside via the HA Mobile app on a phone ? I can get it working from outside in a browser (whichI'd actually want to disable, but want to get the mobile working.) G |
|
@frenck While it's possible to work around that issue, I still think the Home Assistant webserver (and many other webserver implementations out there) fails to follow the de-facto standard for comma separated HTTP header values. For these headers both representations should be equivalent: <===> From what I read, HA chooses to print this message to avoid ambivalence (as there seem to be problems in the past where HA used the wrong header). IMHO there shouldn't be "wrong" values as this header contains a chain. If the request goes through multipe proxies, the There is an informative comment in the HAProxy repo: haproxy/haproxy#44 (comment) The "best" workaround is discussed in the HAProxy forums: This comment is particuarily interesting:
I really think this issue should be opened again. |
|
I also think this needs revisiting, Using Cloudflare then my PFsense router is causing me the same pain when trying to pass the real IP to home assistant rather then just the PFsense internal IP |
|
I don't really understand these things, but I finally figured it out! Again, had HAProxy reverse proxying everything just fine for some time. Then, several months ago - Home Assistant broke externally with the Too many headers error throwing up Cloudflare IPs and random LTE ones. Finally figured it out, and here is the picture of my new action on my backend. I had to do it this way, because I use 2 frontends only, http & https with https having checked the "Use "forwardfor" option" box. This was after trying multiple edits of copying and pasting what frenck wrote, and other threads all over. Hope this helps someone. |
in fact haproxy apply the x-forward is de facto standard... and most of the user of this standard reconnise only the version with coma... is why i've exchangerd on this on the haproxy issue... because only haproxy force this way of doing... the only solution is to not use |
|
@mcarbonneaux Please read my comment above. HAProxy is NOT the problem here. It's the HASSIO webserver not following the HTTP standard. The devs just seem ignorant about this... |
|
@flobernd i'm not ok with that, haproxy must support the two posibility of the http rfc not only one (multiheader vs one header with multi value, the two are ok with the rfc), and be configurable. and most of the application that support x-forward (quasi majority in fact) not support the multi header way of the http standard... haproxy as reverse proxy must be abel to adapt to the destination not the reverse... |
Even if that would be that case, issue is still on them. There is a HTTP standard for a reason and if you don't follow the standard (completely), you have to expect incompatibilities.
HAProxy does not know anything about the destination and as such it has to expect the destination server follows the HTTP standard. HAProxy understands the comma separated header perfectly fine and chooses one of the valid actions to perform as a proxy: appending a new header. Reasons for that can e.g. be read up here: haproxy/haproxy#44 (comment). The HTTP standard nowhere mentions that a proxy must support both variants. From a semantic perspective HAProxy does not alter the HTTP request at all! Judging from this comment it's pretty clear that the HASSIO devs never checked the HTTP standard. There is no ambiguity as they state in this comment and there is a well defined way to handle such requests. |
Thank you. Your solution is unfortunately the right one. I guess it infers some more processing for haproxy to replace the header on every incoming requests. Here's how the rule should look like in OPNSense HAproxy config page: Add the rule to your "Public service" config for your frontend proxy. |
when you use
i'm ok with that, and is why you must be abel to chose how haproxy apply the standard.... because not all backend are conform... specificaly about this aspect of the http standard (coma vs multiple header)...
yes but x-forward-for are not a real standard... but defacto standard... and many interpretation has been done on the way of backend interpret it... and haproxy must be abel to address this different intepretation, even if is the default way of dooing of haproxy is ok in relation of the http standard... is not the only way of doing from the standard view... and the http standard say coma or multiple header are equal... in that way he say that coma are valid too not juste multiple header... but if the application that are in back of haproxy are generaly not completly strict with http standard... haproxy with this default way of doing make reverse proxification of this application generaly ko... haproxy as reverse proxy must be standard compliant (not only with multiple header way... must be compliant with the two way of the standard http...) but also must be working in majority of the way of backend work... and in the x-forward defacto standard, in the majority of implementation are using coma... not multiple header... even it is partialy ok with the http standard... the chance with haproxy it as many way to be configured, and the good solution to be compatible with majority of the usage of x-forward header defacto standard, is to not use
ok adding header in place of replacing modified one is less performant (but with autoscaling infrastructure he had very ligth impact, and with new generation of processor we speak in microseconds...), but is working with majority of backend... is what i say to owner of haproxy... majority of the reverse proxy of the market (open source or proprietary) as chose this way of doing (replace and coma) because work by default... i arged that haproxy must have |
haproxy is partialy compliant with http standard because is conforming only on multiple header... but haproxy are reverse proxy and must abel to address the two way of the standard... because some backend chose one of them not the two... and i thing haproxy had chose the performance way of doing, but not the more compatible way of doing... |
Doesn't matter.
I disagree. HAProxy "understands" (or ignores) both variants for the incomming request which means it's fully compliant. They just choose to append a new header vs. altering the original one, but this is perfectly fine as it does not change the semantics of the altered request. That's what I'm trying to explain to you 🙂
For this part, I do agree. I think there is no point in discussing this any further. I've already linked an official comment of one of the HAProxy members which describes the exact reasons for not using the comma separated list:
They instead suggest ...
I personally agree with them to use the extra header as their default behavior and at the end it's their decision! HAProxy has this exact behavior for 22 years now (wow!) and there is no need to change this. Especially as they provide a workaround with the header rewrite functionality. HASSIO on the other hand has no good reason for not implementing both variants. Their explaination/excuse for not following the standard is just not valid. They wrote this:
They didn't know an answer to this question at that time, but it's well defined behavior as can be read up here. If a HTTP server receives two headers with the same name, they simply get combined in the same order they are specified: In the special case of Maybe @frenck could give this another look? 🙂 |
Thanks for pulling me into this conversation. It feels a bit demanding though... To answer your question there, I have no interest in looking at it at this point. This is old and closed as well. ../Frenck |
Sorry to hear that, but fair enough I guess...
This does not make it less relevant. Would you accept PRs about this? |
no I disagree, haproxy understand the inbound traffic in two way of the http standard, but when add x-forward he use only the way of adding header (not coma way) and is not simply configurable (only using http-request replace-header).
no, i disagree, if haproxy support fully the http standard he must be configurable to use the two way of doing depend on the backend way of doing. is not to the backend to adapt to the reverse proxy but is the reverse proxy to adapt to the backend...
the problem of using another header... is that you must recode many application that work with this header... and is not the reverse proxy to force the way of doing, the reverse proxy must adapt to the backend... and must but configurable ...
in real life they are no other header that are used in that way... only x-forward header... and is very special way of doing because are defacto standard.... if you whant to use the http standard you must use forwarded header in place of x-forward-*.... but none of the backend application know this header.... |
The problem
Environment
Problem-relevant
configuration.yamlTraceback/Error logs
Additional information
In the past I've never had to provide the proxy addresses of Cloudflare as my Firewall only allows those IPs to come in. As Cloudflare does everything in subnet IPs do I need to put the full subnet into my configuration.yaml? Will it accept standard IP subneting for the reverse proxy addresses? i.e. 0.0.0.0/24
Thank you for your help with this item.
The text was updated successfully, but these errors were encountered: