Allow Multiple User Agents Headers

[danieldiekmeier]

Hello!

Thank you for all your work on Async and Falcon. We're in the process of migrating our largest Rails app from Puma to Falcon and the performance improvement is very impressive.

After deploying to production, I noticed a lot of dropped requests. According to the nginx error logs, Falcon closed the connection before sending a response. After a lot of debugging, I discovered that the problem seems to be that Protocol::HTTP doesn't allow multiple user agent headers. (From what I can see, it looks like it's mainly the Googlebot that sends the header multiple times.)

curl http://localhost:3000/en -H "User-Agent: foobar/2000" -H "User-Agent: foobar/2001"                                                
curl: (52) Empty reply from server

Protocol::HTTP::DuplicateHeaderError: Duplicate singleton header key: "user-agent"
               |   	Existing value: "foobar/2000"
               |   	New value: "foobar/2001"

This seems pretty harsh. Do you know what the reason for that is?

protocol-http/lib/protocol/http/headers.rb

Line 348 in a2f2d1c

"user-agent" => false,

protocol-http/lib/protocol/http/headers.rb

Lines 455 to 457 in a2f2d1c

	if hash.key?(key)
	raise DuplicateHeaderError.new(key, hash[key], value)
	end

Puma (and nginx, as far as I can tell) handle this by concatenating the headers together, e.g. foobar/2000, foobar/2001.

Additionally, the header value that actually gets sent to Rack is foobar/2000,foobar/2001 anyway, because it gets concatenated in Protocol::Rack::Adapter::Generic.unwrap_headers.

I "fixed" this for our app by adding an initializer, but I was wondering if this problem wouldn't hit all users of Falcon that get Googlebot traffic.

# config/initializers/falcon.rb

Protocol::HTTP::Headers::POLICY["user-agent"] = Protocol::HTTP::Header::Split

[ioquatix]

Multiple user agent headers is not compliant with the HTTP specs, it’s surprising if Google bot is sending multiple values. Can you provide more evidence/details?

[danieldiekmeier]

Yes, of course, I'll try. First, this is the warning that Falcon shows:

{
  "time": "2026-05-23T08:12:24+00:00",
  "severity": "warn",
  "process_id": 41,
  "fiber_id": 823928,
  "pid": 41,
  "subject": "Async::Task",
  "object_id": 823936,
  "annotation": "Reading HTTP/1.1 requests for Async::HTTP::Protocol::HTTP1::Server.",
  "message": "Task may have ended with unhandled exception.",
  "event": {
    "type": "failure",
    "root": "/rails",
    "class": "Protocol::HTTP::DuplicateHeaderError",
    "message": "Duplicate singleton header key: \"user-agent\"\n\tExisting value: \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36\"\n\tNew value: \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\n",
    "backtrace": [
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http-0.62.2/lib/protocol/http/headers.rb:456:in 'Protocol::HTTP::Headers#merge_into'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http-0.62.2/lib/protocol/http/headers.rb:473:in 'block in Protocol::HTTP::Headers#to_h'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http-0.62.2/lib/protocol/http/headers.rb:472:in 'Array#each'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http-0.62.2/lib/protocol/http/headers.rb:472:in 'Protocol::HTTP::Headers#to_h'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http-0.62.2/lib/protocol/http/headers.rb:311:in 'Protocol::HTTP::Headers#[]'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http1-0.39.0/lib/protocol/http1/connection.rb:169:in 'Protocol::HTTP1::Connection#persistent?'",
      "/usr/local/bundle/ruby/4.0.0/gems/protocol-http1-0.39.0/lib/protocol/http1/connection.rb:417:in 'Protocol::HTTP1::Connection#read_request'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-http-0.95.1/lib/async/http/protocol/http1/request.rb:33:in 'Async::HTTP::Protocol::HTTP1::Request.read'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-http-0.95.1/lib/async/http/protocol/http1/server.rb:56:in 'Async::HTTP::Protocol::HTTP1::Server#next_request'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-http-0.95.1/lib/async/http/protocol/http1/server.rb:73:in 'Async::HTTP::Protocol::HTTP1::Server#each'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-http-0.95.1/lib/async/http/server.rb:63:in 'Async::HTTP::Server#accept'",
      "/usr/local/bundle/ruby/4.0.0/gems/falcon-0.55.3/lib/falcon/server.rb:61:in 'block in Falcon::Server#accept'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-utilization-0.3.2/lib/async/utilization/metric.rb:98:in 'Async::Utilization::Metric#track'",
      "/usr/local/bundle/ruby/4.0.0/gems/falcon-0.55.3/lib/falcon/server.rb:60:in 'Falcon::Server#accept'",
      "/usr/local/bundle/ruby/4.0.0/gems/io-endpoint-0.17.2/lib/io/endpoint/wrapper.rb:231:in 'block (2 levels) in IO::Endpoint::Wrapper#accept'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-2.39.0/lib/async/task.rb:224:in 'block in Async::Task#run'",
      "/usr/local/bundle/ruby/4.0.0/gems/async-2.39.0/lib/async/task.rb:521:in 'block in Async::Task#schedule'",
      "/usr/local/bundle/ruby/4.0.0/gems/newrelic_rpm-10.4.0/lib/new_relic/agent/tracer.rb:434:in 'block (2 levels) in NewRelic::Agent::Tracer.thread_block_with_current_transaction'",
      "/usr/local/bundle/ruby/4.0.0/gems/newrelic_rpm-10.4.0/lib/new_relic/agent/tracer.rb:357:in 'NewRelic::Agent::Tracer.capture_segment_error'",
      "/usr/local/bundle/ruby/4.0.0/gems/newrelic_rpm-10.4.0/lib/new_relic/agent/tracer.rb:433:in 'block in NewRelic::Agent::Tracer.thread_block_with_current_transaction'"
    ]
  }
}

I added a monkey patch like this, to get all the headers before the error occurs:

class Protocol::HTTP::Headers
  alias_method :old_to_h, :to_h

  def to_h
    puts inspect

    old_to_h
  end
end

On our production servers, this gives me log lines like this (With line breaks for readability and Cloudflare headers removed):

    #<Protocol::HTTP::Headers [
        ["Connection", "Keep-Alive"], 
        ["X-Forwarded-For", "172.69.234.178"], 
        ["X-Forwarded-Port", "80"], 
        ["X-Forwarded-Proto", "http"], 
        ["X-Request-Start", "1779528417.807"], 
        ["accept", "text/markdown,text/html;q=0.9,application/xhtml+xml;q=0.8,application/xml;q=0.7,image/webp;q=0.6,*/*;q=0.5"], 
        ["accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"], 
        ["sec-ch-ua-platform", "\"Windows\""], 
        ["sec-ch-ua-mobile", "?0"], 
        ["sec-fetch-mode", "navigate"], 
        ["accept-language", "en-US,en;q=0.5"], 
        ["accept-language", "en-US"], 
        ["sec-fetch-site", "same-site"], 
        ["accept-encoding", "gzip, br"], 
        ["sec-ch-ua", "\"Not;A=Brand\";v=\"99\", \"Google Chrome\";v=\"139\", \"Chromium\";v=\"139\""], 
        ["sec-fetch-dest", "document"], 
        ["upgrade-insecure-requests", "1"], 
        ["cache-control", "no-cache"], 
        ["pragma", "no-cache"], 
!       ["user-agent", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"], 
!       ["user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"]
    ]>

I understand that these headers are in general quite weird, because we also get multiple accept and accept-language headers, but they sadly are hitting our server.

Because these requests look so suspicious, I also checked the CF-Connecting-IP (which is the IP of the client connecting to Cloudflare) as described on https://developers.google.com/crawling/docs/crawlers-fetchers/verify-google-requests, and they don't seem to be actual Googlebot crawlers. Looks like your surprise about Google getting it wrong was right.

I can understand if you want to stay completely spec compliant here, it's just a bit annoying for our logs and monitoring. (It's also annoying if it's true that I spent hours and hours debugging this only because some crawlers claim to be Google and send terrible requests. Welp.)