haproxy public development tree
Go to file
Christopher Faulet 18c13d3bd8 MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.

Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.

When this option is set, the policy must be specify:

  * preserve: It disables the filtering. It is the default mode for HTTP
              proxies with no FastCGI application configured.

  * delete: It removes request headers with a name containing a character
            outside the "[a-zA-Z0-9-]" charset. It is the default mode for
            HTTP backends with a configured FastCGI application.

  * reject: It rejects the request with a 403-Forbidden response if it
            contains a header name with a character outside the
            "[a-zA-Z0-9-]" charset.

The option is evaluated per-proxy and after http-request rules evaluation.

This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
2022-05-16 16:00:26 +02:00
.github CI: determine actual LibreSSL version dynamically 2022-05-14 17:30:15 +02:00
addons CLEANUP: applet: remove the unneeded appctx->owner 2022-05-13 14:28:48 +02:00
admin BUILD: halog: fix some incorrect signs in printf formats for integers 2022-04-12 08:40:38 +02:00
dev MINOR: connection: get rid of the CO_FL_ADDR_*_SET flags 2022-05-02 17:47:46 +02:00
doc MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
examples MEDIUM: proxy: remove long-broken 'option http_proxy' 2021-07-18 19:35:32 +02:00
include MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
reg-tests MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
scripts SCRIPTS: announce-release: add URL of dev packages 2022-04-30 14:16:15 +02:00
src MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
tests CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
.cirrus.yml CI: cirrus: switch to FreeBSD-13.0 2022-04-12 07:59:06 +02:00
.gitattributes
.gitignore DOC: lua-api: Add documentation about lua filters 2021-08-15 20:56:44 +02:00
.mailmap DOC: update Tim's address in .mailmap 2021-09-16 09:14:14 +02:00
.travis.yml CI: travis-ci: temporarily disable arm64 builds 2021-08-07 07:28:15 +02:00
BRANCHES
CHANGELOG [RELEASE] Released version 2.6-dev10 2022-05-14 16:05:50 +02:00
CONTRIBUTING CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
INSTALL DOC: install: update gcc version requirements 2022-05-11 11:31:15 +02:00
LICENSE
MAINTAINERS CONTRIB: move spoa_example out of the tree 2021-04-21 09:39:06 +02:00
Makefile MINOR: ncbuf: define non-contiguous buffer 2022-05-12 18:13:21 +02:00
README
ROADMAP
SUBVERS
VERDATE [RELEASE] Released version 2.6-dev10 2022-05-14 16:05:50 +02:00
VERSION [RELEASE] Released version 2.6-dev10 2022-05-14 16:05:50 +02:00

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)