RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-12 00:39:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
18c13d3bd8
haproxy/doc
History
Christopher Faulet 18c13d3bd8 MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.

Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.

When this option is set, the policy must be specify:

  * preserve: It disables the filtering. It is the default mode for HTTP
              proxies with no FastCGI application configured.

  * delete: It removes request headers with a name containing a character
            outside the "[a-zA-Z0-9-]" charset. It is the default mode for
            HTTP backends with a configured FastCGI application.

  * reject: It rejects the request with a 403-Forbidden response if it
            contains a header name with a character outside the
            "[a-zA-Z0-9-]" charset.

The option is evaluated per-proxy and after http-request rules evaluation.

This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
2022-05-16 16:00:26 +02:00
..
design-thoughts DOC: design: commit the temporary design notes on thread groups 2022-02-24 09:06:37 +01:00
internals DOC: internal: document the new cleaner approach to the appctx 2022-05-06 18:33:49 +02:00
lua-api DOC/MINOR: fix typos in the lua-api document 2022-05-13 08:40:08 +02:00
51Degrees-device-detection.txt
acl.fig
architecture.txt DOC: fix a few remainig cases of "Haproxy" and "HAproxy" in doc and comments 2021-05-09 06:50:46 +02:00
close-options.txt MINOR: config: reject long-deprecated "option forceclose" 2021-06-11 16:57:34 +02:00
coding-style.txt DOC: fix a few remainig cases of "Haproxy" and "HAproxy" in doc and comments 2021-05-09 06:50:46 +02:00
configuration.txt MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
cookie-options.txt
DeviceAtlas-device-detection.txt MEDIUM: da: update doc and build for new scheduler mode service. 2022-01-28 07:28:53 +01:00
gpl.txt
haproxy.1
intro.txt [RELEASE] Released version 2.6-dev0 2021-11-23 15:50:11 +01:00
lgpl.txt
linux-syn-cookies.txt
lua.txt [RELEASE] Released version 2.6-dev6 2022-04-16 12:15:47 +02:00
management.txt MINOR: ssl: Add 'show ssl providers' cli command and providers list in -vv option 2022-04-21 14:54:45 +02:00
netscaler-client-ip-insertion-protocol.txt
network-namespaces.txt
peers-v2.0.txt DOC: peers: fix the protocol tag name in the doc 2021-05-09 06:38:07 +02:00
peers.txt DOC/peers: some grammar fixes for peers 2.1 spec 2021-11-02 17:28:43 +01:00
proxy-protocol.txt DOC: fix a few remainig cases of "Haproxy" and "HAproxy" in doc and comments 2021-05-09 06:50:46 +02:00
queuing.fig
regression-testing.txt DOC: fix a few remainig cases of "Haproxy" and "HAproxy" in doc and comments 2021-05-09 06:50:46 +02:00
seamless_reload.txt
SOCKS4.protocol.txt
SPOE.txt DOC: spoe: Clarify use of the event directive in spoe-message section 2021-12-03 10:18:11 +01:00
WURFL-device-detection.txt