RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-18 17:34:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
5541d4995d
haproxy/doc
History
Willy Tarreau 2dab1ba84b MEDIUM: h1: allow to preserve keep-alive on T-E + C-L 
In 2.5-dev9, commit 631c7e866 ("MEDIUM: h1: Force close mode for invalid
uses of T-E header") enforced a recently arrived new security rule in the
HTTP specification aiming at preventing a class of content-smuggling
attacks involving HTTP/1.0 agents. It consists in handling the very rare
T-E + C-L requests or responses in close mode.

It happens it does have an impact of a rare few and very old clients
(probably running insecure TLS stacks by the way) that continue to send
both with their POST requests. The impact is that for each and every
request they'll have to reconnect, possibly negotiating a full TLS
handshake that becomes harmful to the machine in terms of CPU computation.

This commit adds a new option "h1-do-not-close-on-insecure-transfer-encoding"
that does exactly what it says, it just asks not to close on such messages,
even though the message continues to be sanitized and C-L dropped. It means
that the risk is only between the sender and haproxy, which is limited, and
might be the only acceptable solution for such environments having to deal
with broken implementations.

The cases are so rare that it should not need to be backported, or in the
worst case, to the latest LTS if there is any demand.
2024-07-26 15:59:35 +02:00
..
design-thoughts DOC: design: write first notes about ring-v2 2024-03-09 11:23:52 +01:00
internals MAJOR: import: update mt_list to support exponential back-off (try #2) 2024-07-09 16:46:38 +02:00
lua-api BUG/MINOR: hlua: use CertCache.set() from various hlua contexts 2024-06-03 17:00:00 +02:00
51Degrees-device-detection.txt DOC: 51d: updated 51Degrees repo URL for v3.2.10 2023-11-23 16:26:13 +01:00
acl.fig
coding-style.txt
configuration.txt MEDIUM: h1: allow to preserve keep-alive on T-E + C-L 2024-07-26 15:59:35 +02:00
cookie-options.txt
DeviceAtlas-device-detection.txt CLEANUP: assorted typo fixes in the code and comments 2024-03-05 11:50:34 +01:00
gpl.txt
haproxy.1
HAProxyCommunityEdition_60px.png DOC: replace the README by a markdown version 2024-05-30 13:53:46 +02:00
intro.txt [RELEASE] Released version 3.1-dev0 2024-05-29 15:00:02 +02:00
lgpl.txt
linux-syn-cookies.txt
lua.txt [RELEASE] Released version 2.9-dev9 2023-11-04 09:38:16 +01:00
management.txt DOC: management: document ptr lookup for table commands 2024-06-19 10:28:10 +02:00
netscaler-client-ip-insertion-protocol.txt
network-namespaces.txt
peers-v2.0.txt MEDIUM: stick-tables: add a new stored type for glitch_cnt and glitch_rate 2024-02-08 15:51:49 +01:00
peers.txt
proxy-protocol.txt
queuing.fig
regression-testing.txt CLEANUP: assorted typo fixes in the code and comments 2023-11-23 16:23:14 +01:00
seamless_reload.txt
SOCKS4.protocol.txt
SPOE.txt DOC: spoe: Update SPOE documentation to reflect recent refactoring 2024-07-12 16:38:49 +02:00
WURFL-device-detection.txt