mirror of
https://github.com/haproxy/haproxy.git
synced 2026-03-05 06:40:33 -05:00
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.
The idea of this option is to not send header names with non-alphanumeric or
hyphen characters. It is especially important for FastCGI applications because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters outside the "[a-zA-Z0-9-]"
charset.
When this option is set, the policy must be specified:
* preserve: It disables the filtering. It is the default mode for HTTP
proxies with no FastCGI application configured.
* delete: It removes request headers with a name containing a character
outside the "[a-zA-Z0-9-]" charset. It is the default mode for
HTTP backends with a configured FastCGI application.
* reject: It rejects the request with a 403-Forbidden response if it
contains a header name with a character outside the
"[a-zA-Z0-9-]" charset.
The option is evaluated per-proxy and after http-request rules evaluation.
This patch may be backported to avoid any security issue with FastCGI
applications (so as far as 2.2).
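The collision the commit message describes, and the three policies it lists, as an added example that is not part of the original commit or of HAProxy's own code. `cgi_var_name` is a simplified model of how a FastCGI gateway turns a request header name into an environment variable (this mapping is an assumption for the example, not HAProxy's implementation); `restrict_req_hdr_names` applies the preserve, delete and reject policies to a constructed header list in which a client-supplied `X_Forwarded_For` would collapse onto the proxy-set `X-Forwarded-For`.

```python
import re
from typing import Dict, List, Tuple

# The three policies named in the commit message.
PRESERVE, DELETE, REJECT = "preserve", "delete", "reject"

# The charset the option enforces: letters, digits and hyphen only.
SAFE_HDR_NAME = re.compile(r"^[a-zA-Z0-9-]+$")

Header = Tuple[str, str]


def cgi_var_name(header_name: str) -> str:
    """Model how a FastCGI gateway maps a header to a CGI variable:
    every non-alphanumeric character becomes an underscore, the result is
    uppercased and prefixed with HTTP_. Simplified model for this example
    (assumption), not HAProxy's FastCGI code."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def collisions(headers: List[Header]) -> Dict[str, List[str]]:
    """Return the CGI variables onto which more than one header name maps."""
    seen: Dict[str, List[str]] = {}
    for name, _ in headers:
        seen.setdefault(cgi_var_name(name), []).append(name)
    return {var: names for var, names in seen.items() if len(names) > 1}


def restrict_req_hdr_names(headers: List[Header], policy: str) -> Tuple[int, List[Header]]:
    """Apply the option's policy to a list of (name, value) pairs.

    Returns (status, headers): 200 with the possibly filtered header list,
    or 403 with an empty list when the reject policy fires, mirroring the
    403-Forbidden response described in the commit message."""
    if policy == PRESERVE:
        # Filtering disabled: headers pass through untouched.
        return 200, list(headers)
    if policy == DELETE:
        # Drop any header whose name has a character outside [a-zA-Z0-9-].
        return 200, [(n, v) for n, v in headers if SAFE_HDR_NAME.match(n)]
    if policy == REJECT:
        # Refuse the whole request if any header name is out of charset.
        if any(not SAFE_HDR_NAME.match(n) for n, _ in headers):
            return 403, []
        return 200, list(headers)
    raise ValueError(f"unknown policy: {policy}")


# Constructed sample request: the proxy-set X-Forwarded-For plus a
# client-supplied variant that differs only by the underscore.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "203.0.113.10"),
    ("X_Forwarded_For", "10.0.0.1"),
    ("User-Agent", "example/1.0"),
]

if __name__ == "__main__":
    print("CGI collisions:", collisions(SAMPLE_HEADERS))
    for policy in (PRESERVE, DELETE, REJECT):
        status, hdrs = restrict_req_hdr_names(SAMPLE_HEADERS, policy)
        print(f"{policy:>8}: {status} {[n for n, _ in hdrs]}")
```

Running it shows both spellings landing on `HTTP_X_FORWARDED_FOR`, the `delete` policy forwarding only `Host`, `X-Forwarded-For` and `User-Agent`, and the `reject` policy answering 403; the `preserve` policy passes the collision through unchanged, which is why the commit makes `delete` the default for backends with a FastCGI application configured.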
| Name |
|---|
| 1k.txt |
| acl_cli_spaces.vtc |
| agents.acl |
| converters_ipmask_concat_strcmp_field_word.map |
| converters_ipmask_concat_strcmp_field_word.vtc |
| default_rules.vtc |
| del_header.vtc |
| except-forwardfor-originalto.vtc |
| h1_to_h1c.vtc |
| h1or2_to_h1c.vtc |
| http_after_response.vtc |
| http_return.vtc |
| lf-file.txt |
| map_redirect-be.map |
| map_redirect.map |
| map_redirect.vtc |
| map_regm_with_backref.map |
| map_regm_with_backref.vtc |
| normalize_uri.vtc |
| path_and_pathq.vtc |
| restrict_req_hdr_names.vtc |
| strict_rw_mode.vtc |