Re: Matching URLs at layer 7

From: Willy Tarreau <w#1wt.eu>
Date: Wed, 28 Apr 2010 21:43:43 +0200


On Wed, Apr 28, 2010 at 09:21:31PM +0930, Andrew Commons wrote:
> Hi Beni,
>
> A few things to digest here.
>
> What was leading me up this path was a bit of elementary (and probably naïve) white-listing with respect to the contents of the Host header and the URI/L supplied by the user. Tools like Fiddler make request manipulation trivial so filtering out 'obvious' manipulation attempts would be a good idea. With this in mind my thinking (if it can be considered as such) was that:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.example.com
> (3) All is good! Pass request on to server.
>
> Alternatively:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.whatever.com
> (3) All is NOT good! Flick request somewhere harmless.
>
> I'm not sure whether your solution supports this, and if your interpretation is correct maybe HAProxy doesn't support it either.
>
> I'll do some more experimenting and I hope I don't lock myself out ;-)

I'm not sure what you're trying to achieve. Requests beginning with "http://" are normally for proxy servers, though they're also valid on origin servers. If what you want is to explicitly match any of those, then you must consider that HTTP/1.1 declares a request with a Host field which does not match the one in the URL as invalid. So in practice you could always just use the Host header as the one to perform your switching on, and never use the URL part. You can even decide to block any request beginning with "http://". No browser will send that to you anyway.

Regards,
Willy
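As an added illustration of the approach Willy describes (this is not a configuration from the thread or from the HAProxy project): switch on the Host header only, refuse proxy-style absolute URIs, and send anything with an unexpected Host to a harmless sink. The frontend/backend names and the 192.0.2.x server addresses are assumed placeholders.

```haproxy
frontend http-in
    bind *:80
    # Browsers never send "GET http://host/path" to an origin server,
    # so refuse absolute-form request URIs outright (case-insensitive).
    acl abs_uri url_beg -i http://
    http-request deny if abs_uri
    # Route purely on the Host header, with or without an explicit port;
    # the URL part is never consulted.
    acl host_example hdr(host) -i www.example.com www.example.com:80
    use_backend app_example if host_example
    # Any other Host value (or a missing Host) lands on the sink backend.
    default_backend sink

backend app_example
    server app1 192.0.2.10:80   # assumed application server

backend sink
    # assumed: a server that only answers with a static error page
    server sink1 192.0.2.99:80
```

Matching on `hdr(host)` with the exact expected values (rather than a domain or substring match) keeps look-alike hosts such as www.example.com.evil.test out of the application backend.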
