Re: haproxy can't handle http header " video/x-flv: .flv" properly

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 30 Dec 2010 16:27:58 +0100


Hi,

On Thu, Dec 30, 2010 at 04:00:19PM +0800, Delta Yeh wrote:
> More tests show that Apache and Nginx working as reverse proxies are OK.
>
> For haproxy, changing the proto_http.c array http_is_token
>
> ['/'] = 0 to ['/'] = 1
>
> fixes this issue.
>
> It seems haproxy does a stricter check against the RFC.
>
> Willy, would you please make haproxy not so strict with the RFC?

No, a slash cannot appear in a header name and both your header and your fix are wrong. The RFC is very clear on the subject:

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

"/" being a separator, it cannot be part of a token, so your header "video/x-flv:" is simply invalid and not HTTP compliant.

You can set the option "accept-invalid-http-responses" for the time it takes to fix the application, but you should not run that way for a long time because you have no way to know who correctly receives your data. Also, keep in mind that HTTP-based components are getting closer to RFCs every day due to the huge number of vulnerabilities implied by their lack of checking, and that what works today with such a hack might not work tomorrow after an update anywhere in the chain.

Hoping this helps,
Willy

Received on 2010/12/30 16:27
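The token rule quoted in the message, written out as a check on a header field name. This is an added example, not code from haproxy or from the original message; the names `is_token_char` and `header_name_len` and the sample header lines are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC separators exactly as quoted in the message above, SP and HT included. */
static const char separators[] = "()<>@,;:\\\"/[]?={} \t";

/* 1 if c may appear in a token: a CHAR (0-127) that is neither CTL nor separator. */
static int is_token_char(unsigned char c)
{
    if (c <= 31 || c >= 127)        /* CTLs are 0-31 and DEL; bytes >127 are not CHAR */
        return 0;
    return strchr(separators, c) == NULL;
}

/*
 * Checks the field name of one header line "name: value".
 * Returns the name length when it is a non-empty token ended by ':'.
 * Returns -1 otherwise and stores the offset of the offending byte in *bad.
 */
static int header_name_len(const char *line, size_t len, size_t *bad)
{
    size_t i;

    for (i = 0; i < len && line[i] != ':'; i++) {
        if (!is_token_char((unsigned char)line[i])) {
            *bad = i;               /* first byte that breaks the token rule */
            return -1;
        }
    }
    if (i == 0 || i == len) {       /* empty name, or no ':' found at all */
        *bad = i;
        return -1;
    }
    return (int)i;
}

int main(void)
{
    /* Constructed sample lines; the second is the header from this thread. */
    const char *samples[] = { "Content-Type: video/x-flv", "video/x-flv: .flv" };
    size_t n, bad;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        int r = header_name_len(samples[n], strlen(samples[n]), &bad);
        if (r < 0)
            printf("REJECT \"%s\" (invalid byte at offset %zu)\n", samples[n], bad);
        else
            printf("OK     \"%s\" (name is %d bytes)\n", samples[n], r);
    }
    return 0;
}
```

The slash is legal in the value of `Content-Type` but not in a field name, which is why the first sample passes and the second is rejected at offset 5.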
