Re: HAProxy responds with bad request when cookie header is incorrect.

From: Willy Tarreau <w#1wt.eu>
Date: Mon, 26 Dec 2011 22:40:21 +0100


Hi,

On Mon, Dec 26, 2011 at 10:22:31PM +0100, Baptiste wrote:
> Hi,
>
> this is normal behavior of HAProxy since it validates both requests
> and responses against HTTP rfc.
> In order to let your request pass, you can try to use "option
> accept-invalid-http-request" on the frontend to disable it.

Option accept-invalid-http-request will not help here, as it's not only a matter of invalid character, the header is so wrongly formated that it's a framing and security issue at the same time. I find it strange that nginx let this pass, because nginx is known for doing things pretty right. Maybe you were running a patched version ?

Here, if you have two proxies or servers which behave differently, you can be subject to content-smuggling attacks. For instance, you could have a first proxy which considers it's continuation of previous line and ignores it while another one would consider it holds valuable contents such as a content-length. Needless to say the first layer could be fooled and manipulated this way.

I don't think this request would be accepted by Apache, Squid nor Varnish either.

What I would suggest you would be to replace the error 400 message with a redirect or something the user can see which asks him to update his app. Check errorloc for redirects, and errorfile to send contents. Doing so would both help you get rid of the old buggy version and avoid opening security issues on your server side.

Regards,
Willy Received on 2011/12/26 22:40

This archive was generated by hypermail 2.2.0 : 2011/12/26 22:45 CET