Hi,
On Thu, Dec 30, 2010 at 04:00:19PM +0800, Delta Yeh wrote:
> More tests show that Apache and Nginx work as reverse proxy is OK.
>
> For haproxy, change proto_http.c array http_is_token
>
> ['/'] = 0 to ['/'] = 1
>
> fix this issue.
>
> It seems haproxy do more strict check against RFC.
>
> Willy, would you please make haproxy not so strict with RFC?
No, a slash cannot appear in a header name and both your header and your fix are wrong. The RFC is very clear on the subject :
token = 1*<any CHAR except CTLs or separators>
separators = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT
"/" being a separator, it cannot be part of a token, so your header "video/x-flv:" is simply invalid and not HTTP compliant.
You can set the option "accept-invalid-http-responses" for the time it takes to fix the application, but you should not run that way for a long time because you have no way to know who correctly receives your data. Also, keep in mind that HTTP-based components are getting closer to RFCs every day due to the huge number of vulnerabilities implied by their lack of checking, and that what works today with such a hack might not work tomorrow after an update anywhere in the chain.
Hoping this helps,
Willy
Received on 2010/12/30 16:27
This archive was generated by hypermail 2.2.0 : 2010/12/30 16:30 CET