git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Amaury Denoyelle <adenoyelle@haproxy.com>
	Thu, 1 Aug 2024 13:35:06 +0000 (15:35 +0200)
committer	Amaury Denoyelle <adenoyelle@haproxy.com>
	Thu, 1 Aug 2024 16:23:32 +0000 (18:23 +0200)
commit	7b89aa5b1943c1537a844cc375f7e8a86bac7942
tree	aa9a0e4f3021903e593496a7bb424056147ae525	tree \| snapshot
parent	a7a2db4ad5613d7157bd47fe662c0a62ad30ed5b	commit \| diff

BUG/MINOR: h1: do not forward h2c upgrade header token

haproxy supports tunnel establishment through HTTP Upgrade mechanism.
Since the following commit, extended CONNECT is also supported for
HTTP/2 both on frontend and backend side.

commit 9bf957335e2c385b74901481f7a89c9565dfce53
MEDIUM: mux_h2: generate Extended CONNECT from htx upgrade

As specified by HTTP/2 rfc, "h2c" can be used by an HTTP/1.1 client to
request an upgrade to HTTP/2. In haproxy, this is not supported so it
silently ignores this. However, Connection and Upgrade headers are
forwarded as-is on the backend side.

If using HTTP/1 on the backend side and the server supports this upgrade
mechanism, haproxy won't be able to parse the HTTP response. If using
HTTP/2, mux backend tries to incorrectly convert the request to an
Extended CONNECT with h2c protocol, which may also prevent the response
to be transmitted.

To fix this, flag HTTP/1 request with "h2c" or "h2" token in an upgrade
header. On converting the header list to HTX, the upgrade header is
skipped if any of this token is present and the H1_MF_CONN_UPG flag is
removed.

This issue can easily be reproduced using curl --http2 argument to
connect to an HTTP/1 frontend.

This must be backported up to 2.4 after a period of observation.

include/haproxy/h1.h		diff \| blob \| blame \| history
reg-tests/http-messaging/protocol_upgrade.vtc		diff \| blob \| blame \| history
src/h1.c		diff \| blob \| blame \| history
src/h1_htx.c		diff \| blob \| blame \| history