monitor fail - X X -
monitor-uri X X X -
option abortonclose (*) X - X X
-option accept-invalid-http-request (*) X X X -
-option accept-invalid-http-response (*) X - X X
+option accept-invalid-http-request (deprecated) (*) X X X -
+option accept-invalid-http-response (deprecated) (*) X - X X
+option accept-unsafe-violations-in-http-request (*) X X X -
+option accept-unsafe-violations-in-http-response (*) X - X X
option allbackups (*) X - X X
option checkcache (*) X - X X
option clitcpka (*) X X X -
See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
-option accept-invalid-http-request
-no option accept-invalid-http-request
+option accept-invalid-http-request (deprecated)
+no option accept-invalid-http-request (deprecated)
+ Enable or disable relaxing of HTTP request parsing
+
+ The "accept-invalid-http-request" keyword is deprecated, use "option
+ accept-unsafe-violations-in-http-request" instead.
+
+
+option accept-invalid-http-response (deprecated)
+no option accept-invalid-http-response (deprecated)
+ Enable or disable relaxing of HTTP response parsing
+
+ The "accept-invalid-http-response" keyword is deprecated, use "option
+ accept-unsafe-violations-in-http-response" instead.
+
+
+option accept-unsafe-violations-in-http-request
+no option accept-unsafe-violations-in-http-request
Enable or disable relaxing of HTTP request parsing
May be used in the following contexts: http
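Review bot: the two deprecated entries ("option accept-invalid-http-request" and "option accept-invalid-http-response") only name the replacement keyword; they do not say whether the old keyword still takes effect or what is reported when the configuration is parsed. The parser branch added in this patch still sets the corresponding option and emits a message, so say that here: the old keyword is still accepted, behaves like the new one, and triggers a deprecation message at parsing time. These entries also lack the "May be used in the following contexts" line that the renamed entries carry.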
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
- See also : "option accept-invalid-http-response" and "show errors" on the
- stats socket.
+ See also : "option accept-unsafe-violations-in-http-response" and "show
+ errors" on the stats socket.
-option accept-invalid-http-response
-no option accept-invalid-http-response
+option accept-unsafe-violations-in-http-response
+no option accept-unsafe-violations-in-http-response
Enable or disable relaxing of HTTP response parsing
May be used in the following contexts: http
Arguments : none
- Similarly to "option accept-invalid-http-request", this option may be used to
- relax parsing rules of HTTP responses. It should only be enabled for trusted
- legacy servers to accept some invalid responses. Most of rules concern the H1
- parsing for historical reason. Newer HTTP versions tends to be cleaner and
- applications follow more stickly these protocols.
+ Similarly to "option accept-unsafe-violations-in-http-request", this option
+ may be used to relax parsing rules of HTTP responses. It should only be
+ enabled for trusted legacy servers to accept some invalid responses. Most of
+ rules concern the H1 parsing for historical reason. Newer HTTP versions tends
+ to be cleaner and applications follow more stickly these protocols.
When this option is set, the following rules are observed:
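Review bot: the re-wrapped paragraph under "option accept-unsafe-violations-in-http-response" carries over the wording errors of the lines it replaces ("Most of rules", "for historical reason", "tends", "stickly"). Since the lines are being rewritten anyway, fix them in the same change, e.g. "Most of the rules concern H1 parsing for historical reasons. Newer HTTP versions tend to be cleaner and applications follow these protocols more strictly."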
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
- See also : "option accept-invalid-http-request" and "show errors" on the
- stats socket.
+ See also : "option accept-unsafe-violations-in-http-request" and "show
+ errors" on the stats socket.
option allbackups
the derivative forms. See also the "url" and "base" fetch methods. Please
note that any fragment reference in the URI ('#' after the path) is strictly
forbidden by the HTTP standard and will be rejected. However, if the frontend
- receiving the request has "option accept-invalid-http-request", then this
- fragment part will be accepted and will also appear in the path.
+ receiving the request has "option accept-unsafe-violations-in-http-request",
+ then this fragment part will be accepted and will also appear in the path.
ACL derivatives :
path : exact string match
result in both cases. Please note that any fragment reference in the URI ('#'
after the path) is strictly forbidden by the HTTP standard and will be
rejected. However, if the frontend receiving the request has "option
- accept-invalid-http-request", then this fragment part will be accepted and
- will also appear in the path.
+ accept-unsafe-violations-in-http-request", then this fragment part will be
+ accepted and will also appear in the path.
query : string
This extracts the request's query string, which starts after the first
also "path" and "base". Please note that any fragment reference in the URI
('#' after the path) is strictly forbidden by the HTTP standard and will be
rejected. However, if the frontend receiving the request has "option
- accept-invalid-http-request", then this fragment part will be accepted and
- will also appear in the url.
+ accept-unsafe-violations-in-http-request", then this fragment part will be
+ accepted and will also appear in the url.
ACL derivatives :
url : exact string match
report the last captured faulty request and response for each frontend and
backend, with all the necessary information to indicate precisely the first
character of the input stream that was rejected. This is sometimes needed to
-prove to customers or to developers that a bug is present in their code. In
-this case it is often possible to relax the checks (but still keep the
-captures) using "option accept-invalid-http-request" or its equivalent for
-responses coming from the server "option accept-invalid-http-response". Please
-see the configuration manual for more details.
+prove to customers or to developers that a bug is present in their code. In this
+case it is often possible to relax the checks (but still keep the captures)
+using "option accept-unsafe-violations-in-http-request" or its equivalent for
+responses coming from the server "option
+accept-unsafe-violations-in-http-response". Please see the configuration manual
+for more details.
Example :
frontend fe_fragment_strip
bind "fd@${fe_fragment_strip}"
- option accept-invalid-http-request
+ option accept-unsafe-violations-in-http-request
http-request set-var(txn.before) url
http-request normalize-uri fragment-strip
frontend fe_fragment_encode
bind "fd@${fe_fragment_encode}"
- option accept-invalid-http-request
+ option accept-unsafe-violations-in-http-request
http-request set-var(txn.before) url
http-request normalize-uri fragment-encode
goto out;
}
}
+ else if (strcmp(args[1], "accept-invalid-http-request") == 0 ||
+ strcmp(args[1], "accept-invalid-http-response") == 0) {
+ unsigned int val;
+
+ if (alertif_too_many_args_idx(0, 1, file, linenum, args, &err_code))
+ goto out;
+ if (warnifnotcap(curproxy, PR_MODE_HTTP, file, linenum, args[1], NULL)) {
+ err_code |= ERR_WARN;
+ goto out;
+ }
+
+ if (args[1][22] == 'q') {
+ ha_alert("parsing [%s:%d]: option '%s' is deprecated. please use 'option accept-unsafe-violations-in-http-request' if absolutely needed.\n",
+ file, linenum, args[1]);
+ val = PR_O2_REQBUG_OK;
+ }
+ else {
+ ha_alert("parsing [%s:%d]: option '%s' is deprecated. please use 'option accept-unsafe-violations-in-http-response' if absolutely needed.\n",
+ file, linenum, args[1]);
+ val = PR_O2_RSPBUG_OK;
+ }
+
+ curproxy->no_options2 &= ~val;
+ curproxy->options2 &= ~val;
+
+ switch (kwm) {
+ case KWM_STD:
+ curproxy->options2 |= val;
+ break;
+ case KWM_NO:
+ curproxy->no_options2 |= val;
+ break;
+ case KWM_DEF: /* already cleared */
+ break;
+ }
+
+ err_code |= ERR_WARN;
+ goto out;
+ }
else {
const char *best = proxy_find_best_option(args[1], common_options);
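Review bot: in the branch handling the two deprecated keywords, the message is emitted with ha_alert() while only ERR_WARN is added to err_code, so the severity shown to the operator and the one returned to the caller disagree. If the old keywords are meant to remain usable, emit the message as a warning; if they are meant to be refused, return an error code instead. The test args[1][22] == 'q' depends on offset 22 being the first character where the two old names differ ('q' in "request", 's' in "response"); add a comment saying so, or keep the result of the two strcmp() calls and branch on that. Also check the warnifnotcap() call: it is passed PR_MODE_HTTP, whereas the option table touched by this patch lists PR_CAP_FE and PR_CAP_BE as the capability for these options and PR_MODE_HTTP as the mode.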
}
if (likely((unsigned char)*ptr >= 128)) {
/* non-ASCII chars are forbidden unless option
- * accept-invalid-http-request is enabled in the frontend.
+ * accept-unsafe-violations-in-http-request is enabled in the frontend.
* In any case, we capture the faulty char.
*/
if (h1m->err_pos < -1)
{
/* RFC7230#2.6 has enforced the format of the HTTP version string to be
* exactly one digit "." one digit. This check may be disabled using
- * option accept-invalid-http-request.
+ * option accept-unsafe-violations-in-http-request.
*/
if (h1m->err_pos == -2) { /* PR_O2_REQBUG_OK not set */
if (sl->rq.v.len != 8)
{
/* RFC7230#2.6 has enforced the format of the HTTP version string to be
* exactly one digit "." one digit. This check may be disabled using
- * option accept-invalid-http-request.
+ * option accept-unsafe-violations-in-http-response.
*/
- if (h1m->err_pos == -2) { /* PR_O2_REQBUG_OK not set */
+ if (h1m->err_pos == -2) { /* PR_O2_RSPBUG_OK not set */
if (sl->st.v.len != 8)
return 0;
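Review bot: in the status-line version check, the comment changes from "accept-invalid-http-request" / PR_O2_REQBUG_OK to the response option / PR_O2_RSPBUG_OK, which is a correction of the old comment rather than part of the rename. Mention it in the commit message so the fix is visible to anyone backporting or reviewing the rename on its own.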
* will be used to create a linked list, so its contents may be destroyed.
*
* When <relaxed> is non-nul, some non-dangerous checks will be ignored. This
- * is in order to satisfy "option accept-invalid-http-request" for
+ * is in order to satisfy "option accept-unsafe-violations-in-http-request" for
* interoperability purposes.
*/
int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, int relaxed)
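Review bot: the comment above h2_make_htx_request() still says that with <relaxed> set "some non-dangerous checks will be ignored", while the option it now refers to is named "accept-unsafe-violations-in-http-request". The two descriptions contradict each other; reword the comment so it matches the new name, for example by saying which checks are skipped instead of qualifying them as non-dangerous.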
if (!relaxed) {
/* we need to reject any control chars or '#' from the path,
- * unless option accept-invalid-http-request is set.
+ * unless option accept-unsafe-violations-in-http-request is set.
*/
ctl = ist_find_range(list[hdr_idx].v, 0, '#');
if (unlikely(ctl) && http_path_has_forbidden_char(list[hdr_idx].v, ctl)) {
{ "splice-response", 0, 0, 0, 0 },
{ "splice-auto", 0, 0, 0, 0 },
#endif
- { "accept-invalid-http-request", PR_O2_REQBUG_OK, PR_CAP_FE, 0, PR_MODE_HTTP },
- { "accept-invalid-http-response", PR_O2_RSPBUG_OK, PR_CAP_BE, 0, PR_MODE_HTTP },
+ { "accept-unsafe-violations-in-http-request", PR_O2_REQBUG_OK, PR_CAP_FE, 0, PR_MODE_HTTP },
+ { "accept-unsafe-violations-in-http-response", PR_O2_RSPBUG_OK, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "dontlog-normal", PR_O2_NOLOGNORM, PR_CAP_FE, 0, 0 },
{ "log-separate-errors", PR_O2_LOGERRORS, PR_CAP_FE, 0, 0 },
{ "log-health-checks", PR_O2_LOGHCHKS, PR_CAP_BE, 0, 0 },