From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Mon, 16 Feb 2026 15:33:41 +0000 (+0100)
Subject: BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented
X-Git-Tag: v3.4-dev5~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c275c7d17605a1c1a0bc16e251a4a27cc102308;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented

HTTP/3 CONNECT transcoding is not properly implemented on the frontend
side. Neither tunnel mode of application nor extended connect are
currently functional.

Clarify this situation by rejecting any CONNETC attempts on the frontend
side. The stream is thus now closed via a RESET_STREAM with error code
REQUEST_REJECTED.

This should be backported to every stable versions.
---

diff --git a/src/h3.c b/src/h3.c
index 79266457d..849bba2a6 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -812,6 +812,11 @@ static ssize_t h3_req_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 			goto out;
 		}
 	}
+	else {
+		h3s->err = H3_ERR_REQUEST_REJECTED;
+		len = -1;
+		goto out;
+	}
 
 	flags |= HTX_SL_F_VER_11;
 	flags |= HTX_SL_F_XFER_LEN;