d12edebe4a
Checks are already made on H2 to detect inconsistencies between advertised content-length and transferred data (excess of data or premature END_STREAM flag on DATA frame). However, as found by Martino Spagnuolo (r3verii), a subtle case remains: if the END_STREAM appears on the HEADERS frame (i.e. a regular request for example), then the check is not made. In this case it is possible to advertise more contents than will really be transferred. If the other side uses HTTP/1.1, and the server responds before the end of the transfer, this means that the number of advertised bytes that will never be transferred and that the server will drain will be taken from the next request, effectively hiding a part of the header. In practice this can be used to force subsequent requests to fail, or when running with "http-reuse never" or when running with a totally idle server, to perform a request smuggling by constructing specially crafted request pairs where the first one is used to trigger an early response and hide parts of or all headers of the second one, to instead use a second embedded one that was not subject to analysis. The risk remains moderate given the low prevalence of "http-reuse never" in production environments, and of idle servers. The fix consists in detecting if advertised content-length remains when processing an END_STREAM flag on a HEADERS frame. It also does it for trailers, which turn out to be another way to abuse the bug. However it takes great care not to break bodyless responses (204, 304 and responses to HEAD requests) that may present a content-length that doesn't reflect the presence of a body in the response. A temporary alternative to the fix is to disable HTTP/2 by specifying "alpn http/1.1" on "bind" lines, and adding "option disable-h2-upgrade" in HTTP frontends. This must be backported to all stable versions.
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located into the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.