I think the problem here is that we currently "absolutize" all requests (code: <https://github.com/akka/akka/blob/release-2.3-dev/akka-http-core/src/main/scala/akka/http/impl/engine/server/HttpServerBluePrint.scala#L71-L78>).

This will always fail with HTTP/1.0 requests, as they are always relative and 
don't carry a Host header.

I think the requestPreparation Flow in HttpServerBluePrint needs its own 
shortcut that sends 400 responses on exceptions.

On Monday, July 20, 2015 at 3:18:29 AM UTC+2, Ernesto Menéndez wrote:
>
> Hi √,
>
> Just for the sake of having a regression test.  I can set up another 
> akka-http app in DigitalOcean designed to log/debug this kind of attack.
>
> How can I make a service that logs the HTTP request in a useful way?  
> Would the "logRequest" directive be enough?
>
> On Sunday, July 19, 2015 at 1:33:24 PM UTC-6, √ wrote:
>>
>> Do you have a copy of the actual HTTP request that we could use as a 
>> regression test?
>>
>> On Sun, Jul 19, 2015 at 8:26 PM, Ernesto Menéndez <pya...@gmail.com> 
>> wrote:
>>
>>> I received the same request several times when I was hosting my service 
>>> at DigitalOcean using akka-http RC4. I had to restart the service each time.
>>>
>>> Now that I moved my service to another provider and updated to akka-http 
>>> 1.0, I still haven't got this kind of request, or maybe I just haven't 
>>> noticed, as it has been working fine for a couple of hours.  I'll let you 
>>> know if I see the problem again.
>>>
>>>
>>>
>>> On Sunday, July 19, 2015 at 9:53:47 AM UTC-6, Nicolau Werneck wrote:
>>>>
>>>> I am working on this pet project of mine, and I had an HTTP service 
>>>> built with akka-http online. The other day I found out it was 
>>>> unavailable, and when I checked the logs it appears I was a victim of this attack:
>>>>
>>>> http://www.skepticism.us/2015/05/13/
>>>>
>>>> I lost the error message, but it was pretty clear that the described 
>>>> request dropped my server, and the problem was the absence of the `Host` 
>>>> header.
>>>>
>>>> Now, isn't this something akka-http, or any HTTP server or framework, 
>>>> should be robust to? Is there anything I should or could have done as a 
>>>> user to prevent this problem, or should I be filing a bug report? Also, 
>>>> what is a proper way to keep the service running? I was just calling sbt 
>>>> from the command line, really experimental, I know there are better ways 
>>>> out there but I don't know where to start.
>>>>
>>>> Thanks,
>>>>     ++nic
>>>>
>>>
>>
>>
>>
>> -- 
>> Cheers,
>> √
>>  
>

-- 
>>>>>>>>>>      Read the docs: http://akka.io/docs/
>>>>>>>>>>      Check the FAQ: 
>>>>>>>>>> http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>>      Search the archives: https://groups.google.com/group/akka-user
--- 
You received this message because you are subscribed to the Google Groups "Akka 
User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to akka-user+unsubscr...@googlegroups.com.
To post to this group, send email to akka-user@googlegroups.com.
Visit this group at http://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.
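The top message describes the failure mode: the server absolutizes every request URI, and an HTTP/1.0 request that carries no Host header has nothing to absolutize against, so the exception takes the connection down instead of producing a 400. The following is an added example, not akka-http's own code, of a request-head parser that makes that decision without throwing: absolute-form targets are used as-is, HTTP/1.1 without Host is rejected with 400 (RFC 7230 §5.4), and HTTP/1.0 without Host falls back to a configured default authority. `DEFAULT_HOST` and `effective_uri` are names assumed here; the fallback host is a constructed placeholder.

```python
from __future__ import annotations
import re

# Constructed placeholder for the listener's own authority (assumption: the
# server knows its bind address and can use it for HTTP/1.0 requests).
DEFAULT_HOST = "service.example:8080"
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def parse_head(raw: bytes) -> tuple[str, str, str, dict[str, str]]:
    """Split a request head into (method, target, version, headers)."""
    lines = raw.decode("ascii", errors="strict").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                       # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), m.group(3), headers


def effective_uri(raw: bytes) -> tuple[int, str | None]:
    """Return (status, absolute_uri). A 400 status means reject; never raises."""
    try:
        method, target, version, headers = parse_head(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, None                # parse failure becomes a 400, not a crash
    if target.startswith("http://") or target.startswith("https://"):
        return 200, target              # absolute-form: authority is in the target
    host = headers.get("host")
    if host is None:
        if version == "1.1":
            return 400, None            # Host is mandatory in HTTP/1.1
        host = DEFAULT_HOST             # HTTP/1.0: fall back instead of failing
    # Scheme is assumed to be plain http for this illustration.
    return 200, f"http://{host}{target}"
```

The HTTP/1.1 and HTTP/1.0 cases without Host are exactly the pair a regression test for this thread should cover: the first must answer 400, the second must be served.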
