On Thu, Aug 11, 2016 at 11:49 AM, Eric Covener <cove...@gmail.com> wrote:
> On Thu, Aug 11, 2016 at 12:44 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> > Since I've heard little support in these past weeks for leaving an HTTP strict
> > 'logging-only' option, I'm going to rip that out, but replace it with options to
> > independently toggle HTTPUnsafe and HTTPResponseUnsafe values, so that
> > the server can continue to deliberately process oddball backends that don't
> > conform, while requiring strict behavior of originating user-agents.
>
> Does the latter refer to stuff being read from origins in mod_proxy_http
> or just what we're willing to put on the wire in general vs. what we
> parse on the way in?

I haven't dug terribly deeply into the proxy mechanics yet, but the same parser for headers is used for response header processing as well as the request processing. It seems that the two need some potentially different rulesets. If you are running a forward proxy, you would want to be quite strict about the responses. If you are only a gateway of trusted backend servers and apps, you might want to be more tolerant (although Roy and Jim may disagree with me on this.)