> -----Original Message-----
> From: Yann Ylavic [mailto:ylavic....@gmail.com]
> Sent: Thursday, 11 August 2016 22:40
> To: httpd-dev
> Subject: Re: HTTP/1.1 strict ruleset
>
> On Thu, Aug 11, 2016 at 6:56 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >
> > I haven't dug terribly deeply into the proxy mechanics yet, but the same
> > parser for headers is used for response header processing as well as the
> > request processing.
>
> They don't share the same code, though, ap_proxy_read_headers() would
> need the same "strictification" as ap_get_mime_headers(_ex)()
> currently, or be replaced by the latter.
>
> > It seems that the two need some potentially different
> > rulesets. If you are running a forward proxy, you would want to be quite
> > strict about the responses. If you are only a gateway of trusted backend
> > servers and apps, you might want to be more tolerant (although Roy and
> > Jim may disagree with me on this.)
>
> +1, behind 2.2 proxies (but possibly 2.4 too), there are some outdated
> backends/applications (supporting SSLv3 only...) that don't receive
> much (if any) maintenance but just work, and for that reason were
> placed behind a proxy.

So I guess we should be strict on the client side on every branch, but have an opt out for the backend of a gateway in 2.2 / 2.4.

Regards

Rüdiger