Thanks, guys, for having a look at the problem.

I am sure we don't use patched nginx, but I agree it is not a thing haproxy
should worry about. It needs a fix somewhere else.

For now we are going to make all the old android apps go directly to nginx
and not use haproxy. Hopefully they will all upgrade to the fixed version
of the android app soon.

cheers
sreekanth.

On Tue, Dec 27, 2011 at 3:10 AM, Willy Tarreau <[email protected]> wrote:

> Hi,
>
> On Mon, Dec 26, 2011 at 10:22:31PM +0100, Baptiste wrote:
> > Hi,
> >
> > this is normal behavior of HAProxy since it validates both requests
> > and responses against HTTP rfc.
> > In order to let your request pass, you can try to use "option
> > accept-invalid-http-request" on the frontend to disable it.
>
> Option accept-invalid-http-request will not help here, as it's not
> only a matter of invalid characters; the header is so wrongly formatted
> that it's a framing and security issue at the same time. I find it
> strange that nginx lets this pass, because nginx is known for doing
> things pretty right. Maybe you were running a patched version?
>
> Here, if you have two proxies or servers which behave differently,
> you can be subject to content-smuggling attacks. For instance, you
> could have a first proxy which considers it's continuation of
> previous line and ignores it while another one would consider it
> holds valuable contents such as a content-length. Needless to say
> the first layer could be fooled and manipulated this way.
>
> I don't think this request would be accepted by Apache, Squid or
> Varnish either.
>
> What I would suggest is to replace the error 400 message
> with a redirect or something the user can see which asks him to
> update his app. Check errorloc for redirects, and errorfile to send
> contents. Doing so would both help you get rid of the old buggy
> version and avoid opening security issues on your server side.
>
> Regards,
> Willy
>
>

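The framing problem Willy describes above, as an added illustration that is not part of this thread and not HAProxy's own parser: a small strict validator for an HTTP/1.x request head that rejects the constructs two hops can frame differently (a folded continuation line, whitespace before the colon, bare CR/LF, conflicting Content-Length values). It is the kind of check a proxy applies before forwarding, and a defender can run it over captured request heads to see which clients would receive the 400. The sample requests, the `/api/sync` path and the `X-App-Version` header are constructed for the example.

```python
import re

CRLF = "\r\n"
# Header field names must be RFC 7230 "tokens": no whitespace or separators.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised when a request head could be framed differently by two parsers."""


def parse_request_head(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns {"method", "target", "version", "headers": {lower_name: [values]}}
    or raises MalformedHeader for anything that is ambiguous to forward.
    """
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise MalformedHeader("no blank line terminating the header block")
    lines = head.split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise MalformedHeader(f"bad request line: {lines[0]!r}")
    method, target, version = parts
    headers: dict = {}
    for n, line in enumerate(lines[1:], start=1):
        if not line:
            raise MalformedHeader(f"line {n}: empty line inside header block")
        if "\r" in line or "\n" in line:
            # Bare CR or LF: some parsers end the line here, others do not.
            raise MalformedHeader(f"line {n}: bare CR/LF inside header line")
        if line[0] in " \t":
            # Folded continuation line: one hop may append it to the previous
            # value, another may read it as a fresh header such as Content-Length.
            raise MalformedHeader(f"line {n}: folded continuation line")
        name, colon, value = line.partition(":")
        if not colon:
            raise MalformedHeader(f"line {n}: no ':' in header line")
        if not TOKEN_RE.match(name):
            # Catches "Name : value" (space before colon) and non-token names.
            raise MalformedHeader(f"line {n}: bad field name {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    cl = headers.get("content-length", [])
    if len(set(cl)) > 1:
        raise MalformedHeader(f"conflicting Content-Length values: {cl}")
    if cl and not cl[0].isdigit():
        raise MalformedHeader(f"non-numeric Content-Length: {cl[0]!r}")
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(raw: str) -> str:
    """Verdict for one captured request head: 'accept' or 'reject: <reason>'."""
    try:
        parse_request_head(raw)
        return "accept"
    except MalformedHeader as exc:
        return f"reject: {exc}"


# Constructed sample request heads (not taken from the thread).
SAMPLES = {
    "well_formed": (
        "POST /api/sync HTTP/1.1\r\n"
        "Host: api.example.com\r\n"
        "Content-Length: 5\r\n"
        "\r\n"
        "hello"
    ),
    "folded_line": (
        "POST /api/sync HTTP/1.1\r\n"
        "Host: api.example.com\r\n"
        "X-App-Version: 1.0\r\n"
        " Content-Length: 5\r\n"  # leading SP: continuation or new header?
        "\r\n"
        "hello"
    ),
    "space_before_colon": (
        "POST /api/sync HTTP/1.1\r\n"
        "Host: api.example.com\r\n"
        "Content-Length : 5\r\n"
        "\r\n"
        "hello"
    ),
    "conflicting_length": (
        "POST /api/sync HTTP/1.1\r\n"
        "Host: api.example.com\r\n"
        "Content-Length: 5\r\n"
        "Content-Length: 6\r\n"
        "\r\n"
        "hello"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} {classify(raw)}")
```

Rejecting at the edge is the point: once the first hop has forwarded an ambiguous head, the "ignore it" and "honour it" interpretations downstream can no longer be reconciled, which is why relaxing the check with `option accept-invalid-http-request` is not a fix and replacing the 400 body via `errorfile`, or the response via `errorloc`, is the safer route the thread recommends.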