Willy,

On 11.09.20 at 08:07, Willy Tarreau wrote:
> On Fri, Sep 11, 2020 at 01:55:10PM +1000, Igor Cicimov wrote:
>> Should we be worried?
>>
>> https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel
> 
> But this stuff is total nonsense. Basically the guy is complaining
> that the products he tested work exactly as desired, designed and
> documented!
> 
> The principle of the upgrade at the gateway level precisely is to say
> "OK both the client and the server want to speak another protocol you
> agreed upon, let me retract" and let them talk over a tunnel. That's
> exactly what is needed to support WebSocket for example. The simple
> fact that he found that many proxies/gateways work like this should
> ring a bell about the intended behavior!
> 

I'm very well aware of your opinion regarding access control at the
edge by now; however, I have 2 questions at this point.

I've read the official write-up of the researcher's findings:
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c.
It contains quite a few more details and I recommend taking a look at
it to answer my questions.

According to the article, performing an h2c upgrade via TLS is not
valid according to the spec. HAProxy implements the H2 spec.

Question 1: Should HAProxy reject requests that set Upgrade: h2c over
TLS? I think it should. Basically, the following rule should be applied
automatically, to my understanding.

http-request deny deny_status 400 if { req.hdr(upgrade) h2c } { ssl_fc }

----

Further, the article says that the HTTP2-Settings header is a hop-by-hop
header. It should not be forwarded by a proxy. According to the article,
HAProxy *does* forward it.

Question 2: Should HAProxy automatically strip the HTTP2-Settings header
when forwarding requests?

Best regards
Tim Düsterhus

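As an added example (not HAProxy's code and not part of this thread), the following Python filter applies the two rules the message asks about to a parsed HTTP/1.1 request head: it refuses `Upgrade: h2c` when the request arrived over TLS (RFC 7540 section 3.2 defines the h2c upgrade for cleartext connections only), and it drops the hop-by-hop `HTTP2-Settings` header, including its token in `Connection`, before the request is forwarded. `Upgrade` and `Connection` themselves are deliberately kept, so an upgrade the gateway chooses to tunnel (WebSocket, or h2c over cleartext) still works. The function names, the `STRIPPED` set and the two request byte strings are constructed for this example.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Hop-by-hop headers this filter never forwards (assumption of this example,
# chosen to match the question above). HTTP2-Settings is hop-by-hop per
# RFC 7540 section 3.2.1; Upgrade and Connection are intentionally NOT here
# so that upgrades the gateway wants to tunnel are still passed through.
STRIPPED = {"http2-settings", "keep-alive", "proxy-connection"}


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.1 request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line instead of crashing
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def tokens(value: str) -> List[str]:
    """Comma-separated list header value -> list of trimmed tokens (original case)."""
    return [t.strip() for t in value.split(",") if t.strip()]


def wants_h2c_upgrade(headers: List[Header]) -> bool:
    """True if any Upgrade header names the h2c protocol (token match, case-insensitive)."""
    return any(
        name.lower() == "upgrade" and "h2c" in [t.lower() for t in tokens(value)]
        for name, value in headers
    )


def filter_request(raw: bytes, over_tls: bool) -> Tuple[int, List[Header]]:
    """
    Apply both rules. Returns (status, headers_to_forward):
      status 400 and no headers  -> refuse: h2c upgrade attempted over TLS
      status 0 and cleaned list  -> forward, with HTTP2-Settings removed from
                                    the header list and from Connection
    """
    _, headers = parse_head(raw)
    if over_tls and wants_h2c_upgrade(headers):
        return 400, []  # question 1: the h2c upgrade is cleartext-only

    forwarded: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIPPED:
            continue  # question 2: HTTP2-Settings never reaches the backend
        if lname == "connection":
            kept = [t for t in tokens(value) if t.lower() not in STRIPPED]
            if not kept:
                continue  # Connection named only stripped headers; drop it
            value = ", ".join(kept)
        forwarded.append((name, value))
    return 0, forwarded


# Constructed requests. The first is shaped like the h2c upgrade in RFC 7540
# section 3.2; the second is a WebSocket upgrade, which the TLS rule must not touch.
H2C_REQUEST = (
    b"GET /api HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
    b"X-Request-Id: 1\r\n"
    b"\r\n"
)

WS_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(filter_request(H2C_REQUEST, over_tls=True))   # refused
    print(filter_request(H2C_REQUEST, over_tls=False))  # forwarded, settings stripped
    print(filter_request(WS_REQUEST, over_tls=True))    # forwarded unchanged
```

Over cleartext the h2c request is still forwarded with `Upgrade: h2c` intact, which is the tunnelling behaviour the quoted reply defends; only the `HTTP2-Settings` header and its `Connection` token are removed. A backend that cannot speak h2c then sees a plain HTTP/1.1 request it can answer normally rather than a half-formed upgrade.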