On Wednesday, July 5, 2023 8:25:35 PM CEST Shawn Heisey wrote:
> I have a backend in haproxy for my Solr server. Solr lives unencrypted
> on port 8983, haproxy provides TLS for it, on a name like
> `solr.example.com`.
>
> Everything works fully as expected with HTTP 1.1, 2, or 3.
>
> If I send a request with curl using any HTTP version to
> https://solr.example.com/, it results in a 302 response.
>
> If the request is HTTP/1.0, Solr is revealing the internal IP address --
> the location header is https://172.31.8.104:8983/solr/ which will not
> work -- the port isn't exposed to the Internet, isn't using TLS, and the
> private IP address is only valid within the AWS VPC. An interesting
> detail: If I send the HTTP/1.0 request directly to Solr, it does NOT
> reveal the internal address. That only happens for requests relayed by
> haproxy.
>
> The backend connection is HTTP/2, as I have "proto h2" on the server line.
>
> The curl command gets a response that's HTTP/1.1 even though it sent 1.0.
>
> What I would like to do is deny HTTP/1.0 requests, but I have not been
> able to figure out a way to do that.

There is a list of pre-defined ACLs, see
http://docs.haproxy.org/2.8/configuration.html#7.4, and in that list you have
HTTP_1.0 acl to match traffic for that version of HTTP protocol.

So, you can add below snippet to block traffic for HTTP 1.0 version

    http-request deny if HTTP_1.0

I hope it helps,
Pavlos
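
A regression check for the leak described in this thread, as an added example that is not part of the original messages: it parses a raw HTTP response head (for instance the output of `curl -i`) and flags a Location header whose host is a private, loopback or link-local IP literal. The function names and the CLEAN and DENIED samples are constructed for illustration; LEAKY uses the Location value quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample responses. LEAKY carries the Location value quoted in the thread;
# CLEAN and DENIED are constructed for this example.
LEAKY = "HTTP/1.1 302 Found\r\nLocation: https://172.31.8.104:8983/solr/\r\n\r\n"
CLEAN = "HTTP/1.1 302 Found\r\nLocation: https://solr.example.com/solr/\r\n\r\n"
DENIED = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\nForbidden"


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])  # works for "HTTP/1.1 302 Found" and "HTTP/2 302"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def leaked_internal_host(raw):
    """Return the internal IP exposed in the Location header, or None."""
    _, headers = parse_response(raw)
    location = headers.get("location")
    if not location:
        return None
    host = urlsplit(location).hostname  # None for a relative redirect
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN), ("denied", DENIED)):
        status, _ = parse_response(raw)
        print(label, status, leaked_internal_host(raw))
```

Feeding it the response to an HTTP/1.0 request before and after the deny rule is in place shows whether the internal address is still reaching clients.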