Re: range queries (my favourite)

2020-05-28 Thread Willy Tarreau
On Thu, May 28, 2020 at 10:18:58AM +0200, Olivier D wrote:
> On Thu, 28 May 2020 at 09:48, Willy Tarreau wrote:
> 
> > No you're not :-)  hdr_cnt() counts *values*. So :
> >
> >   Range: bytes=0-,0-,0-,0-
> >
> > decomposes as the following values around the comma delimiter:
> >
> >   "bytes=0-", "0-", "0-", "0-"
> >
> > And actually if you'd send several Range headers with such values they
> > could be remerged and interpreted as above. So in this case it's quite
> > convenient for us.
> >
> 
> My bad :(
> You made me realize I never used this function correctly. I was "counting"
> duplicate headers with it, and it worked because headers are merged and
> final behaviour matches what I was expecting.

If you need to count multiple occurrences of a given header field,
instead please use req.fhdr_cnt() which counts full headers (hence
considers any value as a single value and doesn't try to iterate
around commas).

> Thank you !

You're welcome :-)

Willy



Re: range queries (my favourite)

2020-05-28 Thread Olivier D
On Thu, 28 May 2020 at 09:48, Willy Tarreau wrote:

> No you're not :-)  hdr_cnt() counts *values*. So :
>
>   Range: bytes=0-,0-,0-,0-
>
> decomposes as the following values around the comma delimiter:
>
>   "bytes=0-", "0-", "0-", "0-"
>
> And actually if you'd send several Range headers with such values they
> could be remerged and interpreted as above. So in this case it's quite
> convenient for us.
>

My bad :(
You made me realize I never used this function correctly. I was "counting"
duplicate headers with it, and it worked because headers are merged and
final behaviour matches what I was expecting.

Thank you !

 Olivier


Re: range queries (my favourite)

2020-05-28 Thread Willy Tarreau
Hi Olivier,

On Thu, May 28, 2020 at 09:44:13AM +0200, Olivier D wrote:
> Hello,
> 
> 
> On Thu, 28 May 2020 at 09:17, Willy Tarreau wrote:
> 
> > http-request del-header range if { req.hdr_cnt(range) gt 1 }
> >
> 
> This will only filter if header "Range" is present multiple times, not this
> one :
> Range: bytes=0-,0-,0-,0-
> 
> Am I correct ?

No you're not :-)  hdr_cnt() counts *values*. So :

  Range: bytes=0-,0-,0-,0-

decomposes as the following values around the comma delimiter:

  "bytes=0-", "0-", "0-", "0-"

And actually if you'd send several Range headers with such values they
could be remerged and interpreted as above. So in this case it's quite
convenient for us.

Willy



Re: range queries (my favourite)

2020-05-28 Thread Olivier D
Hello,


On Thu, 28 May 2020 at 09:17, Willy Tarreau wrote:

> http-request del-header range if { req.hdr_cnt(range) gt 1 }
>

This will only filter if header "Range" is present multiple times, not this
one :
Range: bytes=0-,0-,0-,0-

Am I correct ?

Olivier


Re: range queries (my favourite)

2020-05-28 Thread Willy Tarreau
Hi Ilya,

On Wed, May 27, 2020 at 10:48:28PM +0500, Илья Шипицин wrote:
> hello,
> 
> how does haproxy serve queries like that:
> 
> Range: bytes=0-,0-,0-,0-,
> 
> more info:
> https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

Well, range attacks are pretty common, this is just yet-another one.
Haproxy has no use of the Range header so it's not sensitive to this.
However, it could trivially stop such attacks at the edge by deleting
Range headers if they appear with multiple values (which is not common
quite frankly). I guess something like this would do it pretty efficiently:

http-request del-header range if { req.hdr_cnt(range) gt 1 }

The effect will be that those requesting more than one range will simply
get the whole file once instead.

Willy
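
A small emulation, added here and not code from the thread or from HAProxy itself, of how req.hdr_cnt() and req.fhdr_cnt() count the Range header and of the del-header rule above, run over three constructed requests (benign single range, the multi-value Range from the question, and duplicated Range lines); how an empty value left by a trailing comma is counted is an assumption of this emulation, not documented HAProxy behaviour.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

def parse_headers(raw: str) -> List[Header]:
    """Parse the header block of a constructed HTTP/1.1 request into (name, value) pairs."""
    headers: List[Header] = []
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def fhdr_cnt(headers: List[Header], name: str) -> int:
    """Like req.fhdr_cnt(name): number of full header lines; commas are not considered."""
    return sum(1 for n, _ in headers if n == name.lower())

def hdr_cnt(headers: List[Header], name: str) -> int:
    """Like req.hdr_cnt(name): number of comma-delimited values across all lines
    of that header (duplicate lines are merged first).
    Assumption of this emulation: empty values (e.g. from a trailing comma) are ignored."""
    values: List[str] = []
    for n, v in headers:
        if n == name.lower():
            values.extend(part.strip() for part in v.split(",") if part.strip())
    return len(values)

def del_multi_range(headers: List[Header]) -> List[Header]:
    """Emulates: http-request del-header range if { req.hdr_cnt(range) gt 1 }"""
    if hdr_cnt(headers, "range") > 1:
        return [(n, v) for n, v in headers if n != "range"]
    return headers

# Constructed requests (not captured traffic).
SINGLE = "GET /f HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n"
MULTI = "GET /f HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-,0-,0-,0-,\r\n"
DUPLICATE = "GET /f HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-\r\nRange: bytes=0-\r\n"

def summarize(raw: str) -> Dict[str, object]:
    """Both counters for the Range header, and whether the rule lets it through."""
    h = parse_headers(raw)
    return {"fhdr_cnt": fhdr_cnt(h, "range"), "hdr_cnt": hdr_cnt(h, "range"),
            "range_kept": any(n == "range" for n, _ in del_multi_range(h))}

if __name__ == "__main__":
    for label, raw in (("single", SINGLE), ("multi", MULTI), ("duplicate", DUPLICATE)):
        print(label, summarize(raw))
```

The "duplicate" case is where the two counters diverge: fhdr_cnt sees two headers, while for the multi-value line it sees one header but hdr_cnt sees four values, which is why the rule is written on hdr_cnt.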



range queries (my favourite)

2020-05-27 Thread Илья Шипицин
hello,

how does haproxy serve queries like that:

Range: bytes=0-,0-,0-,0-,

more info:
https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

Cheers,
Ilya Shipitcin