I hope this is the right place to report a bug. With the rule

    http-request deny if { hdr_cnt(content-length) gt 0 } { hdr_val(content-length) gt 33554432 } # 32M

in my haproxy.cfg, the following request gets 403 correctly:

    curl -v -H"Content-Length: 33554433" localhost:8080/internal/haproxy-stats

But this goes through:

    curl -v -H"Content-Length: 3000003554433" localhost:8080/internal/haproxy-stats

I'm guessing there is an integer overflow going on somewhere. This is on haproxy 1.5.3. Full config file used:

    global
        maxconn 40000
        daemon
        uid 99
        gid 99

    defaults
        mode http
        timeout connect 5s
        timeout queue 75s
        timeout client 20s
        timeout server 20s

    frontend http-test
        bind *:8080
        use_backend backend-test

    backend backend-test
        balance leastconn
        http-request deny if { hdr_cnt(content-length) gt 0 } { hdr_val(content-length) gt 33554432 } # 32M
        stats uri /internal/haproxy-stats
        server localhost localhost:5050
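For comparison with the behaviour reported above, a size check that cannot be bypassed by an oversized Content-Length has to detect overflow while parsing and fail closed. The following is an added example, not part of the original report and not HAProxy's code; `parse_content_length` and `deny_request` are hypothetical names, and the two sample values are the ones from the curl commands.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY 33554432ULL /* 32M, the limit used in the reported rule */

/* Hypothetical helper: parse a Content-Length value as unsigned decimal.
 * Returns 0 on success, -1 if empty or not all digits, -2 if the value
 * does not fit in 64 bits. The accumulator never wraps. */
int parse_content_length(const char *s, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    size_t i;

    if (len == 0)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned d = (unsigned)((unsigned char)s[i] - '0');
        if (d > 9)
            return -1;                  /* sign, space, or other junk */
        if (v > (UINT64_MAX - d) / 10)
            return -2;                  /* v * 10 + d would overflow */
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Hypothetical policy: 1 = deny, 0 = allow. Anything that cannot be
 * parsed exactly is denied rather than compared as a wrapped number. */
int deny_request(const char *s, size_t len)
{
    uint64_t v;

    if (parse_content_length(s, len, &v) != 0)
        return 1;
    return v > MAX_BODY;
}

int main(void)
{
    /* The two values from the report, plus one beyond 64 bits (constructed). */
    const char *samples[] = { "33554433", "3000003554433",
                              "99999999999999999999" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i],
               deny_request(samples[i], strlen(samples[i])) ? "deny" : "allow");
    return 0;
}
```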