HTTP Authorization header problem with v1.7.1

Posted by Brian Glogower 
Brian Glogower
HTTP Authorization header problem with v1.7.1
January 11, 2017 03:20AM
Hi all,

I noticed that after upgrading to haproxy v1.7.1, haproxy is returning 400s
for certain requests that include the HTTP Authorization header. The
following is the output from 'show errors'. I am not seeing this behavior
with haproxy v1.5 or v1.6.

#########

[10/Jan/2017:21:19:24.823] frontend default (#5): invalid request
backend <NONE> (#-1), server <NONE> (#-1), event #0
src 10.0.11.35:54090, session #14974, session flags 0x00000080
HTTP msg state 26, msg flags 0x00000000, tx flags 0x80000000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x00808002, out 0 bytes, total 2498 bytes
pending 2498 bytes, wrapping at 65536, error at position 2471:

..
..
..

00357 Authorization: Bearer eyJ4NWMiOlsiTUlJQytEQ0NBcCtnQXdJQkFnSUJBREFLQmdn
00427+ cWhrak9QUVFEQWpCR01VUXdRZ1lEVlFRREV6dFJORm96T2tkWE4wazZXRlJRUkRwSVRUUl
..
..
..
02387+ 6wDJLOs4_jM9AfISLrv74o0QhU2-DN2P-Q-xWiz_pteTvouLXJNce0p3E6z3wRZRlCVmcz
02457+ prRvj84YkyrgrA\r\n
02473 Accept-Encoding: gzip\r\n
02496 \r\n

#########

Is this a known problem for v1.7? I couldn't find any mention of this in
the mailing list archive.

-Brian
Willy Tarreau
Re: HTTP Authorization header problem with v1.7.1
January 11, 2017 12:20PM
Hi Brian,

On Wed, Jan 11, 2017 at 02:08:39AM +0000, Brian Glogower wrote:
> Hi all,
>
> I noticed that after upgrading to haproxy v1.7.1, haproxy is returning 400s
> for certain requests that include the HTTP Authorization header. The
> following is the output from 'show errors'. I am not seeing this behavior
> with haproxy v1.5 or v1.6.

We've found this nasty regression that I introduced late in 1.7, it's
now fixed in the devel branch and in the latest 1.7 snapshots. I'm now
working on collecting and backporting all the latest fixes we need to
emit a new 1.7 release.

In fact the issue you faced is worse, you'll randomly get some invalid
requests when requests come in multiple packets, it's just that
authorization requests increase the likeliness that they appear under
low traffic.

In the meantime you can deploy the latest snapshot, but I hope to be
able to issue 1.7.2 today (keeping fingers crossed).

Willy
Brian Glogower
Re: HTTP Authorization header problem with v1.7.1
January 11, 2017 08:10PM
Hi Willy,

Thanks for your quick reply and explanation.

Cheers,
Brian

On Wed, Jan 11, 2017 at 3:11 AM Willy Tarreau <w@1wt.eu> wrote:

> Hi Brian,
>
> On Wed, Jan 11, 2017 at 02:08:39AM +0000, Brian Glogower wrote:
> > Hi all,
> >
> > I noticed that after upgrading to haproxy v1.7.1, haproxy is returning 400s
> > for certain requests that include the HTTP Authorization header. The
> > following is the output from 'show errors'. I am not seeing this behavior
> > with haproxy v1.5 or v1.6.
>
> We've found this nasty regression that I introduced late in 1.7, it's
> now fixed in the devel branch and in the latest 1.7 snapshots. I'm now
> working on collecting and backporting all the latest fixes we need to
> emit a new 1.7 release.
>
> In fact the issue you faced is worse, you'll randomly get some invalid
> requests when requests come in multiple packets, it's just that
> authorization requests increase the likeliness that they appear under
> low traffic.
>
> In the meantime you can deploy the latest snapshot, but I hope to be
> able to issue 1.7.2 today (keeping fingers crossed).
>
> Willy
>
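
Added example, not part of the original thread and not HAProxy code: a small Python helper that maps the "error at position N" value of a 'show errors' dump, like the one in the first post, to the chunk, header and byte it points at. The line layout and the escape set are assumptions taken from that dump, the names are hypothetical, and the sample input is constructed.

```python
import re

# Constructed sample in the layout of a 'show errors' dump (not the poster's
# capture): the reported position lands on the CR that ends a wrapped header.
SAMPLE = r"""[01/Jan/2000:00:00:00.000] frontend fe (#1): invalid request
  pending 75 bytes, wrapping at 65536, error at position 48:

  00000  GET / HTTP/1.1\r\n
  00016  Authorization: Bearer abcdefg
  00045+ hij\r\n
  00050  Accept-Encoding: gzip\r\n
  00073  \r\n
"""

POS = re.compile(r"error at position (\d+)")
# Assumed line shape: 5-digit offset, '+' on continuation chunks, then text.
LINE = re.compile(r"^\s*(\d{5})(\+| ) ?(.*)$")
# Assumed escapes in the dump text: \r \n \t \e and \xHH, one byte each.
TOKEN = re.compile(r"\\x[0-9a-fA-F]{2}|\\[rnte]|.")
ESC = {"\\r": 0x0D, "\\n": 0x0A, "\\t": 0x09, "\\e": 0x1B}
HEADER = re.compile(rb"([A-Za-z0-9-]+):")

def decode(text):
    """Turn one dump chunk's escaped text back into the raw bytes it shows."""
    return bytes(ESC[t] if t in ESC else int(t[2:], 16) if len(t) == 4 else ord(t)
                 for t in TOKEN.findall(text))

def locate_error(dump):
    """Map 'error at position N' to the byte, header and chunk it falls in."""
    m = POS.search(dump)
    if not m:
        return None
    pos, header = int(m.group(1)), None
    for raw in dump.splitlines():
        lm = LINE.match(raw)
        if not lm:
            continue                 # status lines, '..' elisions, blanks
        start, data = int(lm.group(1)), decode(lm.group(3))
        if lm.group(2) != "+":       # new logical line: track its header name
            hm = HEADER.match(data)
            header = hm.group(1).decode() if hm else None
        if start <= pos < start + len(data):
            return {"position": pos, "byte": data[pos - start],
                    "header": header, "chunk_start": start}
    return None                      # position lies in an elided part

if __name__ == "__main__":
    print(locate_error(SAMPLE))
```

A result whose byte is 0x0d or 0x0a at the end of an otherwise well-formed header means the parser stopped on the line terminator itself rather than on a bad character in the header value.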