1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
# This test ensures that h2 requests with invalid pseudo-headers are properly
# rejected. Also, the host header must be ignored if authority is present. This
# is necessary to avoid http/2 desync attacks through haproxy as described here
# https://portswigger.net/research/http2
varnishtest "h2 desync attacks"
feature ignore_unknown_macro
server s1 {
rxreq
expect req.http.host == "hostname"
txresp
} -start
# haproxy frontend
haproxy hap -conf {
defaults
timeout client 30s
timeout server 30s
timeout connect 30s
mode http
listen feSrvH1
bind "fd@${feSrvH1}"
http-request return status 200
listen feSrvH2
bind "fd@${feSrvH2}" proto h2
http-request return status 200
listen fe1
bind "fd@${fe1}" proto h2
server srv-hapSrv "${hap_feSrvH1_addr}:${hap_feSrvH1_port}"
listen fe2
bind "fd@${fe2}" proto h2
server srv-hapSrv "${hap_feSrvH2_addr}:${hap_feSrvH2_port}" proto h2
listen fe3
bind "fd@${fe3}" proto h2
server s1 "${s1_addr}:${s1_port}"
} -start
# valid request
client c1 -connect ${hap_fe1_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET" \
-scheme "http" \
-url "/"
rxresp
expect resp.status == 200
} -run
} -run
# valid request
client c2 -connect ${hap_fe2_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET" \
-scheme "http" \
-url "/"
rxresp
expect resp.status == 200
} -run
} -run
# invalid path
client c3-path -connect ${hap_fe1_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET" \
-scheme "http" \
-url "hello-world"
rxrst
} -run
} -run
# invalid scheme
client c4-scheme -connect ${hap_fe1_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET" \
-scheme "http://localhost/?" \
-url "/"
rxresp
expect resp.status == 400
} -run
} -run
# invalid method
client c5-method -connect ${hap_fe2_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET?" \
-scheme "http" \
-url "/"
rxresp
expect resp.status == 400
} -run
} -run
# different authority and host headers
# in this case, host should be ignored in favor of the authority
client c6-host-authority -connect ${hap_fe3_sock} {
txpri
stream 0 {
txsettings
rxsettings
txsettings -ack
rxsettings
expect settings.ack == true
} -run
stream 1 {
txreq \
-method "GET" \
-scheme "http" \
-url "/" \
-hdr ":authority" "hostname" \
-hdr "host" "other_host"
} -run
} -run
server s1 -wait
|
