On 12.01.22 17:06, Andrew Anderson wrote:
On Thu, Dec 30, 2021 at 10:15 PM Willy Tarreau <w...@1wt.eu <mailto:w...@1wt.eu>> wrote: On Wed, Dec 29, 2021 at 12:29:11PM +0100, Aleksandar Lazic wrote: > > 00000 CONNECT download.eclipse.org:443 HTTP/1.1\r\n > > 00043 Host: download.eclipse.org\r\n > > 00071 User-Agent: Apache-HttpClient/4.5.10 (Java/11.0.13)\r\n > > 00124 \r\n It indeed looks like a recently fixed problem related to the mandatory comparison between the authority part of the request and the Host header field, which do not match above since only one contains a port. I don't know how pervasive this issue is on non-Java clients, but the sendCONNECTRequest() method from Java's HttpURLConnection API is responsible for the authority/host mismatch when using native Java HTTP support, and has been operating this way for a very long time: /** * send a CONNECT request for establishing a tunnel to proxy server */ private void sendCONNECTRequest() throws IOException { int port = url.getPort(); requests.set(0, HTTP_CONNECT + " " + connectRequestURI(url) + " " + httpVersion, null); requests.setIfNotSet("User-Agent", userAgent); String host = url.getHost(); if (port != -1 && port != url.getDefaultPort()) { host += ":" + String.valueOf(port); } requests.setIfNotSet("Host", host); The Apache-HttpClient library has a similar issue as well (as demonstrated above). More recent versions are applying scheme-based normalization which consists in dropping the port from the comparison when it matches the scheme (which is implicitly https here). Is there an option other than using "accept-invalid-http-request" available to modify this behavior on the haproxy side in 2.4? I have also run into this with Java 8, 11 and 17 clients. Are these commits what you are referring to about scheme-based normalization available in more recent versions (2.5+): https://github.com/haproxy/haproxy/commit/89c68c8117dc18a2f25999428b4bfcef83f7069e (MINOR: http: implement http uri parser) https://github.com/haproxy/haproxy/commit/8ac8cbfd7219b5c8060ba6d7b5c76f0ec539e978 (MINOR: http: use http uri parser for scheme) https://github.com/haproxy/haproxy/commit/69294b20ac03497e33c99464a0050951bdfff737 (MINOR: http: use http uri parser for authority) If so, I can pull those into my 2.4 build and see if that works better for Java clients.
Well, looks like you want a forward proxy like squid not a reverse proxy like haproxy. https://en.wikipedia.org/wiki/HTTP_tunnel As you don't shared your config I assume you try to use option http_proxy which will be deprecated. http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#4-option%20http_proxy
Andrew
Regards Alex
