Hi John,

On Wed, Mar 22, 2023 at 05:25:19PM -0400, John Lauro wrote:
> Assuming no direct access to apache servers, does anyone know if
> haproxy would by default protect against these vulnerabilities?

For others, the descriptions are here:

  https://httpd.apache.org/security/vulnerabilities_24.html

I don't know, but it *seems* to me that the issue is rather between Apache
and the next hop, so unless you're able to block the undesired characters
at the front (e.g. by dropping byte pairs starting with "%0" and "%1" in
the URI to drop ctrl chars), I don't think just placing a proxy upfront
could be sufficient here. But you could probably experiment with something
like this:

  http-request reject if { url -m reg %[01] }

Maybe it would be sufficient to handle req.path by the way. It would even
avoid matching in the query string in case it's needed to let some such
chars pass there.

Just an idea...
Willy
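The two ACL variants Willy sketches (matching on the whole `url` versus only on `req.path`) can be checked offline before touching a real HAProxy. The Python below is an added example, not code from the thread or from HAProxy; it emulates the `%[01]` regex match on constructed request targets, assuming HAProxy's `url` sample is the full request target and `path` is the same string without the query string.

```python
import re
from urllib.parse import urlsplit

# The regex from the suggested ACL: it matches "%0" or "%1", i.e. the start of
# any percent-encoded byte in %00-%1F (the ASCII control characters, which
# includes the %0d%0a CR/LF pair). Only the first hex digit is inspected, so
# the case of the second digit (%0a vs %0A) does not matter.
CTRL_ESCAPE = re.compile(r"%[01]")


def rejected_by_url_acl(request_target: str) -> bool:
    """Emulate `http-request reject if { url -m reg %[01] }`.

    `url` is the whole request target, so the query string is inspected too.
    """
    return CTRL_ESCAPE.search(request_target) is not None


def rejected_by_path_acl(request_target: str) -> bool:
    """Emulate the req.path variant: only the path component is inspected,
    so encoded control characters in the query string are let through."""
    path = urlsplit(request_target).path  # urlsplit does not percent-decode
    return CTRL_ESCAPE.search(path) is not None


def classify(targets):
    """Return {target: (rejected by url ACL, rejected by path ACL)}."""
    return {t: (rejected_by_url_acl(t), rejected_by_path_acl(t)) for t in targets}


# Constructed sample request targets with the expected verdicts (not from the thread).
SAMPLES = {
    "/index.html": (False, False),
    "/a%0d%0ab": (True, True),           # encoded CR LF in the path
    "/search?q=a%0ab": (True, False),    # encoded LF only in the query string
    "/x%1F": (True, True),               # upper-case second hex digit still matches
    "/ok%20file?q=%2F": (False, False),  # space and slash are not control chars
}

if __name__ == "__main__":
    for target, (by_url, by_path) in classify(SAMPLES).items():
        print(f"{target!r:22} url ACL rejects: {by_url!s:5} path ACL rejects: {by_path}")
```

The third sample is the case Willy points at: the `url` variant rejects it, the `req.path` variant lets it through.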