frang: http_trailer_split_allowed does not work correctly for http2 #2106

Open
RomanBelozerov opened this issue Apr 23, 2024 · 1 comment · May be fixed by #2125

@RomanBelozerov
Contributor

Tempesta - d665692

For frang_limits:

http_trailer_split_allowed false;
http_strict_host_checking false;

I send a request with a HEADERS frame:

(":authority", "example.com"),
(":path", "/"),
(":scheme", "https"),
(":method", "POST"),
("trailer", "x-my-hdr"),
("x-my-hdr", "value")

and a trailer:

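# Example using DeproxyClientH2 (`client` is a DeproxyClientH2 instance)
from hyperframe.frame import ContinuationFrame, HeadersFrame

# Trailer HEADERS frame: ends the stream, but the header block continues
tf = HeadersFrame(
    stream_id=client.stream_id,
    data=client.h2_connection.encoder.encode([("x-my-hdr", "value")]),
    flags=["END_STREAM"],
)
# CONTINUATION frame that completes the trailer header block
cf = ContinuationFrame(
    stream_id=client.stream_id,
    data=client.h2_connection.encoder.encode([("x-my-hdr", "value")]),
    flags=["END_HEADERS"],
)
# Send both trailer frames together and wait for the response
client.send_bytes(data=tf.serialize() + cf.serialize(), expect_response=True)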

AR: Tempesta returns a 400 response (if the trailer contains a CONTINUATION frame) or a 200 response (if the trailer contains only a HEADERS frame)
ER: Tempesta returns a 403 response and a warning in dmesg

Depends on #1881

Testing

t_frang.test_http_trailer_split_allowed.TestFrangHttpTrailerSplitAllowedH2
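
An added example (not code from this issue or from Tempesta FW): a reference model of the expected result, assuming `http_trailer_split_allowed false` rejects a request whose trailer repeats a field name from the request header block, as the report implies. The helper names and the sample bytes are constructed for illustration; the point is that the verdict must not depend on whether the trailer arrives as a single HEADERS frame or as HEADERS plus CONTINUATION.

```python
HEADERS, CONTINUATION, END_STREAM, END_HEADERS = 0x1, 0x9, 0x1, 0x4  # RFC 9113 types/flags

def frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, stream id, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def literal(name, value):
    """HPACK 'literal without indexing, new name'; no Huffman, strings under 127 bytes."""
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value

def field_names(block):
    """Field names of a header block that consists only of literal() fields."""
    names, i = [], 0
    while i < len(block):
        if block[i] != 0x00:
            raise ValueError("only the literal() representation is modelled")
        nlen = block[i + 1]
        names.append(block[i + 2:i + 2 + nlen].decode())
        i += 3 + nlen + block[i + 2 + nlen]  # skip name, value-length octet and value
    return names

def header_blocks(data, stream_id):
    """Join HEADERS and CONTINUATION fragments of one stream into header blocks."""
    blocks, current, i = [], b"", 0
    while i < len(data):
        length, ftype, flags = int.from_bytes(data[i:i + 3], "big"), data[i + 3], data[i + 4]
        sid = int.from_bytes(data[i + 5:i + 9], "big") & 0x7FFFFFFF
        payload, i = data[i + 9:i + 9 + length], i + 9 + length
        if sid == stream_id and ftype in (HEADERS, CONTINUATION):
            current += payload  # PADDED and PRIORITY flags are not modelled
            if flags & END_HEADERS:
                blocks.append(current)
                current = b""
    return blocks

def expected_status(data, stream_id, trailer_split_allowed):
    """Assumed check (not Tempesta code): 403 if a trailer name repeats a header name."""
    blocks = [field_names(b) for b in header_blocks(data, stream_id)]
    repeated = len(blocks) > 1 and set(blocks[0]) & set(blocks[1])
    return 403 if repeated and not trailer_split_allowed else 200

def sample_request(split_trailer, trailer_name=b"x-my-hdr"):
    """Constructed sample: the report's request, trailer sent as one or two frames."""
    fields = [(b":authority", b"example.com"), (b":path", b"/"), (b":scheme", b"https"),
              (b":method", b"POST"), (b"trailer", b"x-my-hdr"), (b"x-my-hdr", b"value")]
    first = frame(HEADERS, END_HEADERS, 1, b"".join(literal(n, v) for n, v in fields))
    t = literal(trailer_name, b"value")
    if split_trailer:  # HEADERS(END_STREAM) + CONTINUATION(END_HEADERS), as in the report
        return first + frame(HEADERS, END_STREAM, 1, t) + frame(CONTINUATION, END_HEADERS, 1, t)
    return first + frame(HEADERS, END_STREAM | END_HEADERS, 1, t)
```
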

@RomanBelozerov added the "bug", "h2" and "good to start" labels on Apr 23, 2024
@krizhanovsky
Contributor

Please also add to the wiki the reason why the option is required, preferably with an attack example. From the brief description on https://tempesta-tech.com/knowledge-base/HTTP-security/ it's unclear why the option is required.

@krizhanovsky added this to the 0.9 - LA milestone on Apr 23, 2024
@biathlon3 linked a pull request on May 24, 2024 that will close this issue