Do not flow the Connection header? #439

Closed
Tratcher opened this issue Sep 24, 2020 · 2 comments · Fixed by #977
Labels
tenet-performance Impacting performance Type: Bug Something isn't working
@Tratcher (Member)

https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10

The Connection header is per hop and shouldn't be forwarded through a proxy. Note most of the spec concerns here apply to traditional forward proxies, but they might still be useful for a reverse proxy. E.g. Forwarding a Connection: close header would allow the client to terminate the proxy's connection to the destination and negatively impact performance.

Note for WebSockets we do need to forward the Connection: Upgrade header, so we can't ban Connection outright.

@Tratcher Tratcher added the Type: Bug Something isn't working label Sep 24, 2020
@karelz karelz added the tenet-performance Impacting performance label Oct 1, 2020
@karelz (Member) commented Oct 1, 2020

Triage: Motivation: protect performance - we should filter out Connection: close (we don't have more at the moment).
1.0 because it is a DoS problem.

@Tratcher (Member, Author)

Keep-Alive should also be removed from requests. We already remove it from HTTP/2 responses.

@alnikola alnikola self-assigned this May 3, 2021
alnikola added a commit that referenced this issue May 18, 2021
It removes most of the connection-related request and response headers to shield YARP against malicious clients and downstream servers that may try to manipulate HTTP connections controlled by YARP. Headers required for the WebSocket protocol upgrade are exempted from this policy.

Fixes #439
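The header policy discussed in this thread, as an added example that is not YARP's code: a hop-by-hop filter that drops Connection, Keep-Alive, Proxy-Connection and Upgrade, plus any header named as a token in Connection (RFC 7230 §6.1), so a client's Connection: close cannot tear down the proxy's upstream connection, while a WebSocket handshake is still let through with a clean Connection: Upgrade re-emitted. The function names, the two sample request header lists and the header values are constructed for illustration.

```python
# Added example of hop-by-hop header filtering at a reverse proxy.
# Not YARP code; names, sample requests and values are constructed.
from typing import Iterable, List, Set, Tuple

Header = Tuple[str, str]

# Connection-management headers that must never cross a proxy hop.
# Transfer-Encoding and TE are hop-by-hop too, but they belong to body
# framing and are left to that layer, so they are not listed here.
ALWAYS_HOP_BY_HOP = frozenset({"connection", "keep-alive", "proxy-connection", "upgrade"})


def connection_tokens(headers: Iterable[Header]) -> Set[str]:
    """Lower-cased tokens listed in every Connection header, e.g. {'close', 'x-trace'}."""
    tokens: Set[str] = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def is_websocket_upgrade(headers: Iterable[Header]) -> bool:
    """True for a WebSocket handshake: Connection lists 'upgrade' and Upgrade
    names 'websocket' (RFC 6455 section 4.1)."""
    headers = list(headers)
    if "upgrade" not in connection_tokens(headers):
        return False
    for name, value in headers:
        if name.lower() == "upgrade":
            protocols = (p.strip().lower().split("/")[0] for p in value.split(","))
            if "websocket" in protocols:
                return True
    return False


def filter_hop_by_hop(headers: Iterable[Header]) -> Tuple[List[Header], List[Header]]:
    """Return (forwarded, dropped) for a list of (name, value) pairs.

    Drops the always-hop-by-hop headers and every header named as a token in
    Connection, as RFC 7230 section 6.1 requires of a proxy. For a WebSocket
    handshake the Upgrade header is kept and a clean 'Connection: Upgrade' is
    re-emitted instead of the client's raw Connection value."""
    headers = list(headers)
    websocket = is_websocket_upgrade(headers)
    drop = set(ALWAYS_HOP_BY_HOP) | connection_tokens(headers)
    forwarded: List[Header] = []
    dropped: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if websocket and lname == "upgrade":
            forwarded.append((name, value))
        elif lname in drop:
            dropped.append((name, value))
        else:
            forwarded.append((name, value))
    if websocket:
        forwarded.append(("Connection", "Upgrade"))
    return forwarded, dropped


# Constructed sample requests: a client trying to close the upstream
# connection and smuggle a hop-by-hop token, and a genuine WebSocket handshake.
CLIENT_REQUEST: List[Header] = [
    ("Host", "app.internal"),
    ("Connection", "close, X-Trace"),
    ("Keep-Alive", "timeout=5"),
    ("X-Trace", "abc"),
    ("Accept", "*/*"),
]
WEBSOCKET_REQUEST: List[Header] = [
    ("Host", "app.internal"),
    ("Connection", "Upgrade"),
    ("Upgrade", "websocket"),
    ("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ=="),
    ("Sec-WebSocket-Version", "13"),
]

if __name__ == "__main__":
    for label, request in (("plain", CLIENT_REQUEST), ("websocket", WEBSOCKET_REQUEST)):
        forwarded, dropped = filter_hop_by_hop(request)
        print(label, "forwarded:", forwarded)
        print(label, "dropped:  ", dropped)
```

Running the block shows the plain request reaching the destination with only Host and Accept, while the WebSocket request keeps Upgrade and the Sec-WebSocket-* headers and gets a single Connection: Upgrade regardless of what else the client listed there.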