authorMatt Holt <[email protected]>2024-07-05 10:46:20 -0600
committerGitHub <[email protected]>2024-07-05 10:46:20 -0600
commitc3fb5f4d3fb3eed9136f766cb88f2d8ac54de685 (patch)
treee5b791a071ef8853ab620156fe6b9b2ea15919ec /modules/caddyhttp/reverseproxy
parent15d986e1c9decae4d753d7cbec41275264697b2f (diff)
caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying (#6427)
* caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying See RFC 8470: https://httpwg.org/specs/rfc8470.html Thanks to Michael Wedl (@MWedl) at the University of Applied Sciences St. Poelten for reporting this. * Don't return value for {remote} placeholder in early data * Add Caddyfile support
Diffstat (limited to 'modules/caddyhttp/reverseproxy')
-rw-r--r--modules/caddyhttp/reverseproxy/reverseproxy.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/caddyhttp/reverseproxy/reverseproxy.go b/modules/caddyhttp/reverseproxy/reverseproxy.go
index 1a559e5dd..4f97edead 100644
--- a/modules/caddyhttp/reverseproxy/reverseproxy.go
+++ b/modules/caddyhttp/reverseproxy/reverseproxy.go
@@ -605,6 +605,18 @@ func (h Handler) prepareRequest(req *http.Request, repl *caddy.Replacer) (*http.
req.Header.Set("User-Agent", "")
}
+ // Indicate if request has been conveyed in early data.
+ // RFC 8470: "An intermediary that forwards a request prior to the
+ // completion of the TLS handshake with its client MUST send it with
+ // the Early-Data header field set to “1” (i.e., it adds it if not
+ // present in the request). An intermediary MUST use the Early-Data
+ // header field if the request might have been subject to a replay and
+ // might already have been forwarded by it or another instance
+ // (see Section 6.2)."
+ if req.TLS != nil && !req.TLS.HandshakeComplete {
+ req.Header.Set("Early-Data", "1")
+ }
+
reqUpType := upgradeType(req.Header)
removeConnectionHeaders(req.Header)
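Review bot: The `Early-Data` header is set before `removeConnectionHeaders(req.Header)` runs two lines later, so whether the marker reaches the upstream depends on that helper. Its body is not in this hunk, but if it deletes every field named in the incoming `Connection` header, as hop-by-hop stripping usually does, a request carrying `Connection: Early-Data` would be forwarded without the replay marker that the quoted RFC 8470 text says MUST be sent. Moving the `if req.TLS != nil && !req.TLS.HandshakeComplete { req.Header.Set("Early-Data", "1") }` block to just after the `removeConnectionHeaders` call makes the marker independent of client-supplied `Connection` tokens. prepareRequest starts and ends outside the hunk, so a later step may already cover this; a test that proxies such a request over an incomplete handshake and asserts the upstream sees `Early-Data: 1` would settle it.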