Bug #421

mod_proxy vulnerable to resource starvation

Added by Anonymous about 14 years ago. Updated almost 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:


Mod_proxy was recently changed to NOT forward the "Connection" header to the backend, since we currently rely on the server to close the connection as soon as the request finishes.

However, the header removal should be even more strict than that, if we are to assume HTTP/1.0 behaviour.

  • Forwarding the "Keep-Alive" and/or "Host" header confuses some servers to go into 1.1 mode and/or keep the connection although there is no "Connection" header.
  • Header comparison of "Connection" is performed in a case-sensitive style. Many webservers parse their headers in a case-INsensitive way. Therefore a user can potentially cause a DoS simply by initiating lots of connections toward a proxied URL and include a header like "connection: keep-alive" (with lower caps).

-- conny


lighttpd.mod_proxy.caseless-compare.patch (912 Bytes) lighttpd.mod_proxy.caseless-compare.patch [PATCH] Remove forwarding "Connection", "Host" and "Keep-Alive" -- conny Anonymous, 2005-12-21 15:07

Updated by Anonymous about 14 years ago

The "stalled" state (waiting for server to close channel) is similar to the one reported in #415.

-- conny


Updated by gstrauss almost 4 years ago

Submitted pull request to unconditionally set Connection: close with proxied HTTP/1.0 request. The client request headers Connection and Proxy-Connection were already being filtered.


Updated by stbuehler almost 4 years ago

  • Description updated (diff)
  • Assignee deleted (jan)
  • Target version set to 1.4.40

oO. It seems no one cared about the case-sensitive header comparison for a long time...


Updated by stbuehler almost 4 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r3093.

Also available in: Atom