HAProxy community

Bad request returned for unencoded characters

I recently moved a domain into HAProxy. Most of the HTTP requests go through fine, but some requests that have un-encoded characters in their URL are thrown with 400 Bad Request.
An example of such a URL is:
http://www.domain.com/push.asp?Message=א
Note that the Message parameter value has a Hebrew letter as a value but it is not encoded. If I change the Hebrew letter to any English letter, the request is passed to the backend without any issue, but this request is rejected as Bad Request.
Since I know my webserver (IIS in this case) can handle the request, is there a way to tell HAProxy to skip validation of the HTTP request?
My frontend in this case is working in HTTP mode.

I should also note that testing this “bad” URL from a web browser works, as the browser encodes the URL. Only when the URL contains 1 byte on the wire for this letter (0xE0 in this case) is the request rejected.

Thanks

Update: I found the “option accept-invalid-http-request” option and was wondering if there is some way to incorporate that with an ACL?

No, you can only configure it per frontend.

Can two frontends share the same port? I am currently using a large frontend for all my sites splitting traffic between servers as needed.
Can I create another frontend on port 80 & 443 for this specific domain? If I can, is it possible to have the 1st frontend serve domain.com except when the URL is push.asp and the 2nd frontend only serve push.asp with the option accept-invalid-http-request?

Another option: Can I add custom replace logic before the request is thrown as 400 Bad Request to replace א with %E0 so it validates correctly? In theory I could write a replace for all the Hebrew letters until the caller fixes his side and encodes the requests as needed.

On the same IP address, no (if you do that, the kernel will load-balance between the two ports, which is not what you want).

On a different IP address, sure, just bind to the specific IP address in both frontends and make sure everything is unique.

If you want to do it on the same IP address, you can enable option accept-invalid-http-request on the frontend, create a dedicated backend for the domains where you want to reject invalid requests and use that backend to reiterate to a new, dedicated frontend (on loopback on a different port) where option accept-invalid-http-request is not enabled.

That’s a whole lot of configuration and complexity though.

No, you cannot modify the request before parsing it.
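
The same-IP layout described in the reply above, sketched as an added example (not configuration posted by anyone in this thread). All frontend/backend names, IP addresses, the loopback port 8080 and the use of the PROXY protocol between the two layers are assumptions; only plain HTTP on port 80 is shown.

```haproxy
# Added example: names, addresses and ports below are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public listener. Parsing is relaxed here so the request carrying the
# raw 0xE0 byte is not rejected with 400 before routing rules run.
frontend fe_public
    bind 192.0.2.10:80
    option accept-invalid-http-request
    acl host_push hdr(host) -i www.domain.com
    acl path_push path -i /push.asp
    # Only this one endpoint is reachable without strict validation.
    use_backend be_push_iis if host_push path_push
    # Every other host and path is handed to the strict layer.
    default_backend be_to_strict

# IIS server that is known to cope with the unencoded byte.
backend be_push_iis
    server iis1 10.0.0.21:80 check

# Loops the request back into HAProxy; send-proxy-v2 keeps the
# original client address visible to the second frontend.
backend be_to_strict
    server strict 127.0.0.1:8080 send-proxy-v2

# Strict layer: accept-invalid-http-request is deliberately absent,
# so requests that violate the parser's rules get 400 here.
frontend fe_strict
    bind 127.0.0.1:8080 accept-proxy
    default_backend be_sites

backend be_sites
    server web1 10.0.0.11:80 check
```

Validate the file with `haproxy -c -f <file>` before reloading. Requests rejected by the strict frontend can be inspected with `show errors` on the stats socket to confirm which byte triggered the 400.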