Hello all
I have the following log:
Jan 9 09:55:10 advance haproxy[4697]: 8.222.220.181:11074 [09/Jan/2025:09:55:10.366] public~ tomcat/tomcat 0/0/0/0/+0 400 +2532 - - ---- 147/147/1/1/0 0/0 {www.mydomain.com|Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0} "GET /download/Newsletters/Announcement_2_CFP/drapeaux-345.jpg?rev=1.1#22 HTTP/1.1"
which results in my Tomcat backend answering with a 400 error code.
#22 in the haproxy log seems to be the URL encoded version of the " character (cf. https://meyerweb.com/eric/tools/dencoder/).
So, per HAProxy version 2.6-dev3 - Configuration Manual:
[...] the list of characters allowed to appear in a URI is well defined by RFC3986, and
chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
remaining ones are blocked by default [...]
Why is this request not blocked by haproxy?
Debian 12 with haproxy version 2.6.12-1+deb12u1
Thanks for your time
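
An added example, not part of the original post and not HAProxy code: it undoes HAProxy's log escaping (a byte written as '#' plus two hex digits, with '#' itself logged as #23) on the request line above and reports which URI characters fall in the list quoted from the manual. The function names are hypothetical, and the parser assumes the quoted request line is the last field of the log entry.

```python
import re

# Character codes the manual passage quoted in the post lists as not allowed in a URI.
DISALLOWED = set(range(0, 33)) | {34, 60, 62, 92, 94, 96, 123, 124, 125, 127}
# Subset the same passage says HAProxy always blocks (0..32, 127).
ALWAYS_BLOCKED = set(range(0, 33)) | {127}

ESCAPE = re.compile(r"#([0-9A-Fa-f]{2})")
REQUEST = re.compile(r'"(\S+) (.*) HTTP/\d(?:\.\d)?"\s*$')

# The log line from the post, unchanged.
SAMPLE = (
    'Jan 9 09:55:10 advance haproxy[4697]: 8.222.220.181:11074 '
    '[09/Jan/2025:09:55:10.366] public~ tomcat/tomcat 0/0/0/0/+0 400 +2532 '
    '- - ---- 147/147/1/1/0 0/0 {www.mydomain.com|Mozilla/5.0 (X11; Ubuntu; '
    'Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0} '
    '"GET /download/Newsletters/Announcement_2_CFP/drapeaux-345.jpg?rev=1.1#22 HTTP/1.1"'
)

def decode_log_escapes(text):
    """Turn each '#XX' log escape back into the byte value it stands for."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def request_uri(log_line):
    """Return the decoded URI from the quoted request line that ends the entry."""
    m = REQUEST.search(log_line)
    if m is None:
        raise ValueError("no quoted request line at end of log entry")
    return decode_log_escapes(m.group(2))

def disallowed_chars(uri):
    """List (offset, code, always_blocked) for every URI character on the manual's list."""
    hits = []
    for offset, ch in enumerate(uri):
        code = ord(ch)
        if code in DISALLOWED or code > 127:
            hits.append((offset, code, code in ALWAYS_BLOCKED))
    return hits

if __name__ == "__main__":
    uri = request_uri(SAMPLE)
    print("decoded URI:", uri)
    for offset, code, always in disallowed_chars(uri):
        group = "always blocked" if always else "blocked by default"
        print(f"offset {offset}: char code {code} ({group} per the quoted passage)")
```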