feat: expose flag 'h1-accept-payload-with-any-method'

Author: maxmoehl

ci/release_notes.md

@@ -3,6 +3,7 @@
 
 # New Features
 - socat is directly executable due to a symlink
+- expose `h1-accept-payload-with-any-method` as `ha_proxy.always_allow_body_http10`
 
 # Upgrades
 - HAProxy 2.5.4 -> 2.5.7

haproxy-patches/disable-http10-body-in-get-request.patch

@@ -677,3 +677,6 @@ properties:
   ha_proxy.enable_http2:
     description: Enables ingress (frontend) and egress (backend) HTTP/2 ALPN negotiation. Egress (backend) HTTP protocol version may be overriden by `ha_proxy.backend_ssl`, `ha_proxy.disable_backend_http2_websockets` and `ha_proxy.backend_match_http_protocol`.
     default: false
+  ha_proxy.always_allow_body_http10:
+    description: Always allow a body to be sent when using HTTP/1.0. By default HAProxy denies GET/HEAD/DELETE requests with a body when using HTTP/1.0 due to potential request smuggling attacks. See https://github.com/haproxy/haproxy/commit/e136bd12a32970bc90d862d5fe09ea1952b62974
+    default: false

jobs/haproxy/spec

@@ -276,6 +276,9 @@ global
   <%- if backend_match_http_protocol && backends.length == 2 -%>
     set-var proc.h2_alpn_tag str(h2)
   <%- end -%>
+  <%- if p("ha_proxy.always_allow_body_http10") %>
+    h1-accept-payload-with-any-method
+  <%- end %>
 
 defaults
     log global

jobs/haproxy/templates/haproxy.config.erb

@@ -491,4 +491,16 @@
       expect(defaults).to include('option allbackups')
     end
   end
+
+  context 'when ha_proxy.always_allow_body_http10 is true' do
+    let(:properties) do
+      {
+        'always_allow_body_http10' => true
+      }
+    end
+
+    it 'sets the global option' do
+      expect(global).to include('h1-accept-payload-with-any-method')
+    end
+  end
 end