Open Changaco opened 4 years ago
We should make sure that all our inter-server connections use HTTP/2, to eliminate the possibility of issues like #737140 Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies.
Our current server chain is: Cloudflare ↔ AWS load balancer ↔ origin server(s). We only have full control of the last chain link.
Our current server chain is: Cloudflare servers ↔ cloudflared ↔ gunicorn. Only the last link is HTTP/1.
Explanations of the HTTP/1 request smuggling vulnerabilities:
AWS doesn't seem to support HTTP/2 between load balancers and origin servers.
I've enabled the "Drop Invalid Header Fields" option of the load balancer.
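As an added example (not code from this issue or from the project), the framing checks a front end should apply to an HTTP/1 request head before forwarding it, which is the kind of validation a setting like the load balancer's "Drop Invalid Header Fields" provides; the function name `check_framing` and the sample request heads are constructed for this illustration.

```python
import re

# Characters allowed in an HTTP/1 header field name (RFC 7230 "tchar").
# A space before the colon, for example, is not a token character.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_framing(request_head: bytes) -> list:
    """Return the reasons a request head is malformed or ambiguously framed.

    An empty list means well-formed field names and one unambiguous framing
    mechanism; anything else should be rejected rather than forwarded, since
    two hops disagreeing on where a body ends is what smuggling relies on.
    """
    problems = []
    try:
        lines = request_head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    content_lengths, transfer_encodings = [], []
    for line in lines[1:]:  # lines[0] is the request line
        if line == "":
            break  # blank line ends the header block
        if line[0] in " \t":
            problems.append("obsolete line folding")  # obs-fold, deprecated
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            problems.append("invalid header field name: %r" % name)
            continue
        if name.lower() == "content-length":
            content_lengths.append(value.strip())
        elif name.lower() == "transfer-encoding":
            transfer_encodings.append(value.strip())
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric Content-Length")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    for te in transfer_encodings:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding not ending in chunked: %r" % te)
    return problems

# Constructed sample request heads (not captured traffic).
CLEAN = b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\n"
CL_AND_TE = CLEAN[:-2] + b"Transfer-Encoding: chunked\r\n\r\n"
SPACED_NAME = b"POST / HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding : chunked\r\n\r\n"
```

Only the hop that parses HTTP/1 needs this; an HTTP/2 link carries the body length in the frame layer, which is why the issue prefers HTTP/2 between servers.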