Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Losing data with multiple HTTP headers with same key #112

Open
jacowessels opened this issue Sep 18, 2019 · 0 comments
Open

Losing data with multiple HTTP headers with same key #112

jacowessels opened this issue Sep 18, 2019 · 0 comments

Comments

@jacowessels
Copy link

Good day,

I am running into an issue with the HTTP input filter. We would like the full list of X-Forwarder-For IP's from the front-end to our device accessible in the header map. We are receiving HTTP messages from an HaProxy device that adds it's IP to the requests. However, HaProxy does not edit the existing X-Forwarded-For header by appending it's IP to the value of the existing header - it purely adds a new X-Forwarded-For header to the request. That means those requests that come into Logstash have more than one header with the same value (X-Forwarded-For.) As far as I can tell this is, in fact, allowed according to the HTTP specifications (RFC7230) since this case (multiple headers with the same key) can be treated by the intermediary device as a singular header with a comma-separated list as the value. This has been raised on HaProxy's GitHub (haproxy/haproxy#44) and they are insisting that they are in fact doing it correctly according to spec.

As it stands I believe the Logstash Http input plugin just takes whatever the last value it for that Header key. Would it be possible to check for duplicate headers in input and if a header exists to add the value to the existing item in the hashmap (comma-separated?)

Details:
Logstash 6.6.0 running in Docker container.

Config file (input section):
input{
http {
port => 12211
add_field => {
"facility" => "qos"
}
}
}

Regards,
Jaco

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant