0

If an HTTP client sends a GET request with a body that would generate a 400 Bad Request response, should the load balancer forward that request to the backend or deal with it immediately? Is there any advantage in NOT dealing with it at the load balancing layer?

Recently, an application team complained that a load balancer was returning 400 Bad Request when the application itself would return 405 Method Not Allowed. It seemed the load balancer was right and the application team had a misunderstanding, but that left me wondering when the load balancer should be more forgiving and forward crap to backends anyway.

gtirloni

1 Answer

1

Why not both? An HTTP request can be both malformed, and the verb attempted not supported in that context. 400 is easier to check with just a parser, so the load balancer can reject non-compliant headers without knowing what the request really means.

Defense in depth applies. A bad, possibly malicious, request rejected by a front end is one a back end never has to see. Possibly stopping an attack that the backend would not by itself.

haproxy, for example, is of the opinion that their option accept-invalid-http-request and option accept-invalid-http-response should be left disabled. That is, standards-compliant. Of course, as configurable as haproxy is, it can be set to a relaxed mode to deal with broken things.

John Mahowald
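The split described in the answer above, as an added example that is not part of the original answer and is not HAProxy's parser: a syntax-only front-end check returns 400 without knowing any routes, while the 405 decision needs the application's route table. `ROUTES`, the function names and the `shop.example` requests are assumptions made up for the illustration.

```python
import re

# RFC 9110 "token": characters allowed in a method or header field name.
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN = re.compile(TCHAR)
REQUEST_LINE = re.compile(TCHAR + rb" \S+ HTTP/1\.[01]")

# Hypothetical backend route table: path -> methods the application accepts.
ROUTES = {b"/orders": {b"GET", b"POST"}}


def frontend_check(raw: bytes):
    """Syntax-only validation, as a proxy can do it. Returns 400 or None."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400                      # header section never terminated
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return 400
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Also catches whitespace before the colon, which RFC 9112 rejects.
        if not colon or not TOKEN.fullmatch(name):
            return 400
        if any(c < 0x20 and c != 0x09 or c == 0x7F for c in value):
            return 400                  # control characters in the field value
    return None


def backend_status(raw: bytes):
    """Application-level decision: needs to know what the path means."""
    method, target, _ = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    allowed = ROUTES.get(target)
    if allowed is None:
        return 404
    return 200 if method in allowed else 405


def handle(raw: bytes):
    """Front end first; the backend only sees requests that parsed cleanly."""
    return frontend_check(raw) or backend_status(raw)


# Constructed sample requests.
OK = b"GET /orders HTTP/1.1\r\nHost: shop.example\r\n\r\n"
WRONG_VERB = b"DELETE /orders HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BOTH = b"DELETE /orders HTTP/1.1\r\nHost : shop.example\r\n\r\n"
```

`handle(BOTH)` gives 400 while `backend_status(BOTH)` alone gives 405, which is the disagreement the question describes.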