
According to this, including %H in your LogFormat is supposed to log the HTTP protocol version; however, it appears to be unreliable.

As an example, one can telnet to port 80 of the web server and issue "GET / HTTP/2.0", which will cause Apache to log it as HTTP/2.0. However, this is not valid HTTP2 traffic, considering that HTTP2 is a binary protocol and can't (realistically) be executed by a human over telnet. It's easy to demonstrate that the aforementioned request is not actually handled by mod_http2, because nothing changes if the module is disabled: Apache will still process it and still misleadingly log it as if it were actually HTTP2.

Likewise, telnetting to port 80 and issuing "GET / HTTP/9.0" will cause Apache to log the request as HTTP/9.0, even though no such protocol exists.

I think what I really want to log is whether the traffic was actually handled by mod_http2 or not, as that information should come from Apache itself and not be vulnerable to client-side spoofing. Apache should know whether or not the traffic hit that module, but I haven't found a way to log based on that.

There doesn't seem to be anything relevant in the mod_http2 documentation.

I am running Apache 2.4.41 on Ubuntu LTS 20.04.5.

Displayname71
  • That is how the HTTP protocol works; another thing is that if subsequent requests are not compliant with the spec, you will get a 400 response (malformed request). Considering this, I am not sure why you are concerned about clients spoofing the HTTP protocol if they end up not sending malformed requests, or if you refer to incomplete cases just like the one you mention, which will end up in a 400 response and are really no concern. – Daniel Ferradal Oct 08 '22 at 10:31
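The telnet experiment described in the question, as an added example that is not code from the original post: a small Python script that writes a request line carrying whatever protocol token the caller chooses to a plain TCP socket, reads the status line the server answers with, and reports the mismatch between the two. Host and port are assumptions taken from the command line; what a particular server replies with for HTTP/2.0 or HTTP/9.0 depends on its version and configuration, so the script only reports what it observed. The classification also covers the 400 case raised in the comment.

```python
"""Raw-socket probe for the telnet experiment described above.

Added example, not code from the original post. It writes a request line
carrying an arbitrary protocol token (HTTP/2.0, HTTP/9.0, ...) to a plain
TCP socket, exactly as a person typing into telnet would, and reports which
protocol version the server actually answers with. Host and port are
assumptions supplied on the command line.
"""
import socket
import sys


def build_request(version, host, path="/"):
    """Build a minimal request whose protocol token is copied verbatim.

    Nothing validates `version` here, which is the point: the token is just
    text chosen by the client, so a server that copies it into %H logs
    whatever the client typed.
    """
    lines = [
        f"GET {path} {version}",
        f"Host: {host}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status_line(response):
    """Return (protocol, status_code) from the first line of a raw response.

    Raises ValueError when the reply is empty or not an HTTP status line,
    e.g. when the server closed the connection without answering.
    """
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.decode("latin-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {first_line!r}")
    return parts[0], int(parts[1])


def classify(requested, answered, status):
    """Summarise what one exchange shows about the requested token.

    'rejected'          the server refused (400 or 505) and served nothing
    'served-as-<ver>'   the server processed the request but answered with
                        its own version; a log field copied from the request
                        line would still show `requested`
    'consistent'        request and response carried the same version
    """
    if status in (400, 505):
        return "rejected"
    if requested != answered:
        return f"served-as-{answered}"
    return "consistent"


def probe(host, port, version, timeout=5.0):
    """Send the crafted request; return (requested, answered, status, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(version, host))
        data = b""
        while b"\r\n" not in data:  # only the status line is needed
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    answered, status = parse_status_line(data)
    return version, answered, status, classify(version, answered, status)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for token in ("HTTP/1.1", "HTTP/2.0", "HTTP/9.0"):
        try:
            print(probe(target, target_port, token))
        except (OSError, ValueError) as exc:
            print(f"{token}: {exc}")
```

Run it as "python3 probe.py host 80" against a test server you control. With the behaviour the question describes, the HTTP/2.0 line comes back as served-as-HTTP/1.1: the server answered over HTTP/1.1 while a %H field copied from the request line would still read HTTP/2.0, which is exactly the mismatch the question is about.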

1 Answer


The HTTP version is specified as part of the HTTP header. Therefore, the HTTP version in an HTTP request is specified by the client in the HTTP request header.

Yes, someone could put an arbitrary value, but it should be irrelevant from a server point of view: either the proposed value is acceptable, which means the server will use it to reply (and if the client doesn't really support that, too bad for them!), or it is not acceptable, in which case the server should return a 505 error or similar.

A. Darwin
  • It seems a little more complex than that. If I telnet to port 80 of an Apache server and issue a "GET / HTTP/2.0" along with a valid Host header, Apache will respond with an "HTTP/1.1 200 OK", because the request isn't real HTTP2 and isn't being processed by mod_http2; it's being treated as HTTP1.1. And yet Apache will incorrectly log it as HTTP2. This will happen even if mod_http2 is disabled. – Displayname71 Oct 08 '22 at 18:57
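One way to log the signal the question actually asks for (whether mod_http2 handled the request, rather than the token the client typed) and to check it afterwards, as an added example that is not part of the answer or the original post. It assumes that mod_http2 exports an "HTTP2" environment flag set to "on" for requests it handled, which to my knowledge is listed in the Environment Variables table of the mod_http2 documentation but should be verified against the docs for your installed version, and that the LogFormat shown in the docstring is in use. The log lines are constructed, not captured from a real server.

```python
r"""Audit Apache access-log entries for client-controlled protocol tokens.

Added example, not code from the original post or from httpd. It assumes a
LogFormat that writes the mod_http2 HTTP2 environment flag next to the
request line (assumption: the flag exists in your mod_http2 version and is
"on" for requests that module handled; verify against its docs), e.g.:

    LogFormat "%h %l %u %t \"%r\" %>s %b h2=%{HTTP2}e" withh2
    CustomLog logs/access_log withh2

The protocol token inside %r (the same value %H logs) is copied from the
request line the client sent, so only the h2= field says what httpd did.
An unset environment variable is logged as "-".
"""
import re

# Versions httpd can actually speak; HTTP/2.0 is what mod_http2 writes for
# streams it handled. Anything else in the request line was typed by the client.
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2.0"}

# Common Log Format followed by the h2=... field from the LogFormat above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) h2=(?P<h2>\S+)$'
)


def parse_line(line):
    """Split one log line into its fields; ValueError if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def assess(entry):
    """Classify one parsed entry using the server-side h2 flag, not %H."""
    proto, h2 = entry["proto"], entry["h2"]
    if proto not in KNOWN_VERSIONS:
        return "bogus-version"  # e.g. HTTP/9.0: no such protocol, client-supplied
    if proto == "HTTP/2.0" and h2 != "on":
        return "spoofed-h2"     # request line says HTTP/2.0, mod_http2 never saw it
    if proto != "HTTP/2.0" and h2 == "on":
        return "inconsistent"   # mod_http2 handled it but the token disagrees
    return "ok"


def audit(lines):
    """Group (client ip, protocol token) pairs by verdict, skipping blank lines."""
    report = {}
    for line in lines:
        line = line.strip()
        if line:
            entry = parse_line(line)
            report.setdefault(assess(entry), []).append((entry["ip"], entry["proto"]))
    return report


# Constructed sample log, not captured from a real server. The first three
# lines mirror the telnet experiments from the question; the last is a genuine
# HTTP/2 request as mod_http2 would log it with the LogFormat above.
SAMPLE_LOG = """
203.0.113.5 - - [08/Oct/2022:10:31:00 +0000] "GET / HTTP/1.1" 200 612 h2=-
203.0.113.5 - - [08/Oct/2022:10:32:00 +0000] "GET / HTTP/2.0" 200 612 h2=-
203.0.113.5 - - [08/Oct/2022:10:33:00 +0000] "GET / HTTP/9.0" 200 612 h2=-
198.51.100.7 - - [08/Oct/2022:10:34:00 +0000] "GET /index.html HTTP/2.0" 200 612 h2=on
"""

if __name__ == "__main__":
    for verdict, hits in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{verdict:14s} {hits}")
```

The design point is that the decision never looks at %H alone: the token in the request line is treated as untrusted input and only the h2= field, which httpd fills in itself, is used to decide whether HTTP/2 was really in play. The same pattern applies to any other client-copied log field.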