Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a “pre-transaction” access logging path for malformed HTTP/2 request headers that are rejected before HttpSM is created, so these failures can still be recorded in squid.log (similar to HTTP/1 behavior).
Changes:
- Add
LogAccess::PreTransactionLogDataand extendLogAccessto support access log marshaling without anHttpSM. - Emit a best-effort access log entry from the HTTP/2 layer when rejecting malformed HEADERS/CONTINUATION input.
- Add gold and unit tests validating both malformed and valid HTTP/2 request logging.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/gold_tests/connect/replays/h2_malformed_request_logging.replay.yaml | Adds replay traffic for valid HTTP/2 GET and CONNECT cases used by the gold test. |
| tests/gold_tests/connect/malformed_h2_request_client.py | Adds a low-level client to send deliberately malformed HTTP/2 requests on the wire. |
| tests/gold_tests/connect/h2_malformed_request_logging.test.py | Adds an integration test that asserts malformed HTTP/2 requests are access logged and do not reach origin. |
| src/proxy/logging/unit-tests/test_LogAccess.cc | Adds Catch2 unit tests covering pre-transaction LogAccess marshaling behavior. |
| src/proxy/logging/LogAccess.cc | Implements pre-transaction initialization and adds guards/fallbacks for marshaling without HttpSM. |
| src/proxy/logging/CMakeLists.txt | Registers the new test_LogAccess executable in CMake when testing is enabled. |
| src/proxy/http2/Http2ConnectionState.cc | Logs malformed decoded request headers via Log::access() before stream reset/GOAWAY. |
| include/proxy/logging/LogAccess.h | Defines PreTransactionLogData and adds support helpers for pre-transaction logging mode. |
| include/proxy/http2/Http2Stream.h | Exposes a const accessor for the decoded receive header (get_receive_header()). |
tests/gold_tests/connect/replays/h2_malformed_request_logging.replay.yaml
Outdated
Show resolved
Hide resolved
bneradt
force-pushed
the
h2-malformed-request-txn-logging
branch
from
13273fb to
93a7fba
Compare
Unlike HTTP/1 transactions, malformed HTTP/2 requests are rejected before HttpSM creation, so they bypassed the normal transaction logging path. That left malformed h2 traffic out of squid.log even when similar h1 failures were visible. This adds a pre-transaction LogAccess path for malformed h2 request headers and emits a best-effort access log entry before resetting the stream.
bneradt
force-pushed
the
h2-malformed-request-txn-logging
branch
from
93a7fba to
fa9178b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unlike HTTP/1 transactions, malformed HTTP/2 requests are rejected before HttpSM creation, so they bypassed the normal transaction logging path. That left malformed h2 traffic out of squid.log even when similar h1 failures were visible.
This adds a pre-transaction LogAccess path for malformed h2 request headers and emits a best-effort access log entry before resetting the stream.