id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2053	ignore_invalid_headers required, but only for websockets	feld@…		"Hello,

The Fediverse (Mastodon, Pleroma, etc) has been using ActivityPub and the HTTP Signatures draft[1] in the wild for some time now.

We've been building out an optimized federation strategy over Websockets so we can sign the session and continue sending data, limiting the overhead. It seems that we require `ignore_invalid_headers on;` when this data is passed over a WebSocket due to the header `(request-target)`, as defined in the draft.

This header exists for normal HTTP/1.1 and HTTP/2.0 federation and does not cause any problems. It only causes issues for the Websocket sessions.

The only other HTTP server/proxy I've tested with is Varnish which has not exhibited any problems with this header over Websockets.


[1] https://tools.ietf.org/html/draft-cavage-http-signatures-10"	defect	closed	minor		documentation	1.18.x	invalid			FreeBSD nginx 12.1-RELEASE-p7 FreeBSD 12.1-RELEASE-p7 GENERIC  amd64	"nginx version: nginx/1.18.0
built with OpenSSL 1.1.1d-freebsd  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic"