Opened 4 years ago

Closed 4 years ago

#2078 closed defect (duplicate)

Hop-specific HTTP headers (e.g. Upgrade) from origin server being forwarded by proxy module

Reported by: hsivonen@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.19.x
Keywords:
Cc: hsivonen@…
uname -a: Linux nginx 4.4.0-193-lowlatency #224-Ubuntu SMP PREEMPT Tue Oct 6 18:25:21 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'


I had set up proxying with

proxy_pass https://redacted.example:443;
proxy_ssl_trusted_certificate /etc/nginx/redacted.crt;
proxy_ssl_verify on;
proxy_set_header Host $host;
proxy_buffering off;
proxy_http_version 1.1;

The origin server runs Apache/2.4.41 as bundled with Ubuntu 20.04.

With this setup, Safari refuses to load pages proxied by nginx from the Apache origin server even though requests served directly by nginx or proxied from Jetty work OK.

The problem is solved by adding

proxy_hide_header Upgrade;

Since Upgrade is a per-hop HTTP header, nginx should, by default, not forward it. (It seems that sending the header is an Apache bug.)

See also

Change History (1)

comment:1 by Maxim Dounin, 4 years ago

Resolution: duplicate
Status: new → closed

Duplicate of #915.
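
The behaviour the ticket description asks for, as an added example that is not part of the ticket and is not nginx's code: it splits an upstream response's headers into forwardable and hop-by-hop ones, using the RFC 2616 section 13.5.1 list plus any field named in Connection (RFC 7230 section 6.1), which goes beyond the single Upgrade case. The sample response, including the Upgrade value and the X-Internal-Hop field, is constructed.

```python
# Added example (not nginx's code): find hop-by-hop fields in an upstream response.
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})  # RFC 2616 section 13.5.1 ("Trailers" there is the Trailer field)


def parse_headers(raw):
    """Parse a raw response head into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def connection_tokens(headers):
    """Field names nominated by Connection (RFC 7230 section 6.1), lower-cased."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def split_hop_by_hop(headers):
    """Return (forwardable, hop_by_hop) header lists for one response."""
    per_hop = HOP_BY_HOP | connection_tokens(headers)
    keep = [(n, v) for n, v in headers if n.lower() not in per_hop]
    drop = [(n, v) for n, v in headers if n.lower() in per_hop]
    return keep, drop


# Constructed sample: the Upgrade value and X-Internal-Hop are assumptions,
# not values taken from the ticket.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Upgrade: h2,h2c\r\n"
    "Connection: Upgrade, X-Internal-Hop\r\n"
    "X-Internal-Hop: 1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    keep, drop = split_hop_by_hop(parse_headers(SAMPLE))
    print("forward:", keep)
    print("per-hop:", drop)
```

Running the same split over headers captured on the client side of a proxy shows which per-hop fields leaked through; an empty second list means none did.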
