﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2158	ngx_stream_core_module Add $preread_server_name from http header.HOST	Ivan		"HTTP/2 Coalescing
Due to the way HTTP/2 clients reuse connections, SNI routing can misbehave when the names (Common Name and Subject Alternative Name) in the TLS certificates of different origin servers overlap.

https://miro.medium.com/max/3840/1*Fk8pDKD0O760WuDqM4ysyA.png

In the above example, since the TLS certificate used by origin server 10.0.3.2 has the wildcard name *.example.com, a web browser can make a TLS connection with server name b.example.com and reuse the same connection for HTTP/2 requests to a.example.com. This can cause undefined behavior in web sites and applications.

See: https://levelup.gitconnected.com/multiplex-tls-traffic-with-sni-routing-ece1e4e43e56

Many people work around this with a script such as the one below, but it is difficult to integrate, and building it for the ARM platform requires a difficult compilation.

Please add a variable, $preread_server_name, that is taken from the HTTP Host header.


== 
// Host value captured by read_server_name(); stays '-' until a Host header is seen.
// NOTE(review): module-level state - confirm the njs runtime gives each stream
// session its own copy, otherwise a value could carry over between connections.
var server_name = '-';

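/**
 * Extract the host from the Host header of a raw, cleartext HTTP/1.x request head.
 *
 * The value comes straight from the client and is untrusted, so it is only
 * returned when it looks like a host name, an IPv4 address or a bracketed
 * IPv6 literal. Anything else is rejected so that the caller keeps its default.
 *
 * @param data
 *   Request bytes received so far, as a string.
 * @returns
 *   The host without its port, or null when no complete and well-formed
 *   Host header line is present.
 */
function parse_host_header(data) {
  // Header names are case-insensitive and the space after the colon is
  // optional, so do not require the exact text 'Host: '.
  var n = data.search(/\r\nhost:/i);
  if (n === -1) {
    return null;
  }

  // 7 is the length of CR LF 'host:'.
  var start_host = n + 7;
  var next_header = data.indexOf('\r\n', start_host);
  if (next_header === -1) {
    // The header line is not terminated in this chunk; a truncated value
    // must not be used for routing.
    return null;
  }

  var host = data.substring(start_host, next_header).trim();

  // Remove the port if given. A bracketed IPv6 literal contains colons of
  // its own, so it is cut after the closing bracket instead.
  if (host.charAt(0) === '[') {
    var bracket_end = host.indexOf(']');
    if (bracket_end === -1) {
      return null;
    }
    host = host.substring(0, bracket_end + 1);
  } else {
    var port_start = host.indexOf(':');
    if (port_start !== -1) {
      host = host.substring(0, port_start);
    }
  }

  // Allow-list the characters that can reach the routing decision.
  if (!/^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+)$/.test(host)) {
    return null;
  }

  return host;
}

/**
 * Read the server name from the HTTP stream.
 *
 * Registers an 'upload' handler that looks for a Host header in the data it
 * is given and stores the host (without port) in the module-level
 * server_name variable. When no valid Host header is found, server_name is
 * left as it was.
 *
 * Only the first Host header is considered, and the search is a plain text
 * match on the bytes: it can only work on cleartext HTTP/1.x, not on TLS or
 * HTTP/2 framing. The backend parses the request independently, so the
 * result is a routing hint and should not be treated as an access-control
 * decision.
 *
 * @param s
 *   Stream.
 */
function read_server_name(s) {
  s.on('upload', function (data, flags) {
    // NOTE(review): done() is called on the first non-empty chunk, so a Host
    // header that arrives in a later chunk is never seen - confirm that the
    // preread buffer always holds the full request head.
    if (data.length || flags.last) {
      s.done();
    }

    var host = parse_host_header(data);
    if (host !== null) {
      server_name = host;
    }
  });
}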

/**
 * Report the server name currently held in the module-level variable.
 *
 * @param s
 *   Stream (not consulted).
 * @returns
 *   The value of server_name at the time of the call.
 */
function get_server_name(s) {
  var current_name = server_name;
  return current_name;
}

// Module interface: the upload-event reader and the getter for the stored name.
export default {
  read_server_name: read_server_name,
  get_server_name: get_server_name
};

"	enhancement	closed	minor		documentation	1.19.x	wontfix	stream proxy preread_server_name http/2	Ivan	"Linux RPi4 5.4.101 #0 SMP Sun Feb 28 23:59:21 2021 aarch64 GNU/Linux
"	"nginx version: nginx/1.19.6 (x86_64-pc-linux-gnu)
built with OpenSSL 1.1.1j  16 Feb 2021
TLS SNI support enabled
configure arguments: --target=aarch64-openwrt-linux --host=aarch64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --crossbuild=Linux::aarch64 --prefix=/usr --conf-path=/etc/nginx/nginx.conf --with-http_ssl_module --with-ipv6 --with-http_stub_status_module --with-http_flv_module --with-http_dav_module --with-http_auth_request_module --with-http_v2_module --with-http_realip_module --with-http_secure_link_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-headers-more --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-naxsi/naxsi_src --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/lua-nginx --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-dav-ext-module --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-brotli --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-rtmp --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-ts --add-module=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6/nginx-ubus-module --error-log-path=stderr --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body 
--http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=aarch64-openwrt-linux-musl-gcc --with-cc-opt='-I/builder/shared-workdir/build/sdk/staging_dir/toolchain-aarch64_cortex-a72_gcc-8.4.0_musl/usr/include -I/builder/shared-workdir/build/sdk/staging_dir/toolchain-aarch64_cortex-a72_gcc-8.4.0_musl/include/fortify -I/builder/shared-workdir/build/sdk/staging_dir/toolchain-aarch64_cortex-a72_gcc-8.4.0_musl/include -I/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libiconv-stub/include -I/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libintl-stub/include -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -ffile-prefix-map=/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a72_musl/nginx-all-module/nginx-1.19.6=nginx-1.19.6 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libiconv-stub/include -I/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libintl-stub/include -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK' --with-ld-opt='-L/builder/shared-workdir/build/sdk/staging_dir/toolchain-aarch64_cortex-a72_gcc-8.4.0_musl/usr/lib -L/builder/shared-workdir/build/sdk/staging_dir/toolchain-aarch64_cortex-a72_gcc-8.4.0_musl/lib -znow -zrelro -L/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libiconv-stub/lib -Wl,-rpath-link=/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libiconv-stub/lib -L/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libintl-stub/lib -Wl,-rpath-link=/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a72_musl/usr/lib/libintl-stub/lib 
-Wl,--gc-sections' --without-http_upstream_zone_module
"
