Ticket #2329: Unexpected request routing when Host header value contains colon

Reporter: Pēteris Caune
Type: defect
Status: closed
Priority: minor
Component: nginx-core
Version: 1.18.x
Resolution: wontfix

Description:

Here's my nginx.conf:

{{{
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    error_log /var/log/nginx/error.log;

    server {
        listen 80;
        server_name foo.com;

        location / {
            default_type text/plain;
            return 200 "hello from foo.com";
        }

        error_page 500 502 503 504 /500.html;
    }

    server {
        listen 80 default_server;
        server_name _;

        location / {
            return 403 "sorry";
        }
    }
}
}}}

I'm expecting the server to return "sorry" if the "Host" header is anything but "foo.com".

Somebody's apparently running Burp Suite on my server, and I noticed an interesting behavior when they send a "Host: foo.com:more-stuff-here" header: NGINX routes the request to the first "server" section. It looks as if it ignores the colon and everything after it in the header value.

I can reproduce it locally with the above nginx.conf:

{{{
$ curl -H "Host: foo.com" http://127.0.0.1
hello from foo.com
$ curl -H "Host: foo.com:z" http://127.0.0.1
hello from foo.com
$ curl -H "Host: foo.comz" http://127.0.0.1
sorry
}}}

Why does NGINX do this? Is this an expected behavior? What should I change in nginx.conf to ensure requests with "Host: foo.com:more-stuff-here" header go to the default block?

uname: Linux ubuntu-impish 5.13.0-28-generic #31-Ubuntu SMP Thu Jan 13 17:41:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

nginx_version:

{{{
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-wlVHrx/nginx-1.18.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-wlVHrx/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
}}}
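The routing the reporter observes follows from how nginx normalises the Host header before server_name matching: the value is lower-cased, a trailing dot is dropped, and the first colon and everything after it is treated as the port and ignored, so "foo.com:z" and "foo.com" both select the foo.com block. The Python below is an added example, not nginx's code and not part of the ticket: it models that normalisation as I understand it (an assumption, not a transcription of the nginx source), reproduces the three curl results from the ticket against a constructed server table, and adds a log-side check that flags Host values whose port part is not numeric, which is the signal a defender would want to alert on since the server_name match alone does not reject them. The log lines and the `SERVERS` table are constructed for the example.

```python
"""Model of nginx Host-header normalisation and a defender-side check.

Added example; it approximates nginx's behaviour (assumption) and is not
nginx's own implementation. Server table and log lines are constructed.
"""
from typing import List, Optional, Tuple

# Constructed table mirroring the ticket's nginx.conf: server_name -> body.
# Any other host falls through to the default_server block ("sorry").
SERVERS = {"foo.com": "hello from foo.com"}
DEFAULT_RESPONSE = "sorry"


def normalize_host(raw: str) -> Optional[str]:
    """Return the host nginx would match against server_name, or None if the
    value is invalid (nginx answers such requests with 400).

    Modelled rules (assumption): reject '/' and NUL anywhere; lower-case;
    cut at the first ':' (the remainder is taken as the port and is NOT
    checked to be numeric); reject an empty label before ':'; drop one
    trailing dot; reject empty or dot-led results and '..'.
    """
    if not raw or "/" in raw or "\0" in raw:
        return None
    host = raw.lower()
    colon = host.find(":")
    if colon != -1:
        if colon == 0 or host[colon - 1] == ".":
            return None
        host = host[:colon]          # everything after ':' is ignored
    if host.endswith("."):
        host = host[:-1]
    if not host or host.startswith(".") or ".." in host:
        return None
    return host


def route(host_header: str) -> Tuple[int, str]:
    """Pick (status, body) the way the ticket's two server blocks would."""
    host = normalize_host(host_header)
    if host is None:
        return (400, "")
    if host in SERVERS:
        return (200, SERVERS[host])
    return (403, DEFAULT_RESPONSE)


def suspicious_host(raw: str) -> bool:
    """Flag a Host value whose port part is not a plain number.

    'foo.com:more-stuff-here' still routes to foo.com, so server_name
    matching will not reject it; detect it from the raw header instead.
    """
    colon = raw.find(":")
    if colon == -1:
        return False
    return not raw[colon + 1:].isdigit()


# Constructed access-log lines in a format that records the raw Host value
# as the second quoted field (not the ticket's real logs).
SAMPLE_LOG = [
    '203.0.113.5 "foo.com" "GET / HTTP/1.1" 200',
    '203.0.113.5 "foo.com:z" "GET / HTTP/1.1" 200',
    '203.0.113.5 "foo.comz" "GET / HTTP/1.1" 403',
    '203.0.113.5 "foo.com:8080" "GET / HTTP/1.1" 200',
]


def flag_log_lines(lines: List[str]) -> List[str]:
    """Return the raw Host values in the log that carry a non-numeric port."""
    flagged = []
    for line in lines:
        host = line.split('"')[1]
        if suspicious_host(host):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for h in ("foo.com", "foo.com:z", "foo.comz"):
        print(h, "->", route(h))
    print("flagged:", flag_log_lines(SAMPLE_LOG))
```

In a real deployment the normalised value is what nginx exposes as `$host`; the raw header, which a check like `suspicious_host` needs, is `$http_host`, so a log format that records `$http_host` is what makes this detection possible from access logs.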