Opened 19 months ago
Closed 19 months ago
#2468 closed defect (duplicate)
The value of variable `$http_host` will not fallback to the value of `:authority` pseudo-header when the client not providing the request header `Host`
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | nginx-1.23.4 |
Component: | http/3 | Version: | 1.23.x |
Keywords: | host header BCbreak HTTP_HOST | Cc: | n0099@… |
uname -a: | Linux azure 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.23.4 (nginx-quic-def8e398d7c5)
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) built with OpenSSL 3.0.7+quic 1 Nov 2022 (running with OpenSSL 3.0.8+quic 7 Feb 2023) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --build=nginx-quic-def8e398d7c5 --with-http_v3_module --with-stream_quic_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-quic-1.23.4/debian/debuild-base/nginx-quic-1.23.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/quictls' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/usr/lib/x86_64-linux-gnu/quictls -lssl -lcrypto' |
Description
This ticket was originally posted at github.com/nginx-quic/nginx-quic/issues/3
*plz replace example
with a testing domain that is backed by nginx-quic
to reproduce this backward compatibility break*
server { server_name example; listen 443 http3 reuseport; add_header Alt-Svc 'h3=":$server_port"; ma=86400'; add_header X-HTTP-Host "value=$http_host"; add_header X-Host "value=$host"; }
$ curl --http1.1 -sIw '%{stderr}using %{http_version}\n' example | grep -i host using 1.1 X-HTTP-Host: value=example X-Host: value=example $ curl --http2 -sIw '%{stderr}using %{http_version}\n' example | grep -i host x-http-host: value=example x-host: value=example using 2 $ docker run -it --rm ymuski/curl-http3 bash -c "curl --http3 -sIw '%{stderr}using %{http_version}\n' example | grep -i host" x-http-host: value= x-host: value=example using 3
Note curl --http3
is sending the Host
header:
$ docker run -it --rm ymuski/curl-http3 curl --http3 -vso /dev/null example ... * using HTTP/3 * h2h3 [:method: GET] * h2h3 [:path: /] * h2h3 [:scheme: https] * h2h3 [:authority: example] * h2h3 [user-agent: curl/7.88.1-DEV] * h2h3 [accept: */*] * Using HTTP/3 Stream ID: 0 (easy handle 0x55a0d0982900) > GET / HTTP/3 > Host: example > user-agent: curl/7.88.1-DEV > accept: */* >
Note:
See TracTickets
for help on using tickets.
Avoid using
$http_host
, it returns the value of theHost
header, and not the:authority
pseudo-header (or the authority component from the request line in HTTP/1.x). Use$host
instead, it represents the host value nginx is actually using from the request.Duplicate of #2281.