#2468 closed defect (duplicate)

The value of variable `$http_host` will not fall back to the value of the `:authority` pseudo-header when the client does not provide the request header `Host`

Reported by: n0099@…
Owned by:
Priority: minor
Milestone: nginx-1.23.4
Component: http/3
Version: 1.23.x
Keywords: host header BCbreak HTTP_HOST
Cc: n0099@…
uname -a: Linux azure 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.23.4 (nginx-quic-def8e398d7c5)
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1)
built with OpenSSL 3.0.7+quic 1 Nov 2022 (running with OpenSSL 3.0.8+quic 7 Feb 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --build=nginx-quic-def8e398d7c5 --with-http_v3_module --with-stream_quic_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-quic-1.23.4/debian/debuild-base/nginx-quic-1.23.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/quictls' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L/usr/lib/x86_64-linux-gnu/quictls -lssl -lcrypto'

Description

This ticket was originally posted at github.com/nginx-quic/nginx-quic/issues/3

*plz replace example with a testing domain that is backed by nginx-quic to reproduce this backward compatibility break*

```
server {
        server_name example;
        listen 443 http3 reuseport;
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header X-HTTP-Host "value=$http_host";
        add_header X-Host "value=$host";
}
```

```
$ curl --http1.1 -sIw '%{stderr}using %{http_version}\n' example | grep -i host
using 1.1
X-HTTP-Host: value=example
X-Host: value=example
$ curl --http2 -sIw '%{stderr}using %{http_version}\n' example | grep -i host
x-http-host: value=example
x-host: value=example
using 2
$ docker run -it --rm ymuski/curl-http3 bash -c "curl --http3 -sIw '%{stderr}using %{http_version}\n' example | grep -i host"
x-http-host: value=
x-host: value=example
using 3
```

Note curl --http3 is sending the Host header:

```
$ docker run -it --rm ymuski/curl-http3 curl --http3 -vso /dev/null example
...
* using HTTP/3
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: example]
* h2h3 [user-agent: curl/7.88.1-DEV]
* h2h3 [accept: */*]
* Using HTTP/3 Stream ID: 0 (easy handle 0x55a0d0982900)
> GET / HTTP/3
> Host: example
> user-agent: curl/7.88.1-DEV
> accept: */*
>
```

Change History (1)

comment:1 by Maxim Dounin, 19 months ago

Resolution: duplicate
Status: new → closed

Avoid using $http_host, it returns the value of the Host header, and not the :authority pseudo-header (or the authority component from the request line in HTTP/1.x). Use $host instead, it represents the host value nginx is actually using from the request.

Duplicate of #2281.
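
The advice in comment:1 turned into a configuration check. This is an added example, not part of the ticket or of nginx. It lists every `$http_host` use inside a server block that has an HTTP/3 listener, which is where the variable comes back empty in the reproduction above. The function names and the sample config are constructed for illustration, and the scan is line-based: it expects `server {` on one line and does not follow `include` files.

```python
import re

# Constructed sample config, modelled on the ticket's server block.
SAMPLE_CONF = '''\
server {
    server_name example;
    listen 443 http3 reuseport;
    add_header X-HTTP-Host "value=$http_host";  # empty over HTTP/3
    add_header X-Host "value=$host";
}
server {
    listen 443 ssl;
    proxy_set_header Host $http_host;  # no HTTP/3 listener in this block
}
'''

# "http3" is the listen parameter on this page; mainline nginx 1.25+ uses "quic".
H3_LISTEN = re.compile(r"^\s*listen\b[^;]*\b(http3|quic)\b")
HTTP_HOST = re.compile(r"\$\{?http_host\b")

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def find_http_host_in_h3_servers(conf_text):
    """Return (line_no, directive) for each $http_host use inside a server
    block that also has an HTTP/3 listen directive."""
    findings, depth, server = [], 0, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        if server is None and re.match(r"\s*server\s*\{", line):
            server = {"depth": depth, "h3": False, "uses": []}
        if server is not None:
            server["h3"] = server["h3"] or bool(H3_LISTEN.search(line))
            if HTTP_HOST.search(line):
                server["uses"].append((no, line.strip()))
        depth += line.count("{") - line.count("}")
        if server is not None and depth <= server["depth"]:
            findings += server["uses"] if server["h3"] else []
            server = None
    return findings
```

Each finding is a candidate for replacing `$http_host` with `$host`, as the comment recommends.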
