Opened 4 months ago

Closed 3 months ago

#2551 closed defect (duplicate)

HTTP3 Reverse Proxy does not pass on Host Header

Reported by: https://stackoverflow.com/users/7362396/tobias-k Owned by:
Priority: minor Milestone:
Component: http/3 Version: 1.25.x
Keywords: proxy, vhost Cc:
uname -a: Linux c3602a6c712b 6.2.0-33-generic #33-Ubuntu SMP PREEMPT_DYNAMIC Tue Sep 5 14:49:19 UTC 2023 x86_64 GNU/Linux

(debian:11 Docker image on Ubuntu 23.04 host, same issue happens on native debian11 host), amd64
nginx -V: nginx version: nginx/1.25.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022 (running with OpenSSL 1.1.1w 11 Sep 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.2/debian/debuild-base/nginx-1.25.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

linux_packages site

Description

Hi,
I've encountered an issue with the HTTP/3 / QUIC setup:
The minimal testsetup is the default installation with a server as from the docs + reverse proxy:

server {

listen 443 quic reuseport;
listen 443 ssl;

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

location / {

add_header Alt-Svc 'h3=":443"; ma=86400';
proxy_pass ht tp:// dm-devel.hosts.dm-intern.de; # spaced up for link limit in trac

}

}

I test this setup using:

curl -vik --http3-only htt ps:// localhost:443 -H "Host: exvhost"

and also tracing the proxy requests using

tcpdump 'port 80'

It produces the following backend request:
GET / HTTP/1.0
Host: dm-devel.hosts.dm-intern.de <-- not the originally requested header, probably the expected behaviour
Connection: close
user-agent: ..
accept: ..

Adding "proxy_set_header Host $http_host;" :

GET / HTTP/1.0 <-- no Host header at all here though!
Connection: close
user-agent: ..
accept: ..

Using curl --http2 or --http1.1 it works:

GET / HTTP/1.0
Host: exvhost <-- our requested Host
Connection: close
User-Agent: ..
Accept: ..

Change History (3)

comment:1 by https://stackoverflow.com/users/7362396/tobias-k, 4 months ago

Apparently it works when using $host instead as mentioned in some other tickets like #2281

comment:2 by Avamander@…, 3 months ago

$http_host is also empty for http3 connections, if used in conditionals (if ( $http_host ...)

comment:3 by Maxim Dounin, 3 months ago

Resolution: duplicate
Status: newclosed

Duplicate of #2281.

Note: See TracTickets for help on using tickets.