Opened 6 months ago
Closed 5 months ago
#2551 closed defect (duplicate)
HTTP3 Reverse Proxy does not pass on Host Header
| Reported by: | https://stackoverflow.com/users/7362396/tobias-k | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | http/3 | Version: | 1.25.x |
| Keywords: | proxy, vhost | Cc: | |
| uname -a: |
Linux c3602a6c712b 6.2.0-33-generic #33-Ubuntu SMP PREEMPT_DYNAMIC Tue Sep 5 14:49:19 UTC 2023 x86_64 GNU/Linux
(debian:11 Docker image on Ubuntu 23.04 host, same issue happens on native debian11 host), amd64 |
||
| nginx -V: |
nginx version: nginx/1.25.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) built with OpenSSL 1.1.1n 15 Mar 2022 (running with OpenSSL 1.1.1w 11 Sep 2023) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.2/debian/debuild-base/nginx-1.25.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' linux_packages site |
||
Description
Hi,
I've encountered an issue with the HTTP/3 / QUIC setup:
The minimal testsetup is the default installation with a server as from the docs + reverse proxy:
server {
listen 443 quic reuseport;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
location / {
add_header Alt-Svc 'h3=":443"; ma=86400';
proxy_pass ht tp:// dm-devel.hosts.dm-intern.de; # spaced up for link limit in trac
}
}
I test this setup using:
curl -vik --http3-only htt ps:// localhost:443 -H "Host: exvhost"
and also tracing the proxy requests using
tcpdump 'port 80'
It produces the following backend request:
GET / HTTP/1.0
Host: dm-devel.hosts.dm-intern.de <-- not the originally requested header, probably the expected behaviour
Connection: close
user-agent: ..
accept: ..
Adding "proxy_set_header Host $http_host;" :
GET / HTTP/1.0 <-- no Host header at all here though!
Connection: close
user-agent: ..
accept: ..
Using curl --http2 or --http1.1 it works:
GET / HTTP/1.0
Host: exvhost <-- our requested Host
Connection: close
User-Agent: ..
Accept: ..
Change History (3)
comment:1 by , 6 months ago
comment:2 by , 5 months ago
$http_host is also empty for http3 connections, if used in conditionals (if ( $http_host ...)
Apparently it works when using $host instead as mentioned in some other tickets like #2281