#2553 closed defect (invalid)

Nginx Allows any server_version starting with the number 1, HTTP/1.X

Reported by: JKrehling@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.25.x
Keywords: server_protocol Cc:
uname -a: Linux nginx-deployment-544dc8b7c4-jtcr2 5.15.128 #1 SMP Thu Oct 5 19:04:09 UTC 2023 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.3
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 3.0.9 30 May 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.3/debian/debuild-base/nginx-1.25.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Found that if I use telnet to send non existent server protocols to my server nginx proxies it through even if its not a valid server_version. In this example I pass HTTP/1.4

telnet localhost 81
Trying ::1...
Connected to localhost.
Escape character is ']'

GET /Hello HTTP/1.4
Host: myhostheader.com

::1 - - [27/Oct/2023:19:51:19 +0000] "GET /Hello HTTP/1.4" 404 714 "-" "-" "-"
HTTP/1.1 404
Server: nginx/1.25.3
Date: Fri, 27 Oct 2023 19:51:19 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 714
Connection: keep-alive
Content-Language: en

<!doctype html>....</html>

I'm not doing anything fancy to do this. I just used the nginx image and added proxy_pass

# configuration file /etc/nginx/conf.d/default.conf:
server {

listen 81;
listen [::]:81;
server_name localhost;

location / {

root /usr/share/nginx/html;
proxy_pass http://myupstream:80;
index index.html index.htm;

}

error_page 500 502 503 504 /50x.html;
location = /50x.html {

root /usr/share/nginx/html;

}

}

I would expect it to return 505 like if I enter a random other digit
telnet localhost 81
Trying ::1...
Connected to localhost.
Escape character is ']'.
GET /Hello HTTP/5.4
Host: myhostheader.comHTTP/1.1 505 HTTP Version Not Supported
Server: nginx/1.25.3
Date: Fri, 27 Oct 2023 19:54:00 GMT
Content-Type: text/html
Content-Length: 187
Connection: close

<html>
<head><title>505 HTTP Version Not Supported</title></head>
<body>
<center><h1>505 HTTP Version Not Supported</h1></center>
<hr><center>nginx/1.25.3</center>
</body>
</html>
::1 - - [27/Oct/2023:19:54:00 +0000] "GET /Hello HTTP/5.4" 505 187 "-" "-" "-"
Connection closed by foreign host.

Change History (1)

comment:1 by Maxim Dounin, 14 months ago

Resolution: invalid
Status: newclosed

HTTP uses version numbering designed to make it possible to understand future communications, and valid clients using any future HTTP/1.x protocol, with the same major version, such as HTTP/1.4 in your example, are expected to be able to talk to HTTP/1.1 servers. Similarly to how HTTP/1.1 clients can talk to HTTP/1.0 servers (or HTTP/1.0 clients to HTTP/1.1 servers). The 505 (HTTP Version Not Supported) error is only returned when major version is not supported by the server.

Please see RFC 9110, 2.5. Protocol Version for details on protocol versions in HTTP. Additionally, RFC 2145 might be interesting.

Note: See TracTickets for help on using tickets.