id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2553	Nginx Allows any server_version starting with the number 1, HTTP/1.X	JKrehling@…		"Found that if I use telnet to send non existent server protocols to my server nginx proxies it through even if its not a valid server_version. In this example I pass HTTP/1.4 

telnet localhost 81
Trying ::1...
Connected to localhost.
Escape character is '^]'

GET /Hello HTTP/1.4
Host: myhostheader.com

::1 - - [27/Oct/2023:19:51:19 +0000] ""GET /Hello HTTP/1.4"" 404 714 ""-"" ""-"" ""-""
HTTP/1.1 404 
Server: nginx/1.25.3
Date: Fri, 27 Oct 2023 19:51:19 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 714
Connection: keep-alive
Content-Language: en

<!doctype html>....</html>

I'm not doing anything fancy to do this. I just used the nginx image and added proxy_pass 

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       81;
    listen  [::]:81;
    server_name  localhost;


    location / {
        root   /usr/share/nginx/html;
	proxy_pass http://myupstream:80;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}


I would expect it to return 505 like if I enter a random other digit 
telnet localhost 81
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET /Hello HTTP/5.4
Host: myhostheader.comHTTP/1.1 505 HTTP Version Not Supported
Server: nginx/1.25.3
Date: Fri, 27 Oct 2023 19:54:00 GMT
Content-Type: text/html
Content-Length: 187
Connection: close

<html>
<head><title>505 HTTP Version Not Supported</title></head>
<body>
<center><h1>505 HTTP Version Not Supported</h1></center>
<hr><center>nginx/1.25.3</center>
</body>
</html>
::1 - - [27/Oct/2023:19:54:00 +0000] ""GET /Hello HTTP/5.4"" 505 187 ""-"" ""-"" ""-""
Connection closed by foreign host.
"	defect	closed	major		nginx-core	1.25.x	invalid	server_protocol		Linux nginx-deployment-544dc8b7c4-jtcr2 5.15.128 #1 SMP Thu Oct 5 19:04:09 UTC 2023 x86_64 GNU/Linux	"nginx version: nginx/1.25.3
built by gcc 12.2.0 (Debian 12.2.0-14) 
built with OpenSSL 3.0.9 30 May 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.3/debian/debuild-base/nginx-1.25.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
"