Opened 9 months ago
#2615 new enhancement
Don't proxy connection-specific headers by default
| Reported by: | Sam Bull | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.22.x |
| Keywords: | | Cc: | |
| uname -a: | | | |

nginx -V:
nginx version: nginx/1.22.1
built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic
Description
Problem
If you set up a proxy to another server, the proxy connection can only be done with HTTP 1.0/1.1. In most cases, a browser will then connect to nginx with HTTP/2.0.
The proxy server will then likely respond with an Upgrade header. Nginx then passes this header to the client. But, in HTTP/2 these connection-specific headers are invalid and some clients will reject the message (according to the specs, all clients should be rejecting the message).
https://www.rfc-editor.org/rfc/rfc9113#section-8.2.2-1
Solution
Even if the HTTP version is the same, these connection-specific headers apply to the connection between nginx and the proxy only. They should not have any relation to the client's connection and therefore should not be passed through.
Disabling passing of these headers by default will make configuration easier and result in users experiencing fewer issues when trying to create a proxy.
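The filtering this ticket asks for, sketched as an added example (not part of the original report and not nginx code): it drops the fields RFC 9113 section 8.2.2 names as connection-specific, plus any field nominated by the backend's `Connection` header, before a response is relayed to an HTTP/2 client. The function name, the constant names and the sample response are assumptions made for illustration.

```python
# Added example: filter a backend (HTTP/1.1) response header list before
# relaying it to an HTTP/2 client, per RFC 9113 section 8.2.2.
# Function and variable names are illustrative, not nginx internals.

# Fields RFC 9113 section 8.2.2 names as connection-specific.
CONNECTION_SPECIFIC = frozenset({
    "connection", "proxy-connection", "keep-alive",
    "transfer-encoding", "upgrade",
})


def strip_connection_specific(headers):
    """Return (forwardable, dropped) for a list of (name, value) pairs."""
    # Fields nominated by Connection are hop-by-hop too (RFC 9110 7.6.1).
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            nominated.update(
                tok.strip().lower() for tok in value.split(",") if tok.strip()
            )

    blocked = CONNECTION_SPECIFIC | nominated
    forwardable, dropped = [], []
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        target = dropped if name.lower() in blocked else forwardable
        target.append((name, value))
    return forwardable, dropped


# Constructed sample: a backend response that includes an Upgrade header.
SAMPLE_BACKEND_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Connection", "Upgrade, X-Hop"),
    ("Upgrade", "h2c"),
    ("Keep-Alive", "timeout=5"),
    ("X-Hop", "1"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    kept, removed = strip_connection_specific(SAMPLE_BACKEND_RESPONSE)
    print("forward to HTTP/2 client:", kept)
    print("dropped:", [name for name, _ in removed])
```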