Opened 10 months ago

#2615 new enhancement

Don't proxy connection-specific headers by default

Reported by: Sam Bull Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.22.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.22.1
built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic

Description

Problem

If you set up a proxy to another server, the proxy connection can only be done with HTTP 1.0/1.1. In most cases, a browser will then connect to nginx with HTTP/2.0.

The proxy server will then likely respond with an Upgrade header. Nginx then passes this header to the client. But, in HTTP/2 these connection-specific headers are invalid and some clients will reject the message (according to the specs, all clients should be rejecting the message).
https://www.rfc-editor.org/rfc/rfc9113#section-8.2.2-1

Solution

Even if the HTTP version is the same, these connection-specific headers apply to the connection between nginx and the proxy only. They should not have any relation to the client's connection and therefore should not be passed through.

Disabling passing of these headers by default will make configuration easier and result in users experiencing less issues when trying to create a proxy.

Change History (0)

Note: See TracTickets for help on using tickets.