id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 2615 Don't proxy connection-specific headers by default Sam Bull "== Problem == If you set up a proxy to another server, the proxy connection can only be done with HTTP 1.0/1.1. In most cases, a browser will then connect to nginx with HTTP/2.0. The proxy server will then likely respond with an Upgrade header. Nginx then passes this header to the client. But, in HTTP/2 these connection-specific headers are invalid and some clients will reject the message (according to the specs, all clients should be rejecting the message). https://www.rfc-editor.org/rfc/rfc9113#section-8.2.2-1 == Solution == Even if the HTTP version is the same, these connection-specific headers apply to the connection between nginx and the proxy only. They should not have any relation to the client's connection and therefore should not be passed through. Disabling passing of these headers by default will make configuration easier and result in users experiencing less issues when trying to create a proxy." enhancement new major nginx-module 1.22.x "nginx version: nginx/1.22.1 built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic"