NGINX and RFC7540 (http2) violation
lucas at lucasrolff.com
Thu Dec 28 19:16:29 UTC 2017
I was playing around with nginx and haproxy recently to decide whether to go for nginx or haproxy in a specific environment.
One of the requirements was http2 support which both pieces of software support (with nginx having supported it for a lot longer than haproxy).
However, one thing I saw, is that according to the http2 specification section 184.108.40.206 (https://tools.ietf.org/html/rfc7540#section-220.127.116.11 ), HTTP2 does not use the Connection header field to indicate connection-specific headers in the protocol.
If a client sends a Connection: keep-alive the client effectively violates the specification which surely should not happen, but in case the client actually would send the Connection header the server MUST treat the messages containing the connection header as malformed.
I saw that this is not the case for nginx in any way, which causes it to not follow the actual specification.
Can I ask why it was decided to implement it to simply “ignore” the fact that a client might violate the spec? And is there any plans to make nginx compliant with the current http2 specification?
I’ve found that both Firefox and Safari violates this very specific section, and they’re violated because servers implementing the http2 specification allowed them to do so, effectively causing the specification not to be followed.
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx