[PATCH] Add strict Host validation
Gena Makhomed
gmm at csdoc.com
Tue Jan 13 14:13:11 UTC 2015
On 13.01.2015 14:39, Ruslan Ermilov wrote:
>> $ curl -I nginx.org -H"Host: \$"
>> curl: (52) Empty reply from server
>>
>> You cannot possibly tell me that's correct and/or expected behavior?
>> And that's not even a control character.
>
> That's because this site is configured to reject unknown server
> names, like here:
>
> http://nginx.org/en/docs/http/server_names.html#miscellaneous_names
>
> : In catch-all server examples the strange name “_” can be seen:
> :
> :     server {
> :         listen       80  default_server;
> :         server_name  _;
> :         return       444;
> :     }

As it is described in http://tools.ietf.org/html/rfc7230#section-5.4
nginx in this case MUST respond with a 400 (Bad Request) status code
to be compliant with the HTTP/1.1 spec:

: A server MUST respond with a 400 (Bad Request) status code to any
: HTTP/1.1 request message that lacks a Host header field and to any
: request message that contains more than one Host header field or a
: Host header field with an invalid field-value.

Maybe it will be better to fix documentation examples
to make these examples compatible with HTTP/1.1 RFCs?

--
Best regards,
Gena
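
The three rejection conditions in the RFC 7230 section 5.4 text quoted above, written out as an added example that is not part of the original message or of nginx: a Python check of a request's Host fields against the `Host = uri-host [ ":" port ]` grammar. The function name, the header-list shape and the loose IP-literal pattern are assumptions made for illustration.

```python
import re

# RFC 7230 section 5.4: Host = uri-host [ ":" port ]; uri-host is the RFC 3986 host.
_CHARS = r"A-Za-z0-9\-._~!$&'()*+,;="            # unreserved + sub-delims
_REG_NAME = rf"(?:[{_CHARS}]|%[0-9A-Fa-f]{{2}})*"  # also covers IPv4address
# Assumption: IP-literal is checked loosely (bracketed hex/colon/dot, or
# IPvFuture shape), not against the full IPv6address grammar.
_IP_LITERAL = rf"\[(?:[0-9A-Fa-f:.]+|v[0-9A-Fa-f]+\.[{_CHARS}:]+)\]"
_HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?")


def host_status(headers, version="HTTP/1.1"):
    """Return 400 when section 5.4 mandates it, else None.

    headers: list of (name, value) pairs exactly as received (hypothetical shape).
    """
    hosts = [value for name, value in headers if name.lower() == "host"]
    if len(hosts) > 1:                      # more than one Host field
        return 400
    if not hosts:                           # missing Host: only HTTP/1.1 must be rejected
        return 400 if version == "HTTP/1.1" else None
    value = hosts[0].strip(" \t")           # optional whitespace is not part of the value
    return None if _HOST_RE.fullmatch(value) else 400


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ([("Host", "nginx.org")], "HTTP/1.1"),
    ([("Host", "[::1]:8080")], "HTTP/1.1"),
    ([("Host", "$")], "HTTP/1.1"),           # "$" is a sub-delim, so reg-name allows it
    ([("Host", "a b")], "HTTP/1.1"),         # space is outside the grammar
    ([("Host", "nginx.org/x")], "HTTP/1.1"),
    ([("Host", "a"), ("host", "b")], "HTTP/1.1"),
    ([], "HTTP/1.1"),
    ([], "HTTP/1.0"),
]

if __name__ == "__main__":
    for headers, version in SAMPLES:
        print(version, headers, "->", host_status(headers, version))
```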