[PATCH 4 of 4] HTTP/2: reject HTTP/2 requests with connection-specific headers

Piotr Sikora piotrsikora at google.com
Sat Jun 17 20:57:38 UTC 2017

Hey Maxim,

> I'm highly sceptical about the whole series in general, and this
> patch specifically.
> In particular, the "Proxy-Connection" header is not something even
> defined by any standard, and even in its non-standard [broken]
> meaning never expected to be used in connections to nginx.  Not to
> mention that Proxy-Authorization, a standard-defined hop-by-hop
> (connection-specific in terms of HTTP/2) header, is not checked
> anywhere.

Proxy-Connection is mentioned (and discouraged) in RFC 7230.

> Additionally, I really think that disabling upgrades is one of the
> big mistakes of HTTP/2.  It would be much more logical to
> interpret an HTTP/2 stream as a connection to upgrade, and allow to
> multiplex arbitrary protocols via a single HTTP/2 connection.

Unfortunately, I have to agree.

> Unless there are practical reasons for these changes, I would
> rather reject the series.

The practical reason is that other implementations (e.g. nghttp2)
reject requests with those headers, which leads to weird behavior
where NGINX accepts requests and proxies them to an HTTP/2 upstream
which rejects them because they contain one of those headers.

We could clear those headers in the proxy module (I'm already doing that
for most of the headers, anyway), but it feels like a workaround for
broken clients.

Having said that, I'm fine with dropping the whole patchset.

Best regards,
Piotr Sikora
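
The two options discussed in this message (reject the request, or clear the headers before proxying), sketched as an added example that is not part of the e-mail or of the nginx patch series. The `struct hdr` type and the `h2_*` function names are hypothetical; the field list is the one given in RFC 7540 section 8.1.2.2, including its exception for `TE: trailers`.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical header pair for this example, not nginx's ngx_table_elt_t. */
struct hdr { const char *name; const char *value; };

/* Fields RFC 7540 section 8.1.2.2 names as connection-specific. */
static const char *const conn_specific[] = {
    "connection", "keep-alive", "proxy-connection",
    "transfer-encoding", "upgrade",
};

/* Returns 1 if the field must not appear in an HTTP/2 message. */
int h2_is_connection_specific(const struct hdr *h) {
    size_t i;
    for (i = 0; i < sizeof(conn_specific) / sizeof(conn_specific[0]); i++)
        if (strcasecmp(h->name, conn_specific[i]) == 0)
            return 1;
    /* TE is the exception: permitted only with the value "trailers". */
    if (strcasecmp(h->name, "te") == 0)
        return strcasecmp(h->value, "trailers") != 0;
    return 0;
}

/* Reject policy: index of the first offending field, or -1 if none. */
int h2_first_violation(const struct hdr *h, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (h2_is_connection_specific(&h[i]))
            return (int) i;
    return -1;
}

/* Clear policy: drop offending fields in place, return the new count. */
size_t h2_strip(struct hdr *h, size_t n) {
    size_t i, kept = 0;
    for (i = 0; i < n; i++)
        if (!h2_is_connection_specific(&h[i]))
            h[kept++] = h[i];
    return kept;
}

int main(void) {
    struct hdr req[] = { {"accept", "*/*"}, {"te", "trailers"},  /* constructed sample */
                         {"proxy-connection", "keep-alive"}, {"te", "gzip"} };
    printf("first violation at index %d\n", h2_first_violation(req, 4));
    printf("%zu headers left after strip\n", h2_strip(req, 4));
    return 0;
}
```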
