Having dot in the header name
Maxim Dounin
mdounin at mdounin.ru
Fri Jan 22 22:25:50 MSK 2010
Hello!
On Sat, Jan 23, 2010 at 12:08:08AM +0530, Vinay Y S wrote:
> Hi,
> I see that nginx as proxy rejects headers with name like "auth.client" or
> "auth.token" (with dot in their name) and stops parsing further headers.
> Thus the request to the upstream server doesn't contain these headers. From
> the logs, it says "client sent invalid header line".
>
> Why is having a dot in the header name considered invalid? I searched the
> relevant RFCs (2616 and 822) and they don't seem to exclude dot. May I know
> the reason for nginx to reject headers with dot while other servers like
> Apache httpd parse headers with dot just fine.
>
> Also, in the nginx source I noticed a undocumented directive
> "ignore_invalid_headers" which is on by default. It when set to off, makes
> nginx passes such headers to the upstream server properly.
>
> Is it safe to use this directive? Are there any side-effects, performance
> issues related to using it?
Basically nginx does this because:
1. they aren't generally used (http itself only uses alphanumeric
and "-" in headers);
2. they are likely to cause issues, including security ones, with
translations like CGI does (X-Blah -> HTTP_X_BLAH, X_Blah ->
HTTP_X_BLAH, X.Blah -> HTTP_X_BLAH); note that nginx itself uses
similar translation for $http_* variables and AFAIR while passing
headers to fastcgi backends.
As long as you are ok with the above - it should be mostly ok to
switch off ignore_invalid_headers.
Maxim Dounin
More information about the nginx
mailing list