What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

Sai Vishnu Soudri (ssoudri) ssoudri at cisco.com
Fri Dec 10 11:46:48 UTC 2021


Hi everyone,

I'm a new NGINX user and I want to understand what NGINX reverse proxy users are doing to mitigate HTTP request smuggling vulnerability. I understand that NGINX does not support sending HTTP/2 requests upstream.

Since the best way to prevent HTTP Request Smuggling is by sending HTTP/2 requests end to end. I believe NGINX when used as a reverse proxy could expose my backend server to HTTP request smuggling when it converts incoming HTTP/2 requests to HTTP/1.1 before sending it upstream.

Apart from the web application firewall (WAF) from NGINX App Protect, is there any other solution to tackle this vulnerability? I am relatively new to NGINX and reverse proxies, if NGINX or its users does have an alternate solution, please do share.

Thank you.
Regards,
Sai Vishnu Soudri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20211210/4af288e9/attachment.htm>


More information about the nginx mailing list