What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

Maxim Dounin mdounin at mdounin.ru
Mon Dec 13 22:18:21 UTC 2021


On Fri, Dec 10, 2021 at 11:46:48AM +0000, Sai Vishnu Soudri (ssoudri) wrote:

> Hi everyone,
> I'm a new NGINX user and I want to understand what NGINX reverse 
> proxy users are doing to mitigate HTTP request smuggling 
> vulnerability. I understand that NGINX does not support sending 
> HTTP/2 requests upstream.
> Since the best way to prevent HTTP Request Smuggling is by 
> sending HTTP/2 requests end to end. I believe NGINX when used as 
> a reverse proxy could expose my backend server to HTTP request 
> smuggling when it converts incoming HTTP/2 requests to HTTP/1.1 
> before sending it upstream.
> Apart from the web application firewall (WAF) from NGINX App 
> Protect, is there any other solution to tackle this 
> vulnerability? I am relatively new to NGINX and reverse proxies, 
> if NGINX or its users does have an alternate solution, please do 
> share.

There are no know vulnerabilities in nginx which make request 
smuggling possible.  In particular, HTTP/2 code properly rejects 
things like ":" or newlines in headers and checks the request body 
length from the very start.

Further, various mitigations introduced in nginx 1.21.x are 
believed to stop most, if not all, known attacks even assuming 
various known vulnerabilities of a server in front of nginx and/or 
behind nginx.

Probably the only thing to care about are inherently insecure 
settings like "ignore_invalid_headers off;"[1] and 
"underscores_in_headers on;"[2].  These are better to be kept in 
their default values unless you understand possible implications 
in your particular setup.

[1] http://nginx.org/r/ignore_invalid_headers
[2] http://nginx.org/r/underscores_in_headers

Maxim Dounin

More information about the nginx mailing list