What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

Maxim Dounin mdounin at mdounin.ru
Tue Dec 14 22:16:51 UTC 2021


On Tue, Dec 14, 2021 at 02:50:19PM +0000, Sai Vishnu Soudri (ssoudri) wrote:

> Thanks a lot for your reply. Just to clarify, by "There are no 
> know vulnerabilities in nginx which make request smuggling 
> possible" you mean after the 1.21.x release right?
> I am using OpenResty and the latest version of OpenResty is 
> based on mainline nginx core 1.19.9.

Supported releases are 1.20.2 stable and 1.21.4 mainline, see 
http://nginx.org/en/download.html.  Though 1.19.9 isn't much 

> Currently, the approach I'm taking to mitigate HTTP Request 
> Smuggling is blocking all incoming HTTP/1.1 requests. I was 
> worried if incoming HTTP/2 requests would pose a vulnerability 
> as nginx converts it before sending upstream, but with your 
> reply I believe that should not be a problem anymore.
> Since OpenResty is not able to leverage the new changes added in 
> 1.21.x, do you suggest I continue with this approach till 
> OpenResty can leverage the changes made in 1.21.x or is it 
> mandatory to use 1.21.x and block HTTP/1.1 requests to prevent 
> request smuggling.

I don't think you need to do anything special to prevent request 
smuggling unless you are using a buggy server in front of nginx.

Maxim Dounin

More information about the nginx mailing list