HTTP request smuggling

Maxim Dounin mdounin at
Wed Jun 30 19:17:32 UTC 2021


On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:

> Thanks! That makes sense to me. I like to understand things a little 
> better and hope you can help with that:
> 1) Why is the result different when I disable keepalive in Nginx? After 
> disabling keepalive the second request isn't executed anymore.

Because multiple requests in the same connection only work with 
keepalive.  As long as keepalive is disabled, only the first 
request in the connection is processed.  To make additional 
requests the client have to open additional connections.

> 2) Do you know why Apache respond the same as Nginx with 
> keepalive disabled?

Because keepalive is disabled on the Apache server you are testing 
against?  As long as keepalive is enabled, the same requests work 
perfectly with Apache and return two responses as they should.

Maxim Dounin

More information about the nginx mailing list