undefined | Better HN

0 pointsyakshaving_jgt2y ago0 comments

Another issue with nginx IIRC is that it allows HTTP request smuggling, which is a critical security vulnerability.

0 comments

That's been fixed for years. The CVE I can find was resolved in 1.17.7 (Dec 2019), and further hardening was applied in 1.21.1 (Jul 2021).

yakshaving_jgtOP2y ago

Can nginx send requests upstream over HTTP/2?

I see this question has remained unanswered for a couple of years.

https://security.stackexchange.com/questions/257823/what-are...

callahad2y ago

It cannot. There's more detailed reasoning at https://trac.nginx.org/nginx/ticket/923, but the tl;dr is:

> nginx is already good at mitigating HTTP desync / request smuggling attacks, even without using HTTP/2 to backends. In particular because it normalizes Content-Length and Transfer-Encoding while routing requests (and also does not reuse connections to backend servers unless explicitly configured to do so)

j / k navigate · click thread line to collapse

0 comments

callahad2y ago

That's been fixed for years. The CVE I can find was resolved in 1.17.7 (Dec 2019), and further hardening was applied in 1.21.1 (Jul 2021).

yakshaving_jgtOP2y ago

Can nginx send requests upstream over HTTP/2?

I see this question has remained unanswered for a couple of years.

https://security.stackexchange.com/questions/257823/what-are...

callahad2y ago

It cannot. There's more detailed reasoning at https://trac.nginx.org/nginx/ticket/923, but the tl;dr is:

j / k navigate · click thread line to collapse