nginx.git/src/http/modules, branch release-1.29.5 nginx Proxy: fixed sending HTTP/2 buffered request body on next upstream. 2026-01-29T10:52:41+00:00 Sergey Kandaurov pluknet@nginx.com 2025-12-24T18:59:40+00:00 cd12dc4f12489257e851654ec1883cf06fa0b095 If a buffered request body wasn't fully sent, such as on early upstream response or limited by flow control, unsent buffers could remain in the input or busy chains when switching to the next upstream server. This resulted either in the invalid request sent or a stalled connection. The fix is to reset chains similar to ngx_http_upstream_reinit(). 
If a buffered request body wasn't fully sent, such as on early upstream
response or limited by flow control, unsent buffers could remain in the
input or busy chains when switching to the next upstream server.  This
resulted either in the invalid request sent or a stalled connection.

The fix is to reset chains similar to ngx_http_upstream_reinit().
Range filter: reasonable limit on multiple ranges. 2026-01-21T16:39:00+00:00 Sergey Kandaurov pluknet@nginx.com 2026-01-13T12:51:07+00:00 cb9252ae6537d8c24addcf0822267804fc73db43 A total response length with multiple ranges can be larger than the source response size due to multipart boundary headers. This change extends max ranges limit imposed in c2c3e3105 (1.1.2) by accounting boundary headers. Notably, this covers suspicious requests with a lot of small ranges that have an increased processing overhead and are susceptible to range based amplification attacks. The limit disables ranges as long as a total response length comes close to the source size, additionally penalizing small size ranges on a large source size where a processing overhead prevails, while leaving a room for more ranges on a small source size, such that it should not affect well-behaving applications. The limit can be altered with the "max_ranges" directive. Closes #988 on GitHub. 
A total response length with multiple ranges can be larger than the
source response size due to multipart boundary headers.  This change
extends max ranges limit imposed in c2c3e3105 (1.1.2) by accounting
boundary headers.  Notably, this covers suspicious requests with a
lot of small ranges that have an increased processing overhead and
are susceptible to range based amplification attacks.

The limit disables ranges as long as a total response length comes
close to the source size, additionally penalizing small size ranges
on a large source size where a processing overhead prevails, while
leaving a room for more ranges on a small source size, such that it
should not affect well-behaving applications.  The limit can be
altered with the "max_ranges" directive.

Closes #988 on GitHub.
Uwsgi: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 8ea6eb5108f72f40975a812fa084703b21198cb4 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.
SCGI: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 d8d092a49da88c42b192b7b5d88f7e628ab30560 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.
FastCGI: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 71b18973b2b5ea29ed27b47fc0e619b4df533b60 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. Closes: https://github.com/nginx/nginx/issues/256 Closes: https://github.com/nginx/nginx/issues/455 Closes: https://github.com/nginx/nginx/issues/912 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.

Closes: https://github.com/nginx/nginx/issues/256
Closes: https://github.com/nginx/nginx/issues/455
Closes: https://github.com/nginx/nginx/issues/912
Proxy: cache support for HTTP/2. 2025-12-08T03:49:16+00:00 Zhidao HONG z.hong@f5.com 2025-11-30T16:35:31+00:00 61690b5dc04ac31e4b402695cfc71c504be489dd 






Proxy: buffering support for HTTP/2.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:32:15+00:00

17fd964f99b7c28155dc0aadbadeb3b739951cf3












Proxy: extracted control frame and skip functions for HTTP/2.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:27:26+00:00

fdd8e97558b3e4002affd11fedc88cdf4ad4796c












Proxy: extracted ngx_http_proxy_v2_process_frames() function.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:24:24+00:00

2a0342a17ddfe32ee984177dc313c8de14cb1de2












Proxy: added HTTP/2 proxy module.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-07-15T15:35:39+00:00

9bf758ea4d5db1101296cc111f6d782045148727

The module allows to use HTTP/2 protocol for proxying.
HTTP/2 proxying is enabled by specifying "proxy_http_version 2".

Example:

    server {
        listen 8000;

        location / {
            proxy_http_version 2;
            proxy_pass https://127.0.0.1:8443;
        }
    }

    server {
        listen 8443 ssl;
        http2 on;

        ssl_certificate certs/example.com.crt;
        ssl_certificate_key certs/example.com.key;

        location / {
            return 200 foo;
        }
    }





The module allows to use HTTP/2 protocol for proxying.
HTTP/2 proxying is enabled by specifying "proxy_http_version 2".

Example:

    server {
        listen 8000;

        location / {
            proxy_http_version 2;
            proxy_pass https://127.0.0.1:8443;
        }
    }

    server {
        listen 8443 ssl;
        http2 on;

        ssl_certificate certs/example.com.crt;
        ssl_certificate_key certs/example.com.key;

        location / {
            return 200 foo;
        }
    }