nginx.git/src/http/ngx_http_request.c, branch release-1.29.7 nginx Proxy authentication definitions. 2026-03-11T15:33:12+00:00 Roman Arutyunyan arut@nginx.com 2026-03-10T12:43:41+00:00 e23e7dd83a75b073773c3bc1e57bdb36c27bcc3f 






Changed interface of ngx_http_validate_host().
2025-11-26T15:51:40+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-05T12:15:12+00:00

6446f99107fff83469145b16983ebec99261a2db

This allows to process a port subcomponent and save it in r->port
in a unified way, similar to r->headers_in.server.  For HTTP/1.x
request line in the absolute form, r->host_end now includes a port
subcomponent, which is also consistent with HTTP/2 and HTTP/3.





This allows to process a port subcomponent and save it in r->port
in a unified way, similar to r->headers_in.server.  For HTTP/1.x
request line in the absolute form, r->host_end now includes a port
subcomponent, which is also consistent with HTTP/2 and HTTP/3.







Improved host header validation.
2025-11-26T15:51:40+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-04T12:34:32+00:00

511abb19e1e1b127f6d0943ccac346211a490a35

Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half





Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half







CONNECT method support for HTTP/1.1.
2025-10-23T14:40:05+00:00

Roman Arutyunyan
arut@nginx.com

2025-09-23T11:03:52+00:00

42ca3a4576a32d0a912b0bba4088b8169f55ab2d

The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.





The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.







Added $request_port and $is_request_port variables.
2025-10-23T14:40:05+00:00

Roman Arutyunyan
arut@nginx.com

2025-09-29T16:47:27+00:00

c8c7beb96f61e2251abbc345357116131cf91c22

The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.





The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.







SNI: support for early ClientHello callback with BoringSSL.
2025-09-25T15:25:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-22T15:55:16+00:00

7f9ced0ce0d70ae60f46ef3ed759efa75e711db4

This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.





This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.







SNI: using the ClientHello callback.
2025-09-25T15:25:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-27T20:53:15+00:00

0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2

The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.





The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.







Made ngx_http_process_request_header() static again.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T11:56:37+00:00

4d857aaf435975d3c34e41d7a9cb50c0f87879ec

The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.





The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.







SNI: added restriction for TLSv1.3 cross-SNI session resumption.
2025-02-05T16:11:42+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-22T14:55:44+00:00

46b9f5d389447b3b822ea71f5ac86ebc316c2975

In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.





In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.







Added "keepalive_min_timeout" directive.
2025-02-05T10:08:01+00:00

Roman Arutyunyan
arut@nginx.com

2025-01-15T08:42:39+00:00

22a2a225ba87029f0e7bbc09a80ff7cdad23399d

The directive sets a timeout during which a keepalive connection will
not be closed by nginx for connection reuse or graceful shutdown.

The change allows clients that send multiple requests over the same
connection without delay or with a small delay between them, to avoid
receiving a TCP RST in response to one of them.  This excludes network
issues and non-graceful shutdown.  As a side-effect, it also addresses
the TCP reset problem described in RFC 9112, Section 9.6, when the last
sent HTTP response could be damaged by a followup TCP RST.  It is important
for non-idempotent requests, which cannot be retried by client.

It is not recommended to set keepalive_min_timeout to large values as
this can introduce an additional delay during graceful shutdown and may
restrict nginx from effective connection reuse.





The directive sets a timeout during which a keepalive connection will
not be closed by nginx for connection reuse or graceful shutdown.

The change allows clients that send multiple requests over the same
connection without delay or with a small delay between them, to avoid
receiving a TCP RST in response to one of them.  This excludes network
issues and non-graceful shutdown.  As a side-effect, it also addresses
the TCP reset problem described in RFC 9112, Section 9.6, when the last
sent HTTP response could be damaged by a followup TCP RST.  It is important
for non-idempotent requests, which cannot be retried by client.

It is not recommended to set keepalive_min_timeout to large values as
this can introduce an additional delay during graceful shutdown and may
restrict nginx from effective connection reuse.