nginx.git/src/http/v2/ngx_http_v2.c, branch release-1.30.0 nginx Added max_headers directive. 2026-04-06T10:08:36+00:00 Maxim Dounin mdounin@mdounin.ru 2024-05-23T21:20:01+00:00 365694160a85229a7cb006738de9260d49ff5fa2 The directive limits the number of request headers accepted from clients. While the total amount of headers is believed to be sufficiently limited by the existing buffer size limits (client_header_buffer_size and large_client_header_buffers), the additional limit on the number of headers might be beneficial to better protect backend servers. Requested by Maksim Yevmenkin. Signed-off-by: Elijah Zupancic <e.zupancic@f5.com> Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea> 
The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.

Requested by Maksim Yevmenkin.

Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
Changed interface of ngx_http_validate_host(). 2025-11-26T15:51:40+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-05T12:15:12+00:00 6446f99107fff83469145b16983ebec99261a2db This allows to process a port subcomponent and save it in r->port in a unified way, similar to r->headers_in.server. For HTTP/1.x request line in the absolute form, r->host_end now includes a port subcomponent, which is also consistent with HTTP/2 and HTTP/3. 
This allows to process a port subcomponent and save it in r->port
in a unified way, similar to r->headers_in.server.  For HTTP/1.x
request line in the absolute form, r->host_end now includes a port
subcomponent, which is also consistent with HTTP/2 and HTTP/3.
HTTP/2: extended guard for NULL buffer and zero length. 2025-11-19T14:52:54+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-14T14:14:18+00:00 6ed1188411882086e3518eda779ab782d8ab4d3f In addition to moving memcpy() under the length condition in 15bf6d8cc, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow). 
In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).
Added $request_port and $is_request_port variables. 2025-10-23T14:40:05+00:00 Roman Arutyunyan arut@nginx.com 2025-09-29T16:47:27+00:00 c8c7beb96f61e2251abbc345357116131cf91c22 The $request_port variable contains the port passed by the client in the request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and HTTP/3). If the request line contains no host, or ":authority" is missing, then $request_port is taken from the "Host" header, similar to the $host variable. The $is_request_port variable contains ":" if $request_port is non-empty, and is empty otherwise. 
The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.
Updated ngx_http_process_multi_header_lines() comments. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-31T17:31:27+00:00 f4005126d78d19f1efd4f8fb4cad916d8976d97a Missed in fcf4331a0. 
Missed in fcf4331a0.
HTTP/2: fixed handling of the ":authority" header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:54:07+00:00 ede5623b1529131fcc3f994e6a6f0692954fa26b Previously, it misused the Host header processing resulting in 400 (Bad Request) errors for a valid request that contains both ":authority" and Host headers with the same value, treating it after 37984f0be as if client sent more than one Host header. Such an overly strict handling violates RFC 9113. The fix is to process ":authority" as a distinct header, similarly to processing an authority component in the HTTP/1.x request line. This allows to disambiguate and compare Host and ":authority" values after all headers were processed. With this change, the ngx_http_process_request_header() function can no longer be used here, certain parts were inlined similar to the HTTP/3 module. To provide compatibility for misconfigurations that use $http_host to return the value of the ":authority" header, the Host header, if missing, is now reconstructed from ":authority". 
Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".
HTTP/2: factored out constructing the Host header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:32:34+00:00 a238bb3d22c251647d04cf07b35c218994ab1ff5 No functional changes. 
No functional changes.
HTTP/2: close connections initialized during graceful shutdown. 2024-07-18T13:43:25+00:00 Kasei Wang kasei@kasei.im 2024-07-18T13:43:25+00:00 145b228530c364452c14d3184f1eee5e09b324aa In some rare cases, graceful shutdown may happen while initializing an HTTP/2 connection. Previously, such a connection ignored the shutdown and remained active. Now it is gracefully closed prior to processing any streams to eliminate the shutdown delay. 
In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.
HTTP/2: fixed buffer management with HTTP/2 auto-detection. 2023-10-21T14:48:24+00:00 Sergey Kandaurov pluknet@nginx.com 2023-10-21T14:48:24+00:00 b19bc2e0fa60100ee8170acf161bc9b8f01cce26 As part of normal HTTP/2 processing, incomplete frames are saved in the control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE. For this matter, two state buffers are reserved in the HTTP/2 recv buffer. As part of HTTP/2 auto-detection on plain TCP connections, initial data is first read into a buffer specified by the client_header_buffer_size directive that doesn't have state reservation. Previously, this made it possible to over-read the buffer as part of saving the state. The fix is to read the available buffer size rather than a fixed size. Although memcpy of a fixed size can produce a better optimized code, handling of incomplete frames isn't a common execution path, so it was sacrificed for the sake of simplicity of the fix. 
As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.
HTTP/2: per-iteration stream handling limit. 2023-10-10T12:13:39+00:00 Maxim Dounin mdounin@mdounin.ru 2023-10-10T12:13:39+00:00 6ceef192e7af1c507826ac38a2d43f08bf265fb9 To ensure that attempts to flood servers with many streams are detected early, a limit of no more than 2 * max_concurrent_streams new streams per one event loop iteration was introduced. This limit is applied even if max_concurrent_streams is not yet reached - for example, if corresponding streams are handled synchronously or reset. Further, refused streams are now limited to maximum of max_concurrent_streams and 100, similarly to priority_limit initial value, providing some tolerance to clients trying to open several streams at the connection start, yet low tolerance to flooding attempts. 
To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.