nginx.git/src/http/v2, branch release-1.21.1 nginx Disabled control characters and space in header names. 2021-06-28T15:01:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:18+00:00 9ab4d368af63e9c4a0bebc0eda82d668adaa560a Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in header names. The only somewhat valid use is header continuation which nginx never supported and which is explicitly obsolete by RFC 7230. Previously, such headers were considered invalid and were ignored by default (as per ignore_invalid_headers directive). With this change, such headers are unconditionally rejected. It is expected to make nginx more resilient to various attacks, in particular, with ignore_invalid_headers switched off (which is inherently unsecure, though nevertheless sometimes used in the wild). 
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names.  The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.

Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive).  With this change, such headers
are unconditionally rejected.

It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).
Added CONNECT method rejection. 2021-06-28T15:01:04+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:04+00:00 5f85bb3714a81d158f4d849ad5c61aec2737a9f0 No valid CONNECT requests are expected to appear within nginx, since it is not a forward proxy. Further, request line parsing will reject proper CONNECT requests anyway, since we don't allow authority-form of request-target. On the other hand, RFC 7230 specifies separate message length rules for CONNECT which we don't support, so make sure to always reject CONNECTs to avoid potential abuse. 
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy.  Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target.  On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
Introduced the "keepalive_time" directive. 2021-04-07T21:15:48+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-07T21:15:48+00:00 d9996d6f27150bfb9c9c00d77fac940712aa1d28 Similar to lingering_time, it limits total connection lifetime before keepalive is switched off. The default is 1 hour, which is close to the total maximum connection lifetime possible with default keepalive_requests and keepalive_timeout. 
Similar to lingering_time, it limits total connection lifetime before
keepalive is switched off.  The default is 1 hour, which is close to
the total maximum connection lifetime possible with default
keepalive_requests and keepalive_timeout.
HTTP/2: relaxed PRIORITY frames limit. 2021-04-06T23:03:29+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-06T23:03:29+00:00 5599731c00bd152f765c7cea24a7d257bf13320c Firefox uses several idle streams for PRIORITY frames[1], and "http2_max_concurrent_streams 1;" results in "client sent too many PRIORITY frames" errors when a connection is established by Firefox. Fix is to relax the PRIORITY frames limit to use at least 100 as the initial value (which is the recommended by the HTTP/2 protocol minimum limit on the number of concurrent streams, so it is not unreasonable for clients to assume that similar number of idle streams can be used for prioritization). [1] https://hg.mozilla.org/mozilla-central/file/32a9e6e145d6e3071c3993a20bb603a2f388722b/netwerk/protocol/http/Http2Stream.cpp#l1270 
Firefox uses several idle streams for PRIORITY frames[1], and
"http2_max_concurrent_streams 1;" results in "client sent too many
PRIORITY frames" errors when a connection is established by Firefox.

Fix is to relax the PRIORITY frames limit to use at least 100 as
the initial value (which is the recommended by the HTTP/2 protocol
minimum limit on the number of concurrent streams, so it is not
unreasonable for clients to assume that similar number of idle streams
can be used for prioritization).

[1] https://hg.mozilla.org/mozilla-central/file/32a9e6e145d6e3071c3993a20bb603a2f388722b/netwerk/protocol/http/Http2Stream.cpp#l1270
HTTP/2: improved handling of "keepalive_timeout 0". 2021-03-25T22:44:57+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-25T22:44:57+00:00 1f5271cd61a102514070c0d22ce5001cf0a70d61 Without explicit handling, a zero timer was actually added, leading to multiple unneeded syscalls. Further, sending GOAWAY frame early might be beneficial for clients. Reported by Sergey Kandaurov. 
Without explicit handling, a zero timer was actually added, leading to
multiple unneeded syscalls.  Further, sending GOAWAY frame early might
be beneficial for clients.

Reported by Sergey Kandaurov.
HTTP/2: client_header_timeout before first request (ticket #2142). 2021-03-01T14:31:28+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-01T14:31:28+00:00 0f5d0c5798eacb60407bcf0a76fc0b2c39e356bb With this change, behaviour of HTTP/2 becomes even closer to HTTP/1.x, and client_header_timeout instead of keepalive_timeout is used before the first request is received. This fixes HTTP/2 connections being closed even before the first request if "keepalive_timeout 0;" was used in the configuration; the problem appeared in f790816a0e87 (1.19.7). 
With this change, behaviour of HTTP/2 becomes even closer to HTTP/1.x,
and client_header_timeout instead of keepalive_timeout is used before
the first request is received.

This fixes HTTP/2 connections being closed even before the first request
if "keepalive_timeout 0;" was used in the configuration; the problem
appeared in f790816a0e87 (1.19.7).
HTTP/2: removed http2_max_field_size and http2_max_header_size. 2021-02-11T18:52:26+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-11T18:52:26+00:00 51fea093e4374dbd857dc437ff9588060ef56471 Instead, size of one large_client_header_buffers buffer and all large client header buffers are used. 
Instead, size of one large_client_header_buffers buffer and all large
client header buffers are used.
HTTP/2: keepalive_timeout now armed once between requests. 2021-02-11T18:52:24+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-11T18:52:24+00:00 94567a8f849c02c70ee7f51307fa0372c94c925b Previously, PINGs and other frames extended possible keepalive time, making it possible to keep an open HTTP/2 connection for a long time. Now the connection is always closed as long as keepalive_timeout expires, similarly to how it happens in HTTP/1.x. Note that as a part of this change, incomplete frames are no longer trigger a separate timeout, so http2_recv_timeout (replaced by client_header_timeout in previous patches) is essentially cancelled. The client_header_timeout is, however, used for SSL handshake and while reading HEADERS frames. 
Previously, PINGs and other frames extended possible keepalive time,
making it possible to keep an open HTTP/2 connection for a long time.
Now the connection is always closed as long as keepalive_timeout expires,
similarly to how it happens in HTTP/1.x.

Note that as a part of this change, incomplete frames are no longer
trigger a separate timeout, so http2_recv_timeout (replaced by
client_header_timeout in previous patches) is essentially cancelled.
The client_header_timeout is, however, used for SSL handshake and
while reading HEADERS frames.
HTTP/2: removed http2_idle_timeout and http2_max_requests. 2021-02-11T18:52:23+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-11T18:52:23+00:00 49ab3312448495f0ee8e00143a29624dde46ef5c Instead, keepalive_timeout and keepalive_requests are now used. This is expected to simplify HTTP/2 code and usage. This also matches directives used by upstream module for all protocols. In case of default settings, this effectively changes maximum number of requests per connection from 1000 to 100. This looks acceptable, especially given that HTTP/2 code now properly supports lingering close. Further, this changes default keepalive timeout in HTTP/2 from 300 seconds to 75 seconds. This also looks acceptable, and larger than PING interval used by Firefox (network.http.spdy.ping-threshold defaults to 58s), the only browser to use PINGs. 
Instead, keepalive_timeout and keepalive_requests are now used.  This
is expected to simplify HTTP/2 code and usage.  This also matches
directives used by upstream module for all protocols.

In case of default settings, this effectively changes maximum number
of requests per connection from 1000 to 100.  This looks acceptable,
especially given that HTTP/2 code now properly supports lingering close.

Further, this changes default keepalive timeout in HTTP/2 from 300 seconds
to 75 seconds.  This also looks acceptable, and larger than PING interval
used by Firefox (network.http.spdy.ping-threshold defaults to 58s),
the only browser to use PINGs.
HTTP/2: removed http2_recv_timeout. 2021-02-11T18:52:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-11T18:52:20+00:00 d18e066d650bff39f1705d3038804873584007af Instead, the client_header_timeout is now used for HTTP/2 reading. Further, the timeout is changed to be set once till no further data left to read, similarly to how client_header_timeout is used in other places. 
Instead, the client_header_timeout is now used for HTTP/2 reading.
Further, the timeout is changed to be set once till no further data
left to read, similarly to how client_header_timeout is used in other
places.