nginx.git/src/http/v2, branch release-1.28.3 nginx HTTP/2: extended guard for NULL buffer and zero length. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-14T14:14:18+00:00 2b502468588835e479fcd76a2cc0d00394f2c32c In addition to moving memcpy() under the length condition in 15bf6d8cc, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow). 
In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).
HTTP/2: fixed handling of the ":authority" header. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:54:07+00:00 62e757ec60b58b915d71c1d0630c8a6384a62287 Previously, it misused the Host header processing resulting in 400 (Bad Request) errors for a valid request that contains both ":authority" and Host headers with the same value, treating it after 37984f0be as if client sent more than one Host header. Such an overly strict handling violates RFC 9113. The fix is to process ":authority" as a distinct header, similarly to processing an authority component in the HTTP/1.x request line. This allows to disambiguate and compare Host and ":authority" values after all headers were processed. With this change, the ngx_http_process_request_header() function can no longer be used here, certain parts were inlined similar to the HTTP/3 module. To provide compatibility for misconfigurations that use $http_host to return the value of the ":authority" header, the Host header, if missing, is now reconstructed from ":authority". 
Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".
HTTP/2: factored out constructing the Host header. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:32:34+00:00 86dacb7ebe16cdac04c8b5317d4c91b7267b1e75 No functional changes. 
No functional changes.
Fixed -Wunterminated-string-initialization with gcc15. 2025-04-23T11:48:54+00:00 Roman Arutyunyan arut@nginx.com 2025-04-16T12:56:44+00:00 3a97c9616cfd7c4dd3a177cb2cb583301e80404c 






HTTP/2: close connections initialized during graceful shutdown.
2024-07-18T13:43:25+00:00

Kasei Wang
kasei@kasei.im

2024-07-18T13:43:25+00:00

145b228530c364452c14d3184f1eee5e09b324aa

In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.





In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.







HTTP/2: fixed buffer management with HTTP/2 auto-detection.
2023-10-21T14:48:24+00:00

Sergey Kandaurov
pluknet@nginx.com

2023-10-21T14:48:24+00:00

b19bc2e0fa60100ee8170acf161bc9b8f01cce26

As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.





As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.







HTTP/2: per-iteration stream handling limit.
2023-10-10T12:13:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-10-10T12:13:39+00:00

6ceef192e7af1c507826ac38a2d43f08bf265fb9

To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.





To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.







HTTP/2: removed server push (ticket #2432).
2023-06-08T12:56:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2023-06-08T12:56:46+00:00

6915d2fb2e88e0c339fe37b37ce14f5fe446c1c6

Although it has better implementation status than HTTP/3 server push,
it remains of limited use, with adoption numbers seen as negligible.
Per IETF 102 materials, server push was used only in 0.04% of sessions.
It was considered to be "difficult to use effectively" in RFC 9113.
Its use is further limited by badly matching to fetch/cache/connection
models in browsers, see related discussions linked from [1].

Server push was disabled in Chrome 106 [2].

The http2_push, http2_push_preload, and http2_max_concurrent_pushes
directives are made obsolete.  In particular, this essentially reverts
7201:641306096f5b and 7207:3d2b0b02bd3d.

[1] https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/
[2] https://chromestatus.com/feature/6302414934114304





Although it has better implementation status than HTTP/3 server push,
it remains of limited use, with adoption numbers seen as negligible.
Per IETF 102 materials, server push was used only in 0.04% of sessions.
It was considered to be "difficult to use effectively" in RFC 9113.
Its use is further limited by badly matching to fetch/cache/connection
models in browsers, see related discussions linked from [1].

Server push was disabled in Chrome 106 [2].

The http2_push, http2_push_preload, and http2_max_concurrent_pushes
directives are made obsolete.  In particular, this essentially reverts
7201:641306096f5b and 7207:3d2b0b02bd3d.

[1] https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/
[2] https://chromestatus.com/feature/6302414934114304







HTTP/2: "http2" directive.
2023-05-16T12:30:08+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-16T12:30:08+00:00

aefd862ab197c3ab49001fcf69be478aab5b0f4e

The directive enables HTTP/2 in the current server.  The previous way to
enable HTTP/2 via "listen ... http2" is now deprecated.  The new approach
allows to share HTTP/2 and HTTP/0.9-1.1 on the same port.

For SSL connections, HTTP/2 is now selected by ALPN callback based on whether
the protocol is enabled in the virtual server chosen by SNI.  This however only
works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback.
For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual
server configuration.

For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if
HTTP/2 is enabled in the default virtual server.  If preface is not matched,
HTTP/0.9-1.1 is assumed.





The directive enables HTTP/2 in the current server.  The previous way to
enable HTTP/2 via "listen ... http2" is now deprecated.  The new approach
allows to share HTTP/2 and HTTP/0.9-1.1 on the same port.

For SSL connections, HTTP/2 is now selected by ALPN callback based on whether
the protocol is enabled in the virtual server chosen by SNI.  This however only
works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback.
For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual
server configuration.

For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if
HTTP/2 is enabled in the default virtual server.  If preface is not matched,
HTTP/0.9-1.1 is assumed.







HTTP/2: finalize request as bad if header validation fails.
2023-03-10T03:47:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-03-10T03:47:53+00:00

ff9e426337b84ed1d9ff3bbd17e7d7632c7ba19d

Similarly to 7192:d5a535774861, this avoids spurious zero statuses
in access.log, and in line with other header-related errors.





Similarly to 7192:d5a535774861, this avoids spurious zero statuses
in access.log, and in line with other header-related errors.