nginx.git/src/http/v2, branch release-1.29.2 nginx Updated ngx_http_process_multi_header_lines() comments. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-31T17:31:27+00:00 f4005126d78d19f1efd4f8fb4cad916d8976d97a Missed in fcf4331a0. 
Missed in fcf4331a0.
HTTP/2: fixed handling of the ":authority" header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:54:07+00:00 ede5623b1529131fcc3f994e6a6f0692954fa26b Previously, it misused the Host header processing resulting in 400 (Bad Request) errors for a valid request that contains both ":authority" and Host headers with the same value, treating it after 37984f0be as if client sent more than one Host header. Such an overly strict handling violates RFC 9113. The fix is to process ":authority" as a distinct header, similarly to processing an authority component in the HTTP/1.x request line. This allows to disambiguate and compare Host and ":authority" values after all headers were processed. With this change, the ngx_http_process_request_header() function can no longer be used here, certain parts were inlined similar to the HTTP/3 module. To provide compatibility for misconfigurations that use $http_host to return the value of the ":authority" header, the Host header, if missing, is now reconstructed from ":authority". 
Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".
HTTP/2: factored out constructing the Host header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:32:34+00:00 a238bb3d22c251647d04cf07b35c218994ab1ff5 No functional changes. 
No functional changes.
HTTP/2: fixed flushing early hints over SSL. 2025-07-28T17:06:48+00:00 Roman Arutyunyan arut@nginx.com 2025-07-24T14:29:21+00:00 50932c3c6c1d2c442ef08241443162c7a3ed58b3 Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was queued in SSL buffer, and might not be immediately flushed. This resulted in a delay of early hints delivery until the main response was sent. The fix is to set the flush flag for the early hints HEADERS frame buffer. 
Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was
queued in SSL buffer, and might not be immediately flushed.  This resulted
in a delay of early hints delivery until the main response was sent.

The fix is to set the flush flag for the early hints HEADERS frame buffer.
Upstream: early hints support. 2025-06-19T06:19:57+00:00 Roman Arutyunyan arut@nginx.com 2024-11-15T04:23:53+00:00 662c1dd2a97afd6c7ca09b8f5a74347ee017b86b The change implements processing upstream early hints response in ngx_http_proxy_module and ngx_http_grpc_module. A new directive "early_hints" enables sending early hints to the client. By default, sending early hints is disabled. Example: map $http_sec_fetch_mode $early_hints { navigate $http2$http3; } early_hints $early_hints; proxy_pass http://example.com; 
The change implements processing upstream early hints response in
ngx_http_proxy_module and ngx_http_grpc_module.  A new directive
"early_hints" enables sending early hints to the client.  By default,
sending early hints is disabled.

Example:

    map $http_sec_fetch_mode $early_hints {
        navigate $http2$http3;
    }

    early_hints $early_hints;

    proxy_pass http://example.com;
HTTP/2: added function declaration. 2025-06-19T06:19:57+00:00 Roman Arutyunyan arut@nginx.com 2025-06-18T15:48:19+00:00 ea001feb10a294ccd53c896b9919f17f5cbda468 






Fixed -Wunterminated-string-initialization with gcc15.
2025-04-17T15:12:59+00:00

Roman Arutyunyan
arut@nginx.com

2025-04-16T12:56:44+00:00

444954abacef1d77f3dc6e9b1878684c7e6fe5b3












HTTP/2: close connections initialized during graceful shutdown.
2024-07-18T13:43:25+00:00

Kasei Wang
kasei@kasei.im

2024-07-18T13:43:25+00:00

145b228530c364452c14d3184f1eee5e09b324aa

In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.





In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.







HTTP/2: fixed buffer management with HTTP/2 auto-detection.
2023-10-21T14:48:24+00:00

Sergey Kandaurov
pluknet@nginx.com

2023-10-21T14:48:24+00:00

b19bc2e0fa60100ee8170acf161bc9b8f01cce26

As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.





As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.







HTTP/2: per-iteration stream handling limit.
2023-10-10T12:13:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-10-10T12:13:39+00:00

6ceef192e7af1c507826ac38a2d43f08bf265fb9

To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.





To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.