nginx.git/src/http/v2, branch release-1.29.7 nginx Changed interface of ngx_http_validate_host(). 2025-11-26T15:51:40+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-05T12:15:12+00:00 6446f99107fff83469145b16983ebec99261a2db This allows to process a port subcomponent and save it in r->port in a unified way, similar to r->headers_in.server. For HTTP/1.x request line in the absolute form, r->host_end now includes a port subcomponent, which is also consistent with HTTP/2 and HTTP/3. 
This allows to process a port subcomponent and save it in r->port
in a unified way, similar to r->headers_in.server.  For HTTP/1.x
request line in the absolute form, r->host_end now includes a port
subcomponent, which is also consistent with HTTP/2 and HTTP/3.
HTTP/2: extended guard for NULL buffer and zero length. 2025-11-19T14:52:54+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-14T14:14:18+00:00 6ed1188411882086e3518eda779ab782d8ab4d3f In addition to moving memcpy() under the length condition in 15bf6d8cc, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow). 
In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).
Added $request_port and $is_request_port variables. 2025-10-23T14:40:05+00:00 Roman Arutyunyan arut@nginx.com 2025-09-29T16:47:27+00:00 c8c7beb96f61e2251abbc345357116131cf91c22 The $request_port variable contains the port passed by the client in the request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and HTTP/3). If the request line contains no host, or ":authority" is missing, then $request_port is taken from the "Host" header, similar to the $host variable. The $is_request_port variable contains ":" if $request_port is non-empty, and is empty otherwise. 
The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.
Updated ngx_http_process_multi_header_lines() comments. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-31T17:31:27+00:00 f4005126d78d19f1efd4f8fb4cad916d8976d97a Missed in fcf4331a0. 
Missed in fcf4331a0.
HTTP/2: fixed handling of the ":authority" header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:54:07+00:00 ede5623b1529131fcc3f994e6a6f0692954fa26b Previously, it misused the Host header processing resulting in 400 (Bad Request) errors for a valid request that contains both ":authority" and Host headers with the same value, treating it after 37984f0be as if client sent more than one Host header. Such an overly strict handling violates RFC 9113. The fix is to process ":authority" as a distinct header, similarly to processing an authority component in the HTTP/1.x request line. This allows to disambiguate and compare Host and ":authority" values after all headers were processed. With this change, the ngx_http_process_request_header() function can no longer be used here, certain parts were inlined similar to the HTTP/3 module. To provide compatibility for misconfigurations that use $http_host to return the value of the ":authority" header, the Host header, if missing, is now reconstructed from ":authority". 
Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".
HTTP/2: factored out constructing the Host header. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-23T10:32:34+00:00 a238bb3d22c251647d04cf07b35c218994ab1ff5 No functional changes. 
No functional changes.
HTTP/2: fixed flushing early hints over SSL. 2025-07-28T17:06:48+00:00 Roman Arutyunyan arut@nginx.com 2025-07-24T14:29:21+00:00 50932c3c6c1d2c442ef08241443162c7a3ed58b3 Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was queued in SSL buffer, and might not be immediately flushed. This resulted in a delay of early hints delivery until the main response was sent. The fix is to set the flush flag for the early hints HEADERS frame buffer. 
Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was
queued in SSL buffer, and might not be immediately flushed.  This resulted
in a delay of early hints delivery until the main response was sent.

The fix is to set the flush flag for the early hints HEADERS frame buffer.
Upstream: early hints support. 2025-06-19T06:19:57+00:00 Roman Arutyunyan arut@nginx.com 2024-11-15T04:23:53+00:00 662c1dd2a97afd6c7ca09b8f5a74347ee017b86b The change implements processing upstream early hints response in ngx_http_proxy_module and ngx_http_grpc_module. A new directive "early_hints" enables sending early hints to the client. By default, sending early hints is disabled. Example: map $http_sec_fetch_mode $early_hints { navigate $http2$http3; } early_hints $early_hints; proxy_pass http://example.com; 
The change implements processing upstream early hints response in
ngx_http_proxy_module and ngx_http_grpc_module.  A new directive
"early_hints" enables sending early hints to the client.  By default,
sending early hints is disabled.

Example:

    map $http_sec_fetch_mode $early_hints {
        navigate $http2$http3;
    }

    early_hints $early_hints;

    proxy_pass http://example.com;
HTTP/2: added function declaration. 2025-06-19T06:19:57+00:00 Roman Arutyunyan arut@nginx.com 2025-06-18T15:48:19+00:00 ea001feb10a294ccd53c896b9919f17f5cbda468 






Fixed -Wunterminated-string-initialization with gcc15.
2025-04-17T15:12:59+00:00

Roman Arutyunyan
arut@nginx.com

2025-04-16T12:56:44+00:00

444954abacef1d77f3dc6e9b1878684c7e6fe5b3