nginx.git/src/http/v3/ngx_http_v3_request.c, branch release-1.28.2 nginx HTTP/3: fixed handling of :authority and Host with port. 2025-12-23T18:40:33+00:00 Roman Arutyunyan arut@nginx.com 2025-06-26T16:19:59+00:00 bbf65b6e87dfc7f3a42651a55406e214a783808c RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host coexistence in an HTTP/3 request: : If both fields are present, they MUST contain the same value. Previously, this restriction was correctly enforced only for portless values. When Host contained a port, the request failed as if :authority and Host were different, regardless of :authority presence. This happens because the value of r->headers_in.server used for :authority has port stripped. The fix is to use r->host_start / r->host_end instead. 
RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:

: If both fields are present, they MUST contain the same value.

Previously, this restriction was correctly enforced only for portless
values.  When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.

This happens because the value of r->headers_in.server used for :authority
has port stripped.  The fix is to use r->host_start / r->host_end instead.
HTTP/3: decoder stream pre-creation. 2024-05-28T13:18:28+00:00 Roman Arutyunyan arut@nginx.com 2024-05-28T13:18:28+00:00 0fd59c8b565c4577f7c25b9e6450bd311d18f5e2 Previously a decoder stream was created on demand for sending Section Acknowledgement, Stream Cancellation and Insert Count Increment. If conditions for sending any of these instructions never happen, a decoder stream is not created at all. These conditions include client not using the dynamic table and no streams abandoned by server (RFC 9204, Section 2.2.2.2). However RFC 9204, Section 4.2 defines only one condition for not creating a decoder stream: An endpoint MAY avoid creating a decoder stream if its decoder sets the maximum capacity of the dynamic table to zero. The change enables pre-creation of the decoder stream at HTTP/3 session initialization if maximum dynamic table capacity is not zero. Note that this value is currently hardcoded to 4096 bytes and is not configurable, so the stream is now always created. Also, the change fixes a potential stack overflow when creating a decoder stream in ngx_http_v3_send_cancel_stream() while draining a request stream by ngx_drain_connections(). Creating a decoder stream involves calling ngx_get_connection(), which calls ngx_drain_connections(), which will drain the same request stream again. If client's MAX_STREAMS for uni stream is high enough, these recursive calls will continue until we run out of stack. Otherwise, decoder stream creation will fail at some point and the request stream connection will be drained. This may result in use-after-free, since this connection could still be referenced up the stack. 
Previously a decoder stream was created on demand for sending Section
Acknowledgement, Stream Cancellation and Insert Count Increment.  If conditions
for sending any of these instructions never happen, a decoder stream is not
created at all.  These conditions include client not using the dynamic table and
no streams abandoned by server (RFC 9204, Section 2.2.2.2).  However RFC 9204,
Section 4.2 defines only one condition for not creating a decoder stream:

   An endpoint MAY avoid creating a decoder stream if its decoder sets
   the maximum capacity of the dynamic table to zero.

The change enables pre-creation of the decoder stream at HTTP/3 session
initialization if maximum dynamic table capacity is not zero.  Note that this
value is currently hardcoded to 4096 bytes and is not configurable, so the
stream is now always created.

Also, the change fixes a potential stack overflow when creating a decoder
stream in ngx_http_v3_send_cancel_stream() while draining a request stream by
ngx_drain_connections().  Creating a decoder stream involves calling
ngx_get_connection(), which calls ngx_drain_connections(), which will drain the
same request stream again.  If client's MAX_STREAMS for uni stream is high
enough, these recursive calls will continue until we run out of stack.
Otherwise, decoder stream creation will fail at some point and the request
stream connection will be drained.  This may result in use-after-free, since
this connection could still be referenced up the stack.
HTTP/3: fixed handling of malformed request body length. 2024-05-03T16:28:32+00:00 Sergey Kandaurov pluknet@nginx.com 2024-05-03T16:28:32+00:00 a7e3cd52e0a03286267177aa9b88d64232fbaeaf Previously, a request body larger than declared in Content-Length resulted in a 413 status code, because Content-Length was mistakenly used as the maximum allowed request body, similar to client_max_body_size. Following the HTTP/3 specification, such requests are now rejected with the 400 error as malformed. 
Previously, a request body larger than declared in Content-Length resulted in
a 413 status code, because Content-Length was mistakenly used as the maximum
allowed request body, similar to client_max_body_size.  Following the HTTP/3
specification, such requests are now rejected with the 400 error as malformed.
HTTP/3: postponed session creation to init() callback. 2023-09-14T10:13:43+00:00 Roman Arutyunyan arut@nginx.com 2023-09-14T10:13:43+00:00 26e606a6bcdfa4001bfb6bd24612e8aafa6513b2 Now the session object is assigned to c->data while ngx_http_connection_t object is referenced by its http_connection field, similar to ngx_http_v2_connection_t and ngx_http_request_t. The change allows to eliminate v3_session field from ngx_http_connection_t. The field was under NGX_HTTP_V3 macro, which was a source of binary compatibility problems when nginx/module is build with/without HTTP/3 support. Postponing is essential since c->data should retain the reference to ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this. 
Now the session object is assigned to c->data while ngx_http_connection_t
object is referenced by its http_connection field, similar to
ngx_http_v2_connection_t and ngx_http_request_t.

The change allows to eliminate v3_session field from ngx_http_connection_t.
The field was under NGX_HTTP_V3 macro, which was a source of binary
compatibility problems when nginx/module is build with/without HTTP/3 support.

Postponing is essential since c->data should retain the reference to
ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks
ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this.
HTTP/3: moved variable initialization. 2023-09-13T13:57:13+00:00 Roman Arutyunyan arut@nginx.com 2023-09-13T13:57:13+00:00 ec37134416d4fd98d8cb8f02776a711c50398684 






QUIC: "handshake_timeout" configuration parameter.
2023-09-13T13:59:37+00:00

Roman Arutyunyan
arut@nginx.com

2023-09-13T13:59:37+00:00

33dca887925d9cec7153252dcd5380c394090936

Previously QUIC did not have such parameter and handshake duration was
controlled by HTTP/3.  However that required creating and storing HTTP/3
session on first client datagram.  Apparently there's no convenient way to
store the session object until QUIC handshake is complete.  In the followup
patches session creation will be postponed to init() callback.





Previously QUIC did not have such parameter and handshake duration was
controlled by HTTP/3.  However that required creating and storing HTTP/3
session on first client datagram.  Apparently there's no convenient way to
store the session object until QUIC handshake is complete.  In the followup
patches session creation will be postponed to init() callback.







HTTP/3: removed "http3" parameter of "listen" directive.
2023-05-11T09:22:10+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-11T09:22:10+00:00

2ce3eeeeb76318e414b62d399da70872d2de23d8

The parameter has been deprecated since c851a2ed5ce8.





The parameter has been deprecated since c851a2ed5ce8.







HTTP/3: "quic" parameter of "listen" directive.
2023-02-27T10:00:56+00:00

Roman Arutyunyan
arut@nginx.com

2023-02-27T10:00:56+00:00

815ef96124176baef4e940c4beaec158305b368a

Now "listen" directve has a new "quic" parameter which enables QUIC protocol
for the address.  Further, to enable HTTP/3, a new directive "http3" is
introduced.  The hq-interop protocol is enabled by "http3_hq" as before.
Now application protocol is chosen by ALPN.

Previously used "http3" parameter of "listen" is deprecated.





Now "listen" directve has a new "quic" parameter which enables QUIC protocol
for the address.  Further, to enable HTTP/3, a new directive "http3" is
introduced.  The hq-interop protocol is enabled by "http3_hq" as before.
Now application protocol is chosen by ALPN.

Previously used "http3" parameter of "listen" is deprecated.







HTTP/3: insert count block timeout.
2023-01-05T15:03:22+00:00

Roman Arutyunyan
arut@nginx.com

2023-01-05T15:03:22+00:00

0065ba68b08b8cf4eaf3c18266d1a93182f196ed

Previously, there was no timeout for a request stream blocked on insert count,
which could result in infinite wait.  Now client_header_timeout is set when
stream is first blocked.





Previously, there was no timeout for a request stream blocked on insert count,
which could result in infinite wait.  Now client_header_timeout is set when
stream is first blocked.







HTTP/3: trigger 400 (Bad Request) on stream error while blocked.
2023-01-05T14:15:46+00:00

Roman Arutyunyan
arut@nginx.com

2023-01-05T14:15:46+00:00

faa655f211612fcdac938d58095a4ab7f03969a9

Previously, stream was closed with NGX_HTTP_CLOSE.  However, in a similar case
when recv() returns eof or error, status 400 is triggered.





Previously, stream was closed with NGX_HTTP_CLOSE.  However, in a similar case
when recv() returns eof or error, status 400 is triggered.