nginx.git/src/http, branch release-1.29.1 nginx Auth basic: fixed file descriptor leak on memory allocation error. 2025-08-11T16:57:47+00:00 Sergey Kandaurov pluknet@nginx.com 2025-08-08T15:44:27+00:00 034f15bbc251ed72018d8396e7eeb3bf30fd789b Found by Coverity (CID 1662016). 
Found by Coverity (CID 1662016).
SSL: support for compressed server certificates with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-09T15:02:09+00:00 251444fcf4434bfddbe3394a568c51d4f7bd857f The ssl_certificate_compression directive allows to send compressed server certificates. In OpenSSL, they are pre-compressed on startup. To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option is automatically cleared if certificates were pre-compressed. SSL_CTX_compress_certs() may return an error in legitimate cases, e.g., when none of compression algorithms is available or if the resulting compressed size is larger than the original one, thus it is silently ignored. Certificate compression is supported in Chrome with brotli only, in Safari with zlib only, and in Firefox with all listed algorithms. It is supported since Ubuntu 24.10, which has OpenSSL with enabled zlib and zstd support. The actual list of algorithms supported in OpenSSL depends on how the library was configured; it can be brotli, zlib, zstd as listed in RFC 8879. 
The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.
Updated ngx_http_process_multi_header_lines() comments. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-31T17:31:27+00:00 f4005126d78d19f1efd4f8fb4cad916d8976d97a Missed in fcf4331a0. 
Missed in fcf4331a0.
HTTP/3: improved invalid ":authority" error message. 2025-08-03T06:07:07+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-30T13:43:44+00:00 372659114ed9b7a406093890ec2bdf437925ce64 






Made ngx_http_process_request_header() static again.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T11:56:37+00:00

4d857aaf435975d3c34e41d7a9cb50c0f87879ec

The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.





The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.







HTTP/2: fixed handling of the ":authority" header.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T10:54:07+00:00

ede5623b1529131fcc3f994e6a6f0692954fa26b

Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".





Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".







HTTP/2: factored out constructing the Host header.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T10:32:34+00:00

a238bb3d22c251647d04cf07b35c218994ab1ff5

No functional changes.





No functional changes.







HTTP/2: fixed flushing early hints over SSL.
2025-07-28T17:06:48+00:00

Roman Arutyunyan
arut@nginx.com

2025-07-24T14:29:21+00:00

50932c3c6c1d2c442ef08241443162c7a3ed58b3

Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was
queued in SSL buffer, and might not be immediately flushed.  This resulted
in a delay of early hints delivery until the main response was sent.

The fix is to set the flush flag for the early hints HEADERS frame buffer.





Previously, when using HTTP/2 over SSL, an early hints HEADERS frame was
queued in SSL buffer, and might not be immediately flushed.  This resulted
in a delay of early hints delivery until the main response was sent.

The fix is to set the flush flag for the early hints HEADERS frame buffer.







HTTP/3: fixed handling of :authority and Host with port.
2025-07-24T16:15:55+00:00

Roman Arutyunyan
arut@nginx.com

2025-06-26T16:19:59+00:00

4da771108282cd233ddc37f83ba8bd01981beeb7

RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:

: If both fields are present, they MUST contain the same value.

Previously, this restriction was correctly enforced only for portless
values.  When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.

This happens because the value of r->headers_in.server used for :authority
has port stripped.  The fix is to use r->host_start / r->host_end instead.





RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:

: If both fields are present, they MUST contain the same value.

Previously, this restriction was correctly enforced only for portless
values.  When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.

This happens because the value of r->headers_in.server used for :authority
has port stripped.  The fix is to use r->host_start / r->host_end instead.







HTTP/3: fixed potential type overflow in string literal parser.
2025-07-23T13:24:43+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-09-05T15:35:43+00:00

3739fe94d1c3c844708b219776f1921bff16b56f

This might happen for Huffman encoded string literals as the result
of length expansion.  Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.





This might happen for Huffman encoded string literals as the result
of length expansion.  Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.