nginx.git/src, branch release-1.29.5 nginx Upstream: reinit upstream after reading bad response. 2026-02-04T15:09:20+00:00 Roman Arutyunyan arut@nginx.com 2026-01-28T16:38:38+00:00 d7a249470b78a155c7548aea5f4eb959dae9fd03 Previously, when connecting to a backend, if the read event handler was called before the write event handler, and the received response triggered a next upstream condition, then ngx_http_upstream_reinit() was not called to clean up the old upstream context. This had multiple implications. For all proxy modules, since the last upstream response was not cleaned up, it was mixed with the next upstream response. This could result in ignoring the second response status code, duplicate response headers or reporting old upstream header errors. With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection was left dangling since the object it referenced was allocated from the last upstream connection pool, which was deleted when freeing last upstream. This lead to use-after-free when trying to reuse this object for the next upstream. 
Previously, when connecting to a backend, if the read event handler was
called before the write event handler, and the received response triggered
a next upstream condition, then ngx_http_upstream_reinit() was not called
to clean up the old upstream context.  This had multiple implications.

For all proxy modules, since the last upstream response was not cleaned up,
it was mixed with the next upstream response.  This could result in ignoring
the second response status code, duplicate response headers or reporting
old upstream header errors.

With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection
was left dangling since the object it referenced was allocated from the
last upstream connection pool, which was deleted when freeing last upstream.
This lead to use-after-free when trying to reuse this object for the next
upstream.
Upstream: detect premature plain text response from SSL backend. 2026-02-04T15:09:20+00:00 Roman Arutyunyan arut@nginx.com 2026-01-29T09:27:32+00:00 a59f5f099a89dc8eaebd48077292313f9f7e33e3 When connecting to a backend, the connection write event is triggered first in most cases. However if a response arrives quickly enough, both read and write events can be triggered together within the same event loop iteration. In this case the read event handler is called first and the write event handler is called after it. SSL initialization for backend connections happens only in the write event handler since SSL handshake starts with sending Client Hello. Previously, if a backend sent a quick plain text response, it could be parsed by the read event handler prior to starting SSL handshake on the connection. The change adds protection against parsing such responses on SSL-enabled connections. 
When connecting to a backend, the connection write event is triggered
first in most cases.  However if a response arrives quickly enough, both
read and write events can be triggered together within the same event loop
iteration.  In this case the read event handler is called first and the
write event handler is called after it.

SSL initialization for backend connections happens only in the write event
handler since SSL handshake starts with sending Client Hello.  Previously,
if a backend sent a quick plain text response, it could be parsed by the
read event handler prior to starting SSL handshake on the connection.
The change adds protection against parsing such responses on SSL-enabled
connections.
Output chain: clear the last_buf flag unless inherited. 2026-01-29T10:52:41+00:00 Sergey Kandaurov pluknet@nginx.com 2025-12-24T21:21:52+00:00 3afd85e4b5cbb0c49608b04e06ea7b5ef97b3308 For instance, the last_buf flag is used in the http proxy module when creating HTTP/2 requests to indicate the output is closed. The flag is inherited in ngx_output_chain() to a destination buffer when reading the buffered request body. Then it is used in the proxy output filter to mark the last HTTP/2 DATA frame with END_STREAM. The problem happens when reusing the destination buffer, such as to re-read the buffered request body on next upstream, because this buffer may contain a dirty last_buf value, which breaks sending HTTP/2 request body in multiple output filter calls. The flush and last_in_chain flags are cleared for consistency. 
For instance, the last_buf flag is used in the http proxy module when
creating HTTP/2 requests to indicate the output is closed.  The flag
is inherited in ngx_output_chain() to a destination buffer when reading
the buffered request body.  Then it is used in the proxy output filter
to mark the last HTTP/2 DATA frame with END_STREAM.

The problem happens when reusing the destination buffer, such as to
re-read the buffered request body on next upstream, because this buffer
may contain a dirty last_buf value, which breaks sending HTTP/2 request
body in multiple output filter calls.

The flush and last_in_chain flags are cleared for consistency.
Proxy: fixed sending HTTP/2 buffered request body on next upstream. 2026-01-29T10:52:41+00:00 Sergey Kandaurov pluknet@nginx.com 2025-12-24T18:59:40+00:00 cd12dc4f12489257e851654ec1883cf06fa0b095 If a buffered request body wasn't fully sent, such as on early upstream response or limited by flow control, unsent buffers could remain in the input or busy chains when switching to the next upstream server. This resulted either in the invalid request sent or a stalled connection. The fix is to reset chains similar to ngx_http_upstream_reinit(). 
If a buffered request body wasn't fully sent, such as on early upstream
response or limited by flow control, unsent buffers could remain in the
input or busy chains when switching to the next upstream server.  This
resulted either in the invalid request sent or a stalled connection.

The fix is to reset chains similar to ngx_http_upstream_reinit().
Range filter: reasonable limit on multiple ranges. 2026-01-21T16:39:00+00:00 Sergey Kandaurov pluknet@nginx.com 2026-01-13T12:51:07+00:00 cb9252ae6537d8c24addcf0822267804fc73db43 A total response length with multiple ranges can be larger than the source response size due to multipart boundary headers. This change extends max ranges limit imposed in c2c3e3105 (1.1.2) by accounting boundary headers. Notably, this covers suspicious requests with a lot of small ranges that have an increased processing overhead and are susceptible to range based amplification attacks. The limit disables ranges as long as a total response length comes close to the source size, additionally penalizing small size ranges on a large source size where a processing overhead prevails, while leaving a room for more ranges on a small source size, such that it should not affect well-behaving applications. The limit can be altered with the "max_ranges" directive. Closes #988 on GitHub. 
A total response length with multiple ranges can be larger than the
source response size due to multipart boundary headers.  This change
extends max ranges limit imposed in c2c3e3105 (1.1.2) by accounting
boundary headers.  Notably, this covers suspicious requests with a
lot of small ranges that have an increased processing overhead and
are susceptible to range based amplification attacks.

The limit disables ranges as long as a total response length comes
close to the source size, additionally penalizing small size ranges
on a large source size where a processing overhead prevails, while
leaving a room for more ranges on a small source size, such that it
should not affect well-behaving applications.  The limit can be
altered with the "max_ranges" directive.

Closes #988 on GitHub.
Uwsgi: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 8ea6eb5108f72f40975a812fa084703b21198cb4 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.
SCGI: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 d8d092a49da88c42b192b7b5d88f7e628ab30560 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.
FastCGI: ensure HTTP_HOST is set to the requested target host. 2026-01-15T23:04:38+00:00 Andrew Clayton a.clayton@nginx.com 2025-12-13T07:05:27+00:00 71b18973b2b5ea29ed27b47fc0e619b4df533b60 Previously, the HTTP_HOST environment variable was constructed from the Host request header field, which doesn't work well with HTTP/2 and HTTP/3 where Host may be supplanted by the ":authority" pseudo-header field per RFC 9110, section 7.2. Also, it might give an incorrect HTTP_HOST value from HTTP/1.x requests given in the absolute form, in which case the Host header must be ignored by the server, per RFC 9112, section 3.2.2. The fix is to redefine the HTTP_HOST default from a protocol-specific value given in the $host variable. This will now use the Host request header field, ":authority" pseudo-header field, or request line target URI depending on request HTTP version. Also the CGI specification (RFC 3875, 4.1.18) notes The server SHOULD set meta-variables specific to the protocol and scheme for the request. Interpretation of protocol-specific variables depends on the protocol version in SERVER_PROTOCOL. Closes: https://github.com/nginx/nginx/issues/256 Closes: https://github.com/nginx/nginx/issues/455 Closes: https://github.com/nginx/nginx/issues/912 
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.

The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.

Also the CGI specification (RFC 3875, 4.1.18) notes

  The server SHOULD set meta-variables specific to the protocol and
  scheme for the request. Interpretation of protocol-specific
  variables depends on the protocol version in SERVER_PROTOCOL.

Closes: https://github.com/nginx/nginx/issues/256
Closes: https://github.com/nginx/nginx/issues/455
Closes: https://github.com/nginx/nginx/issues/912
Win32: fixed C4319 warning with MSVC 2022 x86. 2025-12-24T18:41:43+00:00 Aleksei Bavshin a.bavshin@nginx.com 2025-12-23T18:44:13+00:00 6a67f71a4a78edb662c190af93ac6d3d680e107a The warning started to appear in Visual Studio 2022 version 17.14.21, which corresponds to the C/C++ compiler version 19.44.35221. The appropriate fix is to avoid mixing uint64_t and ngx_uint_t in an expression with bitwise operations. We can do that here because both the original shm->size value and the result of the expression are 32-bit platform words. 
The warning started to appear in Visual Studio 2022 version 17.14.21,
which corresponds to the C/C++ compiler version 19.44.35221.

The appropriate fix is to avoid mixing uint64_t and ngx_uint_t in an
expression with bitwise operations.  We can do that here because both
the original shm->size value and the result of the expression are 32-bit
platform words.
SSL: logging level of the "ech_required" TLS alert. 2025-12-17T09:49:06+00:00 Roman Arutyunyan arut@nginx.com 2025-12-16T13:53:12+00:00 0609736a92a72d269119c5bab1e518c4d9fb54da The alert is send by a client after its ECH configuration was rejected by a server. 
The alert is send by a client after its ECH configuration was rejected by
a server.