diff options
| author | Andrew Clayton <a.clayton@nginx.com> | 2025-12-13 07:05:27 +0000 |
|---|---|---|
| committer | Andrew Clayton <a.clayton@nginx.com> | 2026-01-15 23:04:38 +0000 |
| commit | 71b18973b2b5ea29ed27b47fc0e619b4df533b60 (patch) | |
| tree | b92ff0db9a6f4f8ffcb671b3a86465cb6eec7697 /src/http/modules | |
| parent | 6a67f71a4a78edb662c190af93ac6d3d680e107a (diff) | |
| download | nginx-71b18973b2b5ea29ed27b47fc0e619b4df533b60.tar.gz nginx-71b18973b2b5ea29ed27b47fc0e619b4df533b60.tar.bz2 | |
FastCGI: ensure HTTP_HOST is set to the requested target host.
Previously, the HTTP_HOST environment variable was constructed from the
Host request header field, which doesn't work well with HTTP/2 and
HTTP/3 where Host may be supplanted by the ":authority" pseudo-header
field per RFC 9110, section 7.2. Also, it might give an incorrect
HTTP_HOST value from HTTP/1.x requests given in the absolute form, in
which case the Host header must be ignored by the server, per RFC 9112,
section 3.2.2.
The fix is to redefine the HTTP_HOST default from a protocol-specific
value given in the $host variable. This will now use the Host request
header field, ":authority" pseudo-header field, or request line target
URI depending on request HTTP version.
Also the CGI specification (RFC 3875, 4.1.18) notes
The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL.
Closes: https://github.com/nginx/nginx/issues/256
Closes: https://github.com/nginx/nginx/issues/455
Closes: https://github.com/nginx/nginx/issues/912
Diffstat (limited to 'src/http/modules')
| -rw-r--r-- | src/http/modules/ngx_http_fastcgi_module.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c index 6b1977340..f7f0696a8 100644 --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -656,9 +656,18 @@ static ngx_str_t ngx_http_fastcgi_hide_headers[] = { }; +static ngx_keyval_t ngx_http_fastcgi_headers[] = { + { ngx_string("HTTP_HOST"), + ngx_string("$host$is_request_port$request_port") }, + { ngx_null_string, ngx_null_string } +}; + + #if (NGX_HTTP_CACHE) static ngx_keyval_t ngx_http_fastcgi_cache_headers[] = { + { ngx_string("HTTP_HOST"), + ngx_string("$host$is_request_port$request_port") }, { ngx_string("HTTP_IF_MODIFIED_SINCE"), ngx_string("$upstream_cache_last_modified") }, { ngx_string("HTTP_IF_UNMODIFIED_SINCE"), ngx_string("") }, @@ -3276,7 +3285,8 @@ ngx_http_fastcgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) conf->params_source = prev->params_source; } - rc = ngx_http_fastcgi_init_params(cf, conf, &conf->params, NULL); + rc = ngx_http_fastcgi_init_params(cf, conf, &conf->params, + ngx_http_fastcgi_headers); if (rc != NGX_OK) { return NGX_CONF_ERROR; } |