[PATCH 10 of 12] Upstream: unexpected connection upgrades now rejected
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 8 20:09:05 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1754683266 -10800
# Fri Aug 08 23:01:06 2025 +0300
# Node ID 07b82a889a0e69eef4d90c3457b390dbdb38e2c9
# Parent e7b982e718785a517c34ffee9422ae9db3230e82
Upstream: unexpected connection upgrades now rejected.
Unless the client explicitly requested to change the application protocol,
the "101 Switching Protocols" response is now considered to be an upstream
server error and not forwarded to the client.
Similarly, other 1xx responses are also rejected for now. This will be
changed in subsequent patches.
This ensures that such responses won't affect the connection with the client.
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -2063,6 +2063,19 @@ ngx_http_fastcgi_process_header(ngx_http
ngx_str_set(&u->headers_in.status_line, "200 OK");
}
+ if (u->headers_in.status_n < NGX_HTTP_OK) {
+
+ /* reject 1xx responses */
+
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent unexpected status \"%V\"",
+ u->headers_in.status_line.len
+ ? &u->headers_in.status_line
+ : &u->headers_in.status->value);
+
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
break;
}
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -2009,12 +2009,21 @@ ngx_http_proxy_process_header(ngx_http_r
u->keepalive = !u->headers_in.connection_close;
}
- if (u->headers_in.status_n == NGX_HTTP_SWITCHING_PROTOCOLS) {
+ if (u->headers_in.status_n == NGX_HTTP_SWITCHING_PROTOCOLS
+ && r->headers_in.upgrade)
+ {
u->keepalive = 0;
-
- if (r->headers_in.upgrade) {
- u->upgrade = 1;
- }
+ u->upgrade = 1;
+
+ } else if (u->headers_in.status_n < NGX_HTTP_OK) {
+
+ /* reject unexpected 1xx responses */
+
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent unexpected status \"%V\"",
+ &u->headers_in.status_line);
+
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
}
return NGX_OK;
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -1157,6 +1157,18 @@ ngx_http_scgi_process_header(ngx_http_re
&& r->headers_in.upgrade)
{
u->upgrade = 1;
+
+ } else if (u->headers_in.status_n < NGX_HTTP_OK) {
+
+ /* reject unexpected 1xx responses */
+
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent unexpected status \"%V\"",
+ u->headers_in.status_line.len
+ ? &u->headers_in.status_line
+ : &u->headers_in.status->value);
+
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
}
return NGX_OK;
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1386,6 +1386,18 @@ ngx_http_uwsgi_process_header(ngx_http_r
&& r->headers_in.upgrade)
{
u->upgrade = 1;
+
+ } else if (u->headers_in.status_n < NGX_HTTP_OK) {
+
+ /* reject unexpected 1xx responses */
+
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent unexpected status \"%V\"",
+ u->headers_in.status_line.len
+ ? &u->headers_in.status_line
+ : &u->headers_in.status->value);
+
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
}
return NGX_OK;
More information about the nginx-devel
mailing list