[nginx] Proxy: connection upgrades now rejected if not configured.
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 18 00:30:24 UTC 2025
details: http://freenginx.org/hg/nginx/rev/ee7201216801
branches:
changeset: 9408:ee7201216801
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Aug 18 03:19:16 2025 +0300
description:
Proxy: connection upgrades now rejected if not configured.
Previously, connection upgrades from upstream servers were accepted
as long as they were requested by the client. With this change, we
additionally check that the "Upgrade" header was actually sent to the
upstream server, as per "proxy_set_header Upgrade ..." in the configuration.
This shouldn't change anything for well-behaving upstream servers, though
makes things safer to use with misbehaving ones (and assuming the client
uses the "Upgrade" header for unrelated reasons, such as when trying to
start HTTP/2 over cleartext TCP with "Upgrade: h2c", currently deprecated).
diffstat:
src/http/modules/ngx_http_proxy_module.c | 13 ++++++++++++-
1 files changed, 12 insertions(+), 1 deletions(-)
diffs (47 lines):
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -141,6 +141,7 @@ typedef struct {
ngx_chain_t *busy;
unsigned head:1;
+ unsigned upgrade:1;
unsigned internal_chunked:1;
unsigned header_sent:1;
} ngx_http_proxy_ctx_t;
@@ -1244,6 +1245,7 @@ ngx_http_proxy_create_key(ngx_http_reque
static ngx_int_t
ngx_http_proxy_create_request(ngx_http_request_t *r)
{
+ u_char *key;
size_t len, uri_len, loc_len, body_len,
key_len, val_len;
uintptr_t escape;
@@ -1498,9 +1500,17 @@ ngx_http_proxy_create_request(ngx_http_r
continue;
}
+ key = e.pos;
+
code = *(ngx_http_script_code_pt *) e.ip;
code((ngx_http_script_engine_t *) &e);
+ if (e.pos - key == 7
+ && ngx_strncasecmp(key, (u_char *) "Upgrade", 7) == 0)
+ {
+ ctx->upgrade = 1;
+ }
+
*e.pos++ = ':'; *e.pos++ = ' ';
while (*(uintptr_t *) e.ip) {
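Review bot: The header-name length appears twice as a bare `7` in the added test, once in `e.pos - key == 7` and once as the `ngx_strncasecmp()` length, so neither is tied to the `"Upgrade"` literal it describes. Deriving both from the literal keeps them in step: `if ((size_t) (e.pos - key) == sizeof("Upgrade") - 1 && ngx_strncasecmp(key, (u_char *) "Upgrade", sizeof("Upgrade") - 1) == 0)`; the cast avoids a signed/unsigned comparison. A short comment above the test, such as `/* remember that "Upgrade" is really sent upstream; checked when a 101 response arrives */`, would explain why the flag exists, since it is consumed in a different function. The test sits after the `continue` that appears to skip headers with an empty value, so the flag should only be set for headers that are actually written. The surrounding loop starts and ends outside the hunk.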
@@ -2010,7 +2020,8 @@ ngx_http_proxy_process_header(ngx_http_r
}
if (u->headers_in.status_n == NGX_HTTP_SWITCHING_PROTOCOLS
- && r->headers_in.upgrade)
+ && r->headers_in.upgrade
+ && ctx->upgrade)
{
u->keepalive = 0;
u->upgrade = 1;
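Review bot: A 101 response that fails the new `ctx->upgrade` test leaves no trace in the lines shown here, so an operator cannot tell a misbehaving upstream from a location that is simply missing `proxy_set_header Upgrade ...`. Consider logging that case where the response is turned down, for example `ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "upstream sent unexpected 101 response, upgrade was not requested");`. How such a response is handled after this condition is decided outside the hunk, so the right place for the message may be further down in ngx_http_proxy_process_header().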