Option to relax duplicate Host header checks

Posted by Leseratte10 
Option to relax duplicate Host header checks
March 24, 2022 04:59AM
As a response to ticket https://trac.nginx.org/nginx/ticket/1724, Nginx 1.17.9 and newer ( https://hg.nginx.org/nginx/rev/4f18393a1d51 ) no longer accept HTTP requests with more than one "Host" header due to an additional condition in ngx_http_process_host.

That change "broke" my server, as that server is being accessed by an old piece of hardware that seems to have a similar issue as the Motorola phones the hack was originally introduced for. It doesn't send two different hostnames, but instead sends the same one twice (two separate, identical Host headers).

Looking both through the documentation and through the Nginx source code, I found no way to relax that check, so I had to download the nginx source code, revert that one commit, and compile it myself. But that's not an ideal solution as it makes it way more difficult to keep nginx up-to-date, I'd rather just use my distribution's nginx package.

Would it be possible to add a config file option to bring back the old behaviour, allowing duplicate host headers again? I see why this change was introduced (as multiple Host headers can cause a bunch of issues), but as long as it's disabled by default there should be no harm in having a configuration option that allows multiple headers, right?
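As an added illustration (not nginx code and not the poster's patch), the Python below parses a raw HTTP/1.1 request head and applies the strict Host check the post describes (any second Host header is rejected, as in nginx 1.17.9 and newer) next to a hypothetical relaxed mode that tolerates repeats only when every copy is byte-identical; the sample requests are constructed.

```python
def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value), ...]).
    Header names are lower-cased so 'Host' and 'host' compare equal."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_host(headers, allow_identical_duplicates=False):
    """Return (accepted, reason).

    Strict mode mirrors the behaviour described in the post: a request carrying
    more than one Host header is rejected outright, because two values leave the
    virtual-host choice ambiguous between nginx and the application behind it.
    allow_identical_duplicates is a hypothetical relaxed option (not an nginx
    directive): repeats are accepted only if all copies are byte-identical,
    so the ambiguous case of differing values is still refused.
    """
    hosts = [value for name, value in headers if name == "host"]
    if not hosts:
        return False, "missing Host header"
    if len(hosts) == 1:
        return True, "single Host header"
    distinct = set(hosts)
    if allow_identical_duplicates and len(distinct) == 1:
        return True, f"{len(hosts)} identical Host headers"
    if len(distinct) > 1:
        return False, "duplicate Host headers with differing values"
    return False, "duplicate Host headers"


# Constructed sample requests: the old device's pattern, a conflicting pair, and a normal request.
IDENTICAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nHost: example.test\r\n\r\n"
CONFLICTING = b"GET / HTTP/1.1\r\nHost: example.test\r\nHost: other.test\r\n\r\n"
SINGLE = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: legacy/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("identical", IDENTICAL), ("conflicting", CONFLICTING), ("single", SINGLE)):
        _, hdrs = parse_head(raw)
        print(label, "strict:", check_host(hdrs), "relaxed:", check_host(hdrs, True))
```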
Re: Option to relax duplicate Host header checks
May 03, 2022 07:58AM
Leseratte10 Wrote:
-------------------------------------------------------
> As a response to ticket https://trac.nginx.org/nginx/ticket/1724,
> Nginx 1.17.9 and newer ( https://hg.nginx.org/nginx/rev/4f18393a1d51 )
> no longer accept HTTP requests with more than one "Host" header due to
> an additional condition in ngx_http_process_host.
> That change "broke" my server, as that server is being accessed by an
> old piece of hardware that seems to have a similar issue as the
> Motorola phones the hack was originally introduced for. It doesn't
> send two different hostnames, but instead sends the same one twice
> (two separate, identical Host headers).
>
> Looking both through the documentation and through the Nginx source
> code, I found no way to relax that check, so I had to download the
> nginx source code, revert that one commit, and compile it myself. But
> that's not an ideal solution as it makes it way more difficult to keep
> nginx up-to-date, I'd rather just use my distribution's nginx
> package.
>
> Would it be possible to add a config file option to bring back the old
> behaviour, allowing duplicate host headers again? I see why this
> change was introduced (as multiple Host headers can cause a bunch of
> issues), but as long as it's disabled by default there should be no
> harm in having a configuration option that allows multiple headers,
> right?

Thanks for sharing