Hello -
Nginx is reporting invalid incoming headers with RFC-compliant headers that use a '.' (meaning, a period) within the name.
As an example, I am curling to a very basic proxy setup while trailing the error log:
The following is valid:
# curl -vvvH "a-b-c: 999" localhost:81/test/v01
* About to connect() to localhost port 81 (#0)
* Trying ::1... connected
* Connected to localhost (::1) port 81 (#0)
> GET /test/v01 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:81
> Accept: */*
> a-b-c: 999
>
< HTTP/1.1 204 No Content
< Server: nginx
< Date: Mon, 19 Mar 2018 22:58:35 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: max-age=0, no-store
<
* Connection #0 to host localhost left intact
* Closing connection #0
2018/03/19 22:58:35 [info] 432544#432544: *526 client ::1 closed keepalive connection
However, a very similar request but using a period within the header:
[root@dtord01stg02p ~]# curl -vvvH "a.b.c: 999" localhost:81/test/v01
* About to connect() to localhost port 81 (#0)
* Trying ::1... connected
* Connected to localhost (::1) port 81 (#0)
> GET /test/v01 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:81
> Accept: */*
> a.b.c: 999
>
2018/03/19 22:58:38 [info] 432544#432544: *528 client sent invalid header line: "a.b.c: 999" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"
< HTTP/1.1 204 No Content
< Server: nginx
< Date: Mon, 19 Mar 2018 22:58:38 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: max-age=0, no-store
<
* Connection #0 to host localhost left intact
* Closing connection #0
2018/03/19 22:58:38 [info] 432544#432544: *528 client ::1 closed keepalive connection
I am aware that I can allow illegal requests, but standards compliance is a strict requirement in our enterprise.
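
The mismatch reported above can be audited from the error log. This is an added example, not part of the original post or of nginx itself. It assumes the RFC 7230 `token` grammar for field names and nginx's documented rule for `ignore_invalid_headers` (English letters, digits, hyphens, and underscores only with `underscores_in_headers on`); the function names and all sample log lines except the first are constructed.

```python
import re

# RFC 7230 section 3.2.6: field-name = token = 1*tchar
RFC7230_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# nginx docs (ignore_invalid_headers): letters, digits, hyphens ...
NGINX_DEFAULT = re.compile(r"^[0-9A-Za-z-]+$")
# ... and underscores when underscores_in_headers is on
NGINX_UNDERSCORES = re.compile(r"^[0-9A-Za-z_-]+$")

# The [info] entry nginx writes when it drops a header line
INVALID_LINE = re.compile(r'client sent invalid header line: "([^"]*)"')


def classify(name, underscores_in_headers=False):
    """Compare a header name against nginx's rule and the RFC token grammar."""
    nginx_rule = NGINX_UNDERSCORES if underscores_in_headers else NGINX_DEFAULT
    if nginx_rule.match(name):
        return "accepted"
    if RFC7230_TOKEN.match(name):
        return "rfc-token-rejected-by-nginx"
    return "not-an-rfc-token"


def audit(log_lines, underscores_in_headers=False):
    """Return (header_name, classification) for each invalid-header log entry."""
    results = []
    for line in log_lines:
        m = INVALID_LINE.search(line)
        if not m:
            continue  # unrelated entry, e.g. "closed keepalive connection"
        name = m.group(1).split(":", 1)[0]
        results.append((name, classify(name, underscores_in_headers)))
    return results


SAMPLE_LOG = [
    # Entry from the report above
    '2018/03/19 22:58:38 [info] 432544#432544: *528 client sent invalid header line: "a.b.c: 999" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"',
    # Constructed entries for illustration
    '2018/03/19 22:58:40 [info] 432544#432544: *530 client sent invalid header line: "x_request_id: 1" while reading client request headers, client: ::1',
    '2018/03/19 22:58:41 [info] 432544#432544: *531 client sent invalid header line: "bad name: 1" while reading client request headers, client: ::1',
    '2018/03/19 22:58:41 [info] 432544#432544: *531 client ::1 closed keepalive connection',
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LOG):
        print(f"{name!r}: {verdict}")
```

Headers reported as `rfc-token-rejected-by-nginx` are the ones nginx drops before proxying even though the name is a valid RFC 7230 token, which is the case the `a.b.c` request hits.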