Sai Vishnu Soudri (ssoudri)
December 10, 2021 06:48AM
Hi everyone,

I'm a new NGINX user and I want to understand what NGINX reverse proxy users are doing to mitigate the HTTP request smuggling vulnerability. I understand that NGINX does not support sending HTTP/2 requests upstream.

Since the best way to prevent HTTP Request Smuggling is by sending HTTP/2 requests end to end, I believe NGINX, when used as a reverse proxy, could expose my backend server to HTTP request smuggling when it converts incoming HTTP/2 requests to HTTP/1.1 before sending them upstream.

Apart from the web application firewall (WAF) from NGINX App Protect, is there any other solution to tackle this vulnerability? I am relatively new to NGINX and reverse proxies; if NGINX or its users do have an alternate solution, please do share.

Thank you.
Regards,
Sai Vishnu Soudri
What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?
