Re: What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

Maxim Dounin
December 14, 2021 05:18PM
Hello!

On Tue, Dec 14, 2021 at 02:50:19PM +0000, Sai Vishnu Soudri (ssoudri) wrote:

> Thanks a lot for your reply. Just to clarify, by "There are no
> known vulnerabilities in nginx which make request smuggling
> possible" you mean after the 1.21.x release right?
> I am using OpenResty and the latest version of OpenResty is
> based on mainline nginx core 1.19.9.

Supported releases are 1.20.2 stable and 1.21.4 mainline, see
http://nginx.org/en/download.html. Though 1.19.9 isn't much
different.

> Currently, the approach I'm taking to mitigate HTTP Request
> Smuggling is blocking all incoming HTTP/1.1 requests. I was
> worried if incoming HTTP/2 requests would pose a vulnerability
> as nginx converts it before sending upstream, but with your
> reply I believe that should not be a problem anymore.
>
> Since OpenResty is not able to leverage the new changes added in
> 1.21.x, do you suggest I continue with this approach till
> OpenResty can leverage the changes made in 1.21.x or is it
> mandatory to use 1.21.x and block HTTP/1.1 requests to prevent
> request smuggling?

I don't think you need to do anything special to prevent request
smuggling unless you are using a buggy server in front of nginx.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx