Hello! On Tue, Dec 14, 2021 at 02:50:19PM +0000, Sai Vishnu Soudri (ssoudri) wrote:
> Thanks a lot for your reply. Just to clarify, by "There are no
> known vulnerabilities in nginx which make request smuggling
> possible" you mean after the 1.21.x release, right?

> I am using OpenResty and the latest version of OpenResty is
> based on mainline nginx core 1.19.9.

Supported releases are 1.20.2 stable and 1.21.4 mainline, see
http://nginx.org/en/download.html. Though 1.19.9 isn't much different.

> Currently, the approach I'm taking to mitigate HTTP Request
> Smuggling is blocking all incoming HTTP/1.1 requests. I was
> worried if incoming HTTP/2 requests would pose a vulnerability
> as nginx converts it before sending upstream, but with your
> reply I believe that should not be a problem anymore.
>
> Since OpenResty is not able to leverage the new changes added in
> 1.21.x, do you suggest I continue with this approach till
> OpenResty can leverage the changes made in 1.21.x, or is it
> mandatory to use 1.21.x and block HTTP/1.1 requests to prevent
> request smuggling?

I don't think you need to do anything special to prevent request
smuggling unless you are using a buggy server in front of nginx.

--
Maxim Dounin
http://mdounin.ru/