sing OpenResty and the latest version of OpenResty is
> based on mainline nginx core 1.19.9.
Supported releases are 1.20.2 stable and 1.21.4 mainline, see
http://nginx.org/en/download.html. Though 1.19.9 isn't much
different.
> Currently, the approach I'm taking to mitigate HTT
Currently, the approach I'm taking to mitigate HTTP Request Smuggling is
blocking all incoming HTTP/1.1 requests. I was worried if incoming HTTP/2
requests would pose a vulnerability as nginx converts it before sending
upstream, but with your reply I believe that should not be a problem
Hello!
On Fri, Dec 10, 2021 at 11:46:48AM +, Sai Vishnu Soudri (ssoudri) wrote:
> Hi everyone,
>
> I'm a new NGINX user and I want to understand what NGINX reverse
> proxy users are doing to mitigate HTTP request smuggling
> vulnerability. I understand that NGINX does
Hi everyone,
I'm a new NGINX user and I want to understand what NGINX reverse proxy users
are doing to mitigate HTTP request smuggling vulnerability. I understand that
NGINX does not support sending HTTP/2 requests upstream.
Since the best way to prevent HTTP Request Smuggling is by se
Hi Maxim,
On 30-6-2021 at 21:17, Maxim Dounin wrote:
Hello!
On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
Thanks! That makes sense to me. I like to understand things a little
better and hope you can help with that:
1) Why is the result different when I disable keepalive i
Hello!
On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
> Thanks! That makes sense to me. I like to understand things a little
> better and hope you can help with that:
>
> 1) Why is the result different when I disable keepalive in Nginx? After
> disabling keepalive the second
spond the same as Nginx with keepalive disabled?
On 30-6-2021 at 18:13, Maxim Dounin wrote:
Hello!
On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote:
Recently I got a report from a security researcher who said I'm
vulnerable to HTTP request smuggling attacks and
Hello!
On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote:
> Recently I got a report from a security researcher who said I'm
> vulnerable to HTTP request smuggling attacks and included a
> demonstration. I couldn't imagine he was right because I'm using
Hello,
Recently I got a report from a security researcher who said I'm
vulnerable to HTTP request smuggling attacks and included a
demonstration. I couldn't imagine he was right because I'm using
HTTP/1.0 connections between Nginx (reverse proxy) and Apache. It should
only b