Re: What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

2021-12-14 Thread Maxim Dounin
sing OpenResty and the latest version of OpenResty is > based on mainline nginx core 1.19.9. Supported releases are 1.20.2 stable and 1.21.4 mainline, see http://nginx.org/en/download.html. Though 1.19.9 isn't much different. > Currently, the approach I'm taking to mitigate HTT

Re: What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

2021-12-14 Thread Sai Vishnu Soudri (ssoudri)
Currently, the approach I'm taking to mitigate HTTP Request Smuggling is blocking all incoming HTTP/1.1 requests. I was worried that incoming HTTP/2 requests would pose a vulnerability as nginx converts it before sending upstream, but with your reply I believe that should not be a problem

Re: What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

2021-12-13 Thread Maxim Dounin
Hello! On Fri, Dec 10, 2021 at 11:46:48AM +, Sai Vishnu Soudri (ssoudri) wrote: > Hi everyone, > > I'm a new NGINX user and I want to understand what NGINX reverse > proxy users are doing to mitigate the HTTP request smuggling > vulnerability. I understand that NGINX does

What are NGINX reverse proxy users doing to prevent HTTP Request smuggling?

2021-12-10 Thread Sai Vishnu Soudri (ssoudri)
Hi everyone, I'm a new NGINX user and I want to understand what NGINX reverse proxy users are doing to mitigate the HTTP request smuggling vulnerability. I understand that NGINX does not support sending HTTP/2 requests upstream. Since the best way to prevent HTTP Request Smuggling is by se

Re: HTTP request smuggling

2021-06-30 Thread Hans Middelhoek
Hi Maxim, On 30-6-2021 at 21:17 Maxim Dounin wrote: Hello! On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote: Thanks! That makes sense to me. I'd like to understand things a little better and hope you can help with that: 1) Why is the result different when I disable keepalive i

Re: HTTP request smuggling

2021-06-30 Thread Maxim Dounin
Hello! On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote: > Thanks! That makes sense to me. I'd like to understand things a little > better and hope you can help with that: > > 1) Why is the result different when I disable keepalive in Nginx? After > disabling keepalive the second

Re: HTTP request smuggling

2021-06-30 Thread Hans Middelhoek
spond the same as Nginx with keepalive disabled? On 30-6-2021 at 18:13 Maxim Dounin wrote: Hello! On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote: Recently I got a report from a security researcher who said I'm vulnerable to HTTP request smuggling attacks and

Re: HTTP request smuggling

2021-06-30 Thread Maxim Dounin
Hello! On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote: > Recently I got a report from a security researcher who said I'm > vulnerable to HTTP request smuggling attacks and included a > demonstration. I couldn't imagine he was right because I'm using

HTTP request smuggling

2021-06-30 Thread Hans Middelhoek
Hello, Recently I got a report from a security researcher who said I'm vulnerable to HTTP request smuggling attacks and included a demonstration. I couldn't imagine he was right because I'm using HTTP/1.0 connections between Nginx (reverse proxy) and Apache. It should only b