Score:0

What are NGINX reverse proxy users doing to prevent HTTP Request Smuggling?


Since NGINX does not support sending HTTP/2 requests upstream, what are present NGINX reverse proxy users doing to mitigate the HTTP Request Smuggling vulnerability?

I understand that the best way to prevent HTTP Request Smuggling is by sending HTTP/2 requests end to end. Since NGINX, when used as a reverse proxy, sends requests upstream using HTTP/1.1, I believe this exposes the backend to HTTP Request Smuggling.

Apart from the web application firewall (WAF) from NGINX App Protect, is there any other solution to tackle this vulnerability? I am relatively new to NGINX and reverse proxies. If NGINX does have an alternate solution, please do share.

Thank you

djdomi:
I am unsure, but I believe that this question would be a better fit on security instead of here, even if it's an interesting-sounding question.

I've posted the question here because this involves understanding how Nginx and its users tackle the vulnerability. Could you please share the link for security if that's a different forum? I'll post the question there as well.

djdomi:
I think it's: https://security.stackexchange.com/

Thank you. I have posted the question there as well.