Join Log in
Score:0
avatar Server

Risks of enabling nginx upstream keepalive

in flag
logut

Using nginx as HTTP reverse proxy for Apache with PHP backend (I need .htaccess flexibility for webmasters). Seeing http/1.0 used in Apache logs made me look up on how to enable keep-alive connection.

Upon my search I found this blog post from Nginx https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives

By default, NGINX opens a new connection to an upstream (backend) server for every new incoming request. This is safe but inefficient,[...]

If default behavior is safe, what are the risks of enabling upstream keepalive ?

58
0 + 0
Score:5
user195311 avatar Server
ph flag
user195311

Proxying a connection with keepalive is considered a risk because of HTTP desynchronization attacks / request smuggling. This occurs when the backend doesn't split different client requests in the exact same way as the frontend. Closing the connection after each request is the "safe" option, since this clearly delineates when the current request has ended.

See https://book.hacktricks.xyz/pentesting-web/http-request-smuggling for more information.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.