Hi,
I see that nginx as proxy rejects headers with name like “auth.client”
or
“auth.token” (with dot in their name) and stops parsing further headers.
Thus the request to the upstream server doesn’t contain these headers.
From
the logs, it says “client sent invalid header line”.
Why is having a dot in the header name considered invalid? I searched
the
relevant RFCs (2616 and 822) and they don’t seem to exclude dot. May I
know
the reason for nginx to reject headers with dot while other servers like
Apache httpd parse headers with dot just fine.
Also, in the nginx source I noticed a undocumented directive
“ignore_invalid_headers” which is on by default. It when set to off,
makes
nginx passes such headers to the upstream server properly.
Is it safe to use this directive? Are there any side-effects,
performance
issues related to using it?
On Sat, Jan 23, 2010 at 12:08:08AM +0530, Vinay Y S wrote:
Also, in the nginx source I noticed a undocumented directive
“ignore_invalid_headers” which is on by default. It when set to off, makes
nginx passes such headers to the upstream server properly.
Is it safe to use this directive? Are there any side-effects, performance
issues related to using it?
Basically nginx does this because:
they aren’t generally used (http itself only uses alphanumeric
and “-” in headers);
they are likely to cause issues, including security ones, with
translations like CGI does (X-Blah -> HTTP_X_BLAH, X_Blah ->
HTTP_X_BLAH, X.Blah -> HTTP_X_BLAH); note that nginx itself uses
similar translation for $http_* variables and AFAIR while passing
headers to fastcgi backends.
As long as you are ok with the above - it should be mostly ok to
switch off ignore_invalid_headers.
Maxim D.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.