I’m reaching out regarding a critical security concern that was highlighted in a recent paper titled “HTTP/1.1 Must Die: The Desync Endgame” (https://http1mustdie.com/).
According to the paper, HTTP/1.1 used for upstream (from proxy to backend) is inherently insecure due to HTTP desynchronization (desync) attacks. The research argues that HTTP/1.1 cannot be reliably patched, and that the only solution is to use HTTP/2 (or higher) on upstream connections.
Are there any plans or ongoing discussions to implement HTTP/2 support for upstream connections in Nginx using proxy_pass?
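To make the desync claim in the question concrete, here is an added example (written for this page, not code from the thread, the paper or NGINX): a minimal HTTP/1.1 request splitter that can be told to honour either Content-Length or Transfer-Encoding first, run over a constructed byte stream, beside the HTTP/2 frame layout in which the body length travels in the frame header and no header can reinterpret it. The host name and the sample requests are constructed for illustration.

```python
import struct

# Constructed sample stream (not from the page): a POST carrying BOTH
# Content-Length and Transfer-Encoding, followed by an innocent GET. Which
# bytes belong to the POST body depends on which header the parser honours.
CL_TE_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"          # hypothetical host
    b"Content-Length: 6\r\n"           # 6 bytes: "0\r\n\r\nG"
    b"Transfer-Encoding: chunked\r\n"  # chunked body ends at "0\r\n\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

# The same traffic without the ambiguity: one framing header only.
CLEAN_STREAM = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1\r\n\r\nG"
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
)


def _parse_head(buf):
    """Split off one request head; return (method, path, headers, rest) or None."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), path.decode(), headers, rest


def _read_chunked(rest):
    """Consume a chunked body (no trailers); return (body, remaining_bytes)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer section
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF


def split_requests(stream, prefer):
    """Split a byte stream into (method, path, body) tuples.

    prefer is "cl" or "te": which framing header wins when both are present.
    Each HTTP/1.1 hop applies one such rule; two hops applying different
    rules is exactly the desync condition.
    """
    out, buf = [], stream
    while buf:
        parsed = _parse_head(buf)
        if parsed is None:
            break
        method, path, headers, rest = parsed
        chunked = headers.get(b"transfer-encoding") == b"chunked"
        has_cl = b"content-length" in headers
        if chunked and (prefer == "te" or not has_cl):
            body, buf = _read_chunked(rest)
        elif has_cl:
            n = int(headers[b"content-length"])
            body, buf = rest[:n], rest[n:]
        else:
            body, buf = b"", rest
        out.append((method, path, body))
    return out


def framing_agrees(stream):
    """True when CL-first and TE-first parsers see the same request sequence."""
    return split_requests(stream, "cl") == split_requests(stream, "te")


DATA_FRAME, END_STREAM = 0x0, 0x1


def h2_data_frame(stream_id, payload, end_stream=True):
    """Build an HTTP/2 DATA frame: 24-bit length, type, flags, 31-bit stream id."""
    flags = END_STREAM if end_stream else 0
    header = len(payload).to_bytes(3, "big") + bytes([DATA_FRAME, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def h2_frames(stream):
    """Parse frames back out; the body length comes from the frame header only."""
    frames = []
    while stream:
        length = int.from_bytes(stream[:3], "big")
        ftype, flags = stream[3], stream[4]
        sid = struct.unpack("!I", stream[5:9])[0] & 0x7FFFFFFF
        frames.append((sid, ftype, flags, stream[9:9 + length]))
        stream = stream[9 + length:]
    return frames


if __name__ == "__main__":
    for rule in ("cl", "te"):
        print(rule, split_requests(CL_TE_STREAM, rule))
    # The same 6 body bytes carried by HTTP/2 framing: length is explicit.
    wire = h2_data_frame(1, b"0\r\n\r\nG") + h2_data_frame(3, b"x")
    print(h2_frames(wire))
```

Run against CL_TE_STREAM, the Content-Length-first parser sees a POST with a 6-byte body followed by `GET /next`, while the Transfer-Encoding-first parser sees an empty-bodied POST followed by a request whose method is `GGET`: the leftover `G` has been prepended to whatever the next client sends on that connection, which is the request-smuggling primitive the paper builds on. The HTTP/2 side has no such choice to make: the only framing is the 24-bit length in each frame header, and RFC 9113 (section 8.2.2) requires a message carrying connection-specific fields such as Transfer-Encoding to be treated as malformed, so there is no second header for an upstream to disagree about.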
@jsmaldone I searched around and I cannot find any plans for this, at least on sites I have access to and am able to share publicly.
This was discussed quite some time ago on the mailing lists but not implemented. A Stack post, also from quite a while back, may shed some light around a possible reason.
“NGINX does not support ‘HTTP/2 to the backend’. This is evident from the documentation. The maximum HTTP version to the backend is 1.1.
There’s actually little sense in adding such support. The primary feature of HTTP/2 is request multiplexing. When you deal with HTTP proxying, the frontend NGINX routes a request to a matching location on the backend. So, when we talk about HTTP proxying, this level does traffic inspection on the HTTP level in order to inspect headers and URIs to route requests appropriately. Thus, it’s always about inspecting a single request and routing it somewhere; multiplexing hardly applies here.”