Overview of Nginx 1.26 changes
With the release of Nginx 1.26, several important changes have been introduced to enhance security and ensure compliance with HTTP standards. The following are the key updates:
Handling of whitespace in header names and values
To improve security, adherence to RFC 7230 has been strengthened, particularly concerning the handling of whitespace in headers. More details about these changes can be found in the Appendix.
Handling of Content-Length and Transfer-Encoding headers
One of the common techniques used in request smuggling attacks involves sending HTTP requests with both Content-Length and Transfer-Encoding headers. While Apigee Edge was already fortified against such attacks, Nginx now explicitly blocks requests that contain both headers. If such a request is sent, Nginx will respond with a 400 Bad Request error.
Supported ciphers
The list of supported ciphers for northbound requests may change with this release. You can check the ciphers supported by OpenSSL on your router host to get the updated list of available ciphers.
Supported key sizes
Previously, RSA, DSA, and DH keys smaller than 2048 bits, and ECC keys smaller than 224 bits, were accepted by default. However, with this update, such keys will no longer be allowed for both one-way and two-way TLS connections for northbound requests.
Appendix
Whitespace in headers
There are three primary changes:
- Certain header names that were previously allowed are now disallowed by Nginx 1.26. Requests with these headers will result in a 400 Bad Request error.
- Certain header values that were previously allowed are now disallowed by Nginx 1.26. Requests with these headers will also result in a 400 Bad Request error.
- Some headers that were previously accepted by Nginx but caused failures downstream in the message processor are now rejected directly by Nginx. Although these headers still lead to API failures, the HTTP failure messages will change.
The section below provides examples of various header names and header values that are disallowed. These are examples only and may not be an exhaustive list. It is recommended to adhere to the guidelines of RFC 7230 for headers.
Changes in header names
This section lists various header names that were allowed in Nginx 1.20.1 but are now disallowed in Nginx 1.26.
| Scenario | Examples of header names |
|---|---|
| Control character at start, end, or in between header name | { '\u0001'Header0, Value0 } { Header6'\u0002', Value6 } { Header'\u0005'4, Value4 } |
| Leading & trailing whitespace in header name | {"Header2 ", "Value2"} {" Header3", "Value3"} {" Header4 ", "Value4"} |
| Leading & trailing HTAB in header name | {"\tHeader11", "Value11"} {"Header12\t", "Value12"} {"\tHeader13\t", "Value13"} |
| Leading & trailing combination of HTAB, WS in header name | {"\t Header24", "Value24"} {" \tHeader25", "Value25"} {"Header26 \t", "Value26"} {"Header27\t ", "Value27"} |
| NewLine (\n) in between header name followed immediately by WS or a series of WS | {"Header\n 57Mutiline", "Value57"} {"Header\n 58Mutiline", "Value58"} |
| NewLine (\n) in between header name followed immediately by HTAB or a series of HTAB | {"Header\n\t73", "Value73"} {"Header\n\t\t74", "Value74"} |
| Carriage return (\r) NewLine (\n) in between header name followed immediately by HTAB or a series of HTAB | {"Header\r\n\t69", "Value69"} {"Header\r\n\t\t70", "Value70"} |
| Carriage return (\r) NewLine (\n) in between header name followed immediately by WS or a series of WS | {"Header\r\n 71", "Value71"} {"Header\r\n 72", "Value72"} |
Changes in header values
This section shows various header values that were allowed in Nginx 1.20.1 but disallowed in Nginx 1.26.
| Scenario | Examples |
|---|---|
| \r\n or combination of \r\n with WS or HTAB allowed in between HEADERVALUE |
{"Header47", "Value47\r\n MultiLine"}, {"Header48", "Value48\r\n MultiLine"}, {"Header49b", "Value49b\r\n \r\nMultiLine"}, {"Header50", "Value50 \r\n MultiLine"}, {"Header51", "Value51\r\n\tMultiLine"}, {"Header52", "Value52\r\n\t\tMultiLine"}, {"Header53", "Value53\t\r\n\tMultiLine"} |
| \n or combination of \n with WS or HTAB allowed in between HEADERVALUE |
{"Header61", "Value\n 61Multiline"}, {"Header62", "Value\n 63Multiline"}, {"Header65", "Value\n\t65"}, {"Header66", "Value\n\t\t66"}, {"Header67", "Value\n 67"}, {"Header68", "Value\n 68"} |
Change in HTTP failure response
This section covers headers that were allowed by the old Nginx but rejected by the upstream message processor, resulting in a 400 status code. However, in Nginx 1.26, such headers cause failures directly at Nginx, preventing the request from being forwarded to the message processor.
For clients that send such headers, the HTTP status code will remain 400. However, the HTTP response body may change as the failure will now be generated by Nginx instead of the message processor.
| Scenario | Examples |
|---|---|
| HTAB or WS in between HEADERNAME
The Message Processor rejects such requests. With Nginx 1.26, these requests will be rejected by Nginx itself. The API consumer will receive a 400 error response with an Nginx error message in the body. |
{"Header 5", "Value5"}, {"Header\t14", "Value14"}, {"Header\t 32", "Value32"}, {"Header \t33", "Value33"}, {"Header- 36", "Value36"}, {"Header-\t40", "Value40"}, {"Header 4a", "Value4a"}, {"Header\t 59", "Value59"}, {"Header\t 60", "Value60"} |