Bump nginx from 1.29.8 to 1.31.1#84
Conversation
Bumps nginx from 1.29.8 to 1.31.1. --- updated-dependencies: - dependency-name: nginx dependency-version: 1.31.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
alarthast
left a comment
alarthast
left a comment
There was a problem hiding this comment.
From the changes doc:
*) Change: now nginx rejects HTTP/2 and HTTP/3 requests with the "Connection", "Proxy-Connection", "Keep-Alive", "Transfer-Encoding", "Upgrade" header lines, and "TE" with any value other than "trailers".
I think I understand and agree with Claude's interpretation:
If you have any clients that were sending these headers over HTTP/2 or HTTP/3, they'll start getting errors after upgrading nginx. The fix is on the client side — they shouldn't be sending those headers at all.
but I'm not sure how relevant it is to us. If it is only our services that are using the proxy and they end up hitting this error, then would it be straightforward to update the headers used by those services?
|
tl;dr I think it's fine The headers are all HTTP/1.1-specific and are irrelevant to HTTP/2 and HTTP/3; nginx used to ignore them and now it's going to error instead. Services that call the proxy are airlock, jobrunner and the otel collector. Airlock and job-runner use requests, which only uses HTTP/1.1; so although we do send keep-alive headers at least (both use module-level Session objects), they won't be affected. The otel collector is using an otel-gateway endpoint for the otlp_http exporter which goes via the proxy; the exporter can use HTTP/2 if it's going via HTTPS (which it is), but it doesn't set any of the problematic headers. (N.B. I also asked Claude and google for most of that 😄 ) |
|
Thanks very much Becky! 😄 I think that would have took me really long to figure out. |
2 participants
Bumps nginx from 1.29.8 to 1.31.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)