NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
To mitigate this issue, use a named location instead of having the error_page handler do the redirect. This configuration was not vulnerable to request smuggling on any of the NGINX versions we tested.
    server {
        listen 80;
        server_name localhost;
        error_page 401 @401;
        location / {
            return 401;
        }
        location @401 {
            return 302 http://example.org;
        }
    }
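An added example, not part of the original advisory: a small Python check that flags error_page directives that issue the redirect themselves and confirms that any named-location target is actually defined. The sample configurations are constructed and the function names are hypothetical; the parser is a simplification that ignores quoted strings and treats named locations as global rather than per-server.

```python
import re
# Constructed samples: WEAK lets error_page issue the redirect itself; FIXED is the named-location form.
WEAK = """
server {
    error_page 401 http://example.org;  # redirect done by error_page
    location / { return 401; }
}
"""
FIXED = """
server {
    error_page 401 @401;
    location / { return 401; }
    location @401 { return 302 http://example.org; }
}
"""

def directives(conf):
    """Yield (line_no, words) per directive or block header (hypothetical helper)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, keep newlines
    line, start, buf = 1, 1, ""
    for ch in conf:
        if ch in ";{}":
            if buf.split():
                yield start, buf.split()
            buf = ""
        else:
            if not ch.isspace() and not buf.strip():
                start = line  # first word of a new directive
            buf += ch
        if ch == "\n":
            line += 1

def audit(conf):
    """Return (line_no, message) findings for error_page targets."""
    items = list(directives(conf))
    named = {w[1] for _, w in items if w[0] == "location" and len(w) == 2}
    findings = []
    for no, w in items:
        if w[0] != "error_page" or len(w) < 3:
            continue
        target = w[-1]  # last argument is the URI, after codes and optional =code
        if re.match(r"https?://", target, re.I):
            findings.append((no, f"error_page redirects to {target}; use a named location"))
        elif target.startswith("@") and target not in named:
            findings.append((no, f"named location {target} is not defined"))
    return findings

if __name__ == "__main__":
    print("WEAK:", audit(WEAK), "FIXED:", audit(FIXED))
```

Run it over the output of `nginx -T` to cover included files as well as the main configuration.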