Selectively Disabling HTTP/1.0 and HTTP/1.1
18 days ago
- #HTTP/3
- #Nginx
- #Security
- HTTP/3 was enabled for the site in January 2026, with most traffic still using HTTP/1.X, which was largely malicious.
- Two approaches were used to selectively disable HTTP/1.X: allowing only known good agents or excluding assumed bad agents.
- Nginx configuration changes used the map directive to derive variables from each request that decide whether it is allowed to proceed.
- Approach 1: Only known good agents (like text-based browsers and major bots) are allowed to use HTTP/1.X.
- Approach 2: Only assumed bad agents (like blank user agents or questionable ones) are blocked from using HTTP/1.X.
- HTTP status 426 (Upgrade Required) is returned for disallowed HTTP/1.X requests, and those requests are logged so the allow and block lists can be reviewed and adjusted.
- Testing showed successful blocking of malicious requests, with a significant drop in bad traffic after implementation.
- The author initially preferred Approach 1 but leaned towards Approach 2 for broader compatibility with legitimate bots.
- Considerations include the trade-off between security and accessibility for different types of users and bots.
- HTTP/1.0 is largely obsolete, while HTTP/1.1 is still used but lacks modern security features.
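The following nginx fragment is an added example that illustrates the two approaches summarised above; it is not the configuration from the original article. It assumes nginx 1.25 or later with HTTP/3 (QUIC) support, the server name and certificate paths are placeholders, and the user-agent patterns are illustrative only and should be tuned against your own logs.

```nginx
# Added example (not the original article's configuration).
# Assumes nginx >= 1.25 built with HTTP/3 support; paths and names are placeholders.

# 1 when the request arrived over HTTP/1.0 or HTTP/1.1, 0 for HTTP/2 and HTTP/3.
map $server_protocol $is_http1 {
    default    0;
    "HTTP/1.0" 1;
    "HTTP/1.1" 1;
}

# Approach 1 (allow-list): only these agents may keep using HTTP/1.X.
# Illustrative patterns: text-based browsers and major crawlers.
map $http_user_agent $ua_http1_allowed {
    default      0;
    ~*^lynx      1;
    ~*^w3m       1;
    ~*Googlebot  1;
    ~*bingbot    1;
}

# Approach 2 (block-list): only these agents are refused HTTP/1.X.
# Illustrative patterns: blank user agent plus a few generic client strings.
map $http_user_agent $ua_http1_denied {
    default            0;
    ""                 1;   # blank user agent
    ~*python-requests  1;
    ~*^curl            1;
}

# Combine protocol and agent into a single 0/1 decision variable.
# Approach 1: block HTTP/1.X unless the agent is on the allow-list.
map "$is_http1:$ua_http1_allowed" $http1_blocked {
    default 0;
    "1:0"   1;
}
# Approach 2 alternative (replace the map above with this one):
# map "$is_http1:$ua_http1_denied" $http1_blocked {
#     default 0;
#     "1:1"   1;
# }

# Dedicated log line for rejected requests so the lists can be reviewed.
log_format http1_blocked '$remote_addr [$time_local] "$request" $server_protocol '
                         'ua="$http_user_agent"';

server {
    listen 443 quic reuseport;   # HTTP/3
    listen 443 ssl;              # HTTP/1.1 and HTTP/2 over TLS
    http2 on;
    server_name example.com;     # placeholder

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder

    # Advertise HTTP/3 so capable clients switch on their next connection.
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    # Only requests with $http1_blocked == 1 are written to this log.
    access_log /var/log/nginx/http1-blocked.log http1_blocked if=$http1_blocked;

    location / {
        if ($http1_blocked) {
            # add_header inside an if block does not inherit the server-level
            # headers, so both are repeated here for the 426 response.
            add_header Alt-Svc 'h3=":443"; ma=86400' always;
            add_header Upgrade "h2, h3" always;
            return 426;   # Upgrade Required
        }
        # normal content handling follows (root, proxy_pass, etc.)
    }
}
```

Start with the block-list map and the dedicated log enabled, then read `http1-blocked.log` for a while before switching to the stricter allow-list: any legitimate bot that only speaks HTTP/1.1 will show up there as a 426 before you lock it out for good.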