Connection: Upgradeheader, such as for a websocket connection, the reverse proxy will maintain the persistent connection between the client and server, allowing for the continuous communication needed for these procotols. For a H2C Connection, the RFC requires 3 headers to be present:
Connection: Upgradevariant, where the
HTTP2-Settingsvalue is omitted from the
Sec-WebSocket-Version. Proxy doesn't validate
Sec-WebSocket-Versionheader and thinks that Upgrade request is correct. Further it translates request to the backend.
426because protocol version is incorrect inside header
Sec-WebSocket-Version. However, reverse proxy doesn't check enough response from backend (including status code) and thinks that backend is ready for WebSocket communication. Further it translates request to the client.
/api/socket.io/and healthcheck API on path
ucontrols URL. Backend reaches external resource and returns status code back to the client.
Upgrade: websocket. NGINX thinks that it's a normal Upgrade request, it looks only for
Upgradeheader skipping other parts of the request. Further proxy translates request to the backend.
101. Backend translates that response to the reverse proxy. Since NGINX validates only status code it will think that backend is ready for WebSocket communication. Further it translates request to the client.