FastCGI: 30-year-old protocol still better for reverse proxies

Original: FastCGI: 30 years old and still the better protocol for reverse proxies

Why This Matters

Highlights persistent HTTP security flaws in proxy architectures and a viable alternative protocol

Andrew Ayer argues FastCGI remains superior to HTTP for reverse proxy communication after 30 years. The protocol avoids the HTTP parsing vulnerabilities and desync attacks that plague modern systems, as seen in Discord's recent security flaw.

Software engineer Andrew Ayer advocates for FastCGI, a 30-year-old protocol, over HTTP for reverse proxy-to-backend communication. He highlights recent HTTP desync vulnerabilities, including Discord's media proxy flaw that exposed private attachments. FastCGI functions as a wire protocol with explicit message framing, avoiding the HTTP/1.1 parsing ambiguities that enable request smuggling attacks. The protocol integrates easily with existing applications: Go developers need only replace http.Serve with fcgi.Serve while keeping the same handlers. Popular proxies like nginx, Apache, Caddy, and HAProxy support FastCGI with simple configuration changes. Ayer notes that HTTP/1.1's multiple ways of delimiting a message lead to inconsistent parsing across implementations, which is what prompted security researcher James Kettle to declare that 'HTTP/1.1 must die' after discovering repeated vulnerabilities. While HTTP/2 addresses the framing issues, FastCGI has provided clear message boundaries since 1996 with a simpler implementation.
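The http.Serve/fcgi.Serve swap mentioned above, as an added Go example (not Ayer's code or the article's): the handler is written once and only the transport to the reverse proxy is chosen at startup. The Unix socket path and the -fcgi flag are assumptions of this example.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/fcgi"
)

// app is an ordinary http.Handler: nothing in it knows whether the bytes on
// the wire between proxy and backend are HTTP/1.1 or FastCGI records.
func app() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		name := r.URL.Query().Get("name")
		if name == "" {
			name = "world"
		}
		fmt.Fprintf(w, "hello, %s\n", name)
	})
	return mux
}

// serve is the only place the transport is chosen; the handlers are identical.
func serve(l net.Listener, useFCGI bool) error {
	if useFCGI {
		return fcgi.Serve(l, app()) // proxy sends FastCGI records over l
	}
	return http.Serve(l, app()) // proxy sends HTTP/1.1 over l
}

func main() {
	useFCGI := flag.Bool("fcgi", false, "speak FastCGI to the reverse proxy instead of HTTP")
	sock := flag.String("listen", "/tmp/app.sock", "Unix socket path (assumed; must match the proxy config)")
	flag.Parse()
	l, err := net.Listen("unix", *sock)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(serve(l, *useFCGI))
}
```

With -fcgi set, the backend never parses HTTP/1.1 at all; the proxy (for nginx, a location using fastcgi_pass to the socket) is the only component that has to.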

Source

agwa.name