Opened 5 years ago

Closed 5 years ago

#1838 closed defect (invalid)

problem in http2

Reported by: oleg9301@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.16.x
Keywords:
Cc:
uname -a: Linux n32-cot1-node3 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0k 28 May 2019 (running with OpenSSL 1.1.0j 20 Nov 2018)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/tmp/nginx-1.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --add-dynamic-module=/tmp/nginx-1.16.1/debian/testcookie-nginx-module --with-compat --add-dynamic-module=/tmp/nginx-1.16.1/debian/ModSecurity-nginx --add-dynamic-module=/tmp/nginx-1.16.1/debian/nginx-dav-ext-module --add-module=/tmp/nginx-1.16.1/debian/nginx_http_upstream_check_module

Description

cat /etc/debian_version
9.9

Good day. I have the following configuration: there is a proxying nginx on which I enable http2, and after 15-20 hours problems begin with some files getting through in the Chrome browser (ERR_SPDY_PROTOCOL_ERROR).

In the logs I see that 32 kb is served instead of 400. Curl over http2 downloads the file normally (but with an error in the log, see below), Mozilla also works correctly; the problems occur only in Chrome, in any version.

[] 109.232.248.0 - - [23/Aug/2019:09:19:36 +0300] "GET /press/css/DmShgKZBWtExAzwWROPpnQJJ.css HTTP/2.0" 200 32100 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-" XXXX 0.172 - 10.163.94.29:443 0.096/0.168/0.172 32100
[] 109.232.248.0 - - [23/Aug/2019:09:19:36 +0300] "GET /press/css/DmShgKZBWtExAzwWROPpnQJJ.css HTTP/2.0" 200 32100 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-" XXXX 0.144 - 10.163.94.29:443 0.064/0.140/0.144 32100
[] 109.232.248.0 - - [23/Aug/2019:09:19:45 +0300] "GET /press/css/DmShgKZBWtExAzwWROPpnQJJ.css HTTP/2.0" 200 436145 "-" "curl/7.52.1" "-" XXXX 0.239 - 10.163.94.29:443 0.064/0.140/0.236 436145

Config for proxying (some information removed: ip, domain)

upstream XXXX {
    server Y.Y.Y.Y:443 backup;
    server Z.Z.Z.Z:443;
    check interval=3000 rise=1 fall=3 timeout=1000;
}

server {
    access_log /var/log/nginx/XXXX.access.log http_log;
    error_log /var/log/nginx/XXXX.error.log;

    listen X.X.X.X:443 ssl http2;
    server_name XXXX;

    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_certificate /etc/ssl/certificates/XXXX/cert.pem;
    ssl_certificate_key /etc/ssl/certificates/XXXX/key.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:XXXX:10m;

    limit_conn addr 100;
    client_max_body_size 50m;

    testcookie_name XXXX;
    proxy_set_header Host $http_host;
    proxy_set_header X-Client-Ip $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "";

    location / {
        proxy_pass https://XXXX;
        proxy_connect_timeout 10s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

server {
    listen X.X.X.X:80;
    server_name XXXX;

    return 301 https://XXXX:443$request_uri;
}

Note the error line in the curl output

  • http2 error: Ignoring received invalid HTTP header field: frame type: 1, stream: 1, name: [expires], value: [A, 23 023 2020 11:52:52 GMT]

curl -vvi https://XXXX/press/css/DmShgKZBWtExAzwWROPpnQJJ.css

  • Trying X.X.X.X...
  • TCP_NODELAY set
  • Connected to XXXX (X.X.X.X) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: XXXX
  • start date: Feb 11 12:26:10 2019 GMT
  • expire date: Apr 1 11:01:03 2020 GMT
  • subjectAltName: host "XXXX" matched cert's "XXXX"
  • issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Extended Validation CA - SHA256 - G3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x561366d93e80)

    GET /press/css/DmShgKZBWtExAzwWROPpnQJJ.css HTTP/1.1
    Host: XXXX
    User-Agent: curl/7.52.1
    Accept: */*

  • Connection state changed (MAX_CONCURRENT_STREAMS updated)!
  • http2 error: Ignoring received invalid HTTP header field: frame type: 1, stream: 1, name: [expires], value: [A, 23 023 2020 11:52:52 GMT]

< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Fri, 23 Aug 2019 06:52:35 GMT
date: Fri, 23 Aug 2019 06:52:35 GMT
< content-type: text/css; charset=utf-8
content-type: text/css; charset=utf-8
< content-length: 436145
content-length: 436145
< cache-control: max-age=31536000
cache-control: max-age=31536000
< content-disposition: attachment; filename="OWcRyGLYVEKHSrySdZKMswJJ.css"
content-disposition: attachment; filename="OWcRyGLYVEKHSrySdZKMswJJ.css"

<
/*press-1.0*/

Attachments (1)

header_expires (39 bytes ) - added by oleg9301@… 5 years ago.

Change History (4)

by oleg9301@…, 5 years ago

Attachment: header_expires added

comment:1 by oleg9301@…, 5 years ago

I added the file header_expires; view it in the original, since trac eats special characters.

comment:2 by oleg9301@…, 5 years ago

It started working after adding
proxy_hide_header Expires;

It looks like the Chrome engine handles errors in the expires header differently for http1.1 and http2.
Nginx simply passes along what it received as input; there is no error in that.

comment:3 by Sergey Kandaurov, 5 years ago

Resolution: invalid
Status: new → closed

Since proxy_hide_header helps, the problem is most likely somewhere in the headers returned on the backend side. Properly, one should investigate what exactly the backend returns and in what form it goes to the client.
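
Added example (not part of the ticket and not nginx code): one way to follow the advice in comment:3 and inspect what the backend sends is to check each response header value against the RFC 7230 field-value byte set and, for date headers, the IMF-fixdate format. The function names are this example's own, and the sample response is constructed: the control bytes in its Expires value are placeholders, since the attachment's actual bytes are not shown on the page.

```python
import re
from datetime import datetime

DAYS = [b"Mon", b"Tue", b"Wed", b"Thu", b"Fri", b"Sat", b"Sun"]
MONTHS = [b"Jan", b"Feb", b"Mar", b"Apr", b"May", b"Jun",
          b"Jul", b"Aug", b"Sep", b"Oct", b"Nov", b"Dec"]
# IMF-fixdate (RFC 7231 section 7.1.1.1), the only format a sender may generate.
IMF_FIXDATE = re.compile(
    b"(" + b"|".join(DAYS) + rb"), (\d{2}) (" + b"|".join(MONTHS)
    + rb") (\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT")
DATE_HEADERS = {b"expires", b"date", b"last-modified"}

def invalid_value_bytes(value):
    """(offset, byte) pairs outside RFC 7230 field-value: HTAB, SP, VCHAR, obs-text."""
    return [(i, b) for i, b in enumerate(value)
            if not (b == 0x09 or 0x20 <= b <= 0x7E or b >= 0x80)]

def is_imf_fixdate(value):
    m = IMF_FIXDATE.fullmatch(value)
    if not m:
        return False
    day, dd, mon, yyyy, hh, mi, ss = m.groups()
    try:  # range-check the fields (a leap second :60 is rejected here)
        dt = datetime(int(yyyy), MONTHS.index(mon) + 1, int(dd),
                      int(hh), int(mi), int(ss))
    except ValueError:
        return False
    return DAYS[dt.weekday()] == day  # day name must agree with the date

def audit(raw):
    """Findings for an HTTP/1.1 response head as received from the backend."""
    findings = []
    for line in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:  # skip status line
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip(b" \t")
        bad = invalid_value_bytes(value)
        if bad:
            findings.append(name.decode("latin-1") + ": invalid byte(s) "
                            + ", ".join(f"0x{b:02x}@{i}" for i, b in bad))
        if name in DATE_HEADERS and not is_imf_fixdate(value):
            findings.append(name.decode("latin-1") + f": not IMF-fixdate: {value!r}")
    return findings

# Constructed sample: the control bytes are placeholders, not the ticket's attachment.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/css; charset=utf-8\r\n"
          b"Date: Fri, 23 Aug 2019 06:52:35 GMT\r\n"
          b"Expires: \x01A, 23 \x02023 2020 11:52:52 GMT\r\n\r\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the raw bytes captured on the backend connection rather than terminal output, because a terminal or a wiki page drops the control characters.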
