Custom Query (2297 matches)

grpc_pass seems to cause grpc core to do a TCP reset when streaming a lot of data, ostensibly when response headers are being sent.

The grpc client experiences a HTTP/2 RST_STREAM frame.

The problem *appears* to be fixed if the grpc_buffer_size is set to a large number such as 100M. Presumably, this makes sense if the upstream GRPC server is able to produce data faster than the client can receive it; however I expected grpc_pass to act like proxy_pass and use a temporary file if the buffer size is exceeded.

Alternatively, disabling buffering and relying on flow-control seems like a good option, considering the GRPC stream data may be real-time in some use cases. With proxy_pass this is possible with proxy_buffering off. Unfortunately there is no such option with grpc_pass.

I have created a gist which includes a minimal example (with nginx configuration, versions etc) to reproduce this:

​https://gist.github.com/naggie/1c432b41613a23497a3c6f67c0adac28

Thanks!

I have compiled latest nginx 1.15.4 and noticed that it segfault every time when trying to do ssllabs test (​https://www.ssllabs.com/ssltest/) on any vhost. It always segfault during "Testing renegotiation" stage. I have generated core dump and backtrace is always the same:

backtrace #0 ngx_http_ssl_servername (ssl_conn=0x1eccef0, ad=0x7ffd4e5949d0, arg=0x0) at src/http/ngx_http_request.c:878 #1 0x000000000057bc9f in ssl_parse_clienthello_tlsext () #2 0x000000000057227e in tls_process_client_hello () #3 0x00000000005678bd in state_machine () #4 0x000000000054fd42 in ssl3_read_bytes () #5 0x00000000005556a5 in ssl3_read () #6 0x000000000055edc9 in SSL_read () #7 0x0000000000495f76 in ngx_ssl_recv (c=0x1c18a40, buf=0x1efb21a "", size=886) at src/event/ngx_event_openssl.c:1746 #8 0x00000000004b00ed in ngx_http_read_request_header (r=0x1da0e60) at src/http/ngx_http_request.c:1418 #9 0x00000000004afc46 in ngx_http_process_request_headers (rev=0x1c8f730) at src/http/ngx_http_request.c:1285 #10 0x0000000000491415 in ngx_epoll_process_events (cycle=0x162e050, timer=42349, flags=1) at src/event/modules/ngx_epoll_module.c:902 #11 0x0000000000481540 in ngx_process_events_and_timers (cycle=0x162e050) at src/event/ngx_event.c:242 #12 0x000000000048ebe8 in ngx_worker_process_cycle (cycle=0x162e050, data=0x0) at src/os/unix/ngx_process_cycle.c:750 #13 0x000000000048bac8 in ngx_spawn_process (cycle=0x162e050, proc=0x48eb3a <ngx_worker_process_cycle>, data=0x0, name=0x6e7ee8 "worker process", respawn=-3) at src/os/unix/ngx_process.c:199 #14 0x000000000048ddfd in ngx_start_worker_processes (cycle=0x162e050, n=4, type=-3) at src/os/unix/ngx_process_cycle.c:359 #15 0x000000000048d54d in ngx_master_process_cycle (cycle=0x162e050) at src/os/unix/ngx_process_cycle.c:131 #16 0x000000000044e751 in main (argc=1, argv=0x7ffd4e5953d8) at src/core/nginx.c:382

Tested on different servers and OSes (Fedora 28, Centos 7.5) with different configs, every time it results in segfault. The same problem exists when compiled with openssl-1.1.1 or with openssl-1.1.0i.

My test config is:

worker_processes 4;

events {

worker_connections 2048;

}

http {

ssl_dhparam /usr/local/nginx/conf/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

server {

listen xx.xx.xx.xx:443; server_name www.xxx.com ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;

location / {

root /srv/www;

}

}

A few users (using Chrome and Safari) where getting request for client certificates upon connecting to the site. I was unable to reproduce the error until I installed another client certificate in Chrome (so it prompts to select certificate).

I double checked the config and none of the options for client certificates were set. I also added "ssl_verify_client off;" just to be sure.

After reverting 699f6e55bbb4 the users are no longer getting client certificate requests.