Opened 8 years ago

Closed 8 years ago

#1048 closed defect (invalid)

broken header xxxx while reading PROXY protocol

Reported by: Roycohen@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.9.x
Keywords: Cc:
uname -a: Linux bamboo3 4.4.14-24.50.amzn1.x86_64 #1 SMP Fri Jun 24 19:56:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: openresty/
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/nginx --with-cc-opt='-O2 -O2 -O2 -g -fexceptions -fstack-protector -m64' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.59 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.30 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.05 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.5 --add-module=../ngx_lua_upstream-0.05 --add-module=../headers-more-nginx-module-0.30 --add-module=../array-var-nginx-module-0.05 --add-module=../redis2-nginx-module-0.13 --add-module=../redis-nginx-module-0.3.7 --with-ld-opt='-Wl,-rpath,/etc/nginx/luajit/lib -Wl,-rpath,/etc/luajit/lib' --with-pcre-jit --with-pcre=/usr/src/pcre-8.38 --with-http_realip_module --with-http_geoip_module --with-http_sub_module --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --add-module=/usr/src/strftime-nginx-module --add-module=/usr/src/ngx_http_lower_upper_case --add-module=/usr/src/nginx-push-stream-module-0.5.1 --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_ssl_module


I have upgraded from NGINX 1.8 to 1.9.x and since then my ELB health check is broken.
I have configured in the listen directive prxoy_protocl and health check is now getting 503 because of the proxy protocol.

NOTE: It doesn't related to openresty bundle.
How can I use the proxy_protocol with the ELB heath check, and why the NGINX can't ignore these headers if not found.

Change History (5)

comment:1 by Roman Arutyunyan, 8 years ago

Does "xxxx" look like a PROXY protocol header? If you don't know how to check that, please post "xxxx" here at least partially.

Did you change ELB settings after upgrade?

comment:2 by Roycohen@…, 8 years ago

Here is the full error:
2016/08/11 14:24:42 [error] 26894#0: *138 broken header: "GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _gat=1; instanceid=577c0bad0757bbe7178b4577; pvptheme=aniview; debugEnabled=; _ga=GA1.2.641309518.1469949931; token=RjqUD7FmUf--atsGHlkkTZ1TqX-CCO28v9hFIscTz4doQSmPrMtK3k10Kc15leXY7cPFeHhQNO2xTlXfz2RvJgyGynbczwnvr7pMTHukXhdKZvx7AXned-ZwWBKe4lMaK6c3TPN8huTlQjSxokemWA%3D%3D; version=av2.1.1_hf1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Connection: keep-alive

" while reading PROXY protocol, client:, server:

It doesn't matter.
Why NGINX breaks the request if proxy_protocol is invalid.
I didn't changed anything in the ELB.

It is easy to create it.

Last edited 8 years ago by Roycohen@… (previous) (diff)

comment:3 by Roman Arutyunyan, 8 years ago

It does not break the request. It expects from client exactly what you have configured.

comment:4 by Roycohen@…, 8 years ago

I want it to resolve the proxy headers when they are sent and if they do not then it shouldn't break the request.
It is breaking, you can check an see.
I can make with your remote share and show it to you.

in reply to:  4 comment:5 by Valentin V. Bartenev, 8 years ago

Resolution: invalid
Status: newclosed

Replying to Roycohen@…:

I want it to resolve the proxy headers when they are sent and if they do not then it shouldn't break the request.

That is prohibited by the proxy protocol specification for serious security reasons.

A quote from the spec:

The receiver MUST be configured to only receive the protocol described in this
specification and MUST not try to guess whether the protocol header is present
or not. This means that the protocol explicitly prevents port sharing between
public and private access. Otherwise it would open a major security breach by
allowing untrusted parties to spoof their connection addresses. The receiver
SHOULD ensure proper access filtering so that only trusted proxies are allowed
to use this protocol.

Note: See TracTickets for help on using tickets.