id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1143	http2 and auth_request corrupts first 32 bytes of POST request bodies longer than 8192 bytes	jason.codeassassin.com@…		"nginx 1.10.2 and 1.11.6 on Ubuntu 16.04 and Debian Stretch will corrupt the
first 32 bytes of a POST request body exceeding 8192 bytes when proxying from
an HTTP/2 client and also using an auth_request.

Using HTTP/1.1 instead of HTTP/2 stops the corruption.

Removing the auth_request configuration also stops the corruption.

POST request bodies of exactly 8192 bytes or less are not corrupted.

HTTP/2 clients tested include nghttp2 1.16, Chrome 55 for Windows, and
Firefox 51.0 for Windows. The client-side HTTP/2 over TLS traffic has been
captured, decrypted, and verified to contain the uncorrupted POST request body.

This was discovered affecting users in our Production environment and then reproduced in isolation with a minimal nginx configuration which has been published at https://github.com/jstangroome/nginx-http2-auth_request-post-corruption

The nginx.conf from the repository above is attached for convenience. Use `nghttp https://127.0.0.1/with_auth_request --data=./a-file-larger-than-8192-bytes.txt` or similar."	defect	closed	major		nginx-core	1.11.x	fixed			Linux a4d477a7e472 3.13.0-85-generic #129-Ubuntu SMP Thu Mar 17 20:50:15 UTC 2016 x86_64 GNU/Linux	"nginx version: nginx/1.11.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips  1 Mar 2016 (running with OpenSSL 1.0.2g  1 Mar 2016)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed'"
