Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1252 closed defect (invalid)

Multiplexing different hosts into one HTTP/2 connection leads to 421

Reported by: Oleg Davydov
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.11.x
Keywords:
Cc:
uname -a: Linux server 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.6
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-http_ssl_module --user=www-data --group=www-data --with-cc-opt=-O4 --with-http_gzip_static_module --with-http_flv_module --with-http_mp4_module --with-file-aio --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/tmp/nginx.client_body_temp --http-proxy-temp-path=/tmp/nginx.proxy_temp --with-zlib-asm=pentiumpro --http-fastcgi-temp-path=/tmp/nginx.fastcgi_temp --add-module=/root/ngx_http_bytes_filter_module --with-ld-opt=-static --with-cc-opt='-static -static-libgcc' --with-http_secure_link_module --with-http_addition_module --with-http_realip_module --with-threads --with-debug --with-http_sub_module --add-module=../nginx-rtmp-module --with-stream --with-stream --with-http_v2_module --add-module=../ngx_http_enhanced_memcached_module --with-http_slice_module

Description

Quote from https://tools.ietf.org/html/rfc7540:

An origin server might offer a certificate with multiple
"subjectAltName" attributes or names with wildcards, one of which is
valid for the authority in the URI.  For example, a certificate with
a "subjectAltName" of "*.example.com" might permit the use of the
same connection for requests to URIs starting with
"https://a.example.com/" and "https://b.example.com/"

That means that clients (for example, Google Chrome) reuse connections aggressively:
- make a TLS connection to a.example.com
- receive a certificate for *.example.com
- send the next query, to b.example.com, over this connection, because a.example.com and b.example.com have the same IP and both are covered by the certificate.

Nginx will reject the second query with 421 Misdirected Request, logging «client attempted to request the server name different from that one was negotiated while reading client request headers», which is misbehavior with respect to RFC7540 (HTTP/2).

Change History (2)

comment:1 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: new → closed

The 421 Misdirected Request status code is a special code introduced by RFC 7540 to indicate that the connection cannot be used for a particular request, see here. It is used by nginx in situations when it cannot serve the request over an existing connection due to different security settings, see #848. Browsers are expected to open a new connection in this case. That is, nginx behaviour here is perfectly correct and matches HTTP/2 protocol specification aka RFC 7540.

What you are likely seeing here is the Chrome bug with incorrect handling of the 421 Misdirected Request status code. Chrome is known for doing it wrong. It is expected to be already fixed in the Chrome sources though, and a fixed version will likely be available for normal users soon.
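The scenario in the description and the client behaviour expected in the comment above, as an added example that is not part of this ticket and not code from nginx or Chrome: a simplified model of RFC 7540 section 9.1.1 connection coalescing, of a server-side 421 check, and of a client that retries on a fresh connection instead of failing. The hostnames, the IP address and the per-name "security settings" tags are constructed, and the server check is a deliberate simplification of nginx's real logic.

```python
# Added example, not code from the ticket, nginx or Chrome. Hostnames, IPs and
# the security-settings tags are constructed; the 421 check is a simplification.
from dataclasses import dataclass

def cert_covers(san_names, host):
    """True if a subjectAltName matches host; '*' matches one leftmost label only."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in san_names):
        if name.startswith("*."):
            prefix = host[: -len(name[1:])] if host.endswith(name[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False

@dataclass
class Conn:
    """One TLS connection: origin IP, cert presented, origin settings, SNI name."""
    ip: str
    san_names: tuple
    settings: dict
    negotiated: str

    def request(self, authority):
        # Server-side model (assumption): answer 421 when the requested name is
        # configured with different security settings than the negotiated name.
        if self.settings.get(authority) != self.settings.get(self.negotiated):
            return 421
        return 200

class Client:
    def __init__(self, dns, origins):
        self.dns, self.origins = dns, origins  # constructed DNS and origin configs
        self.conns, self.opened = [], 0

    def _connect(self, host):
        ip = self.dns[host]
        san, settings = self.origins[ip]
        self.conns.append(Conn(ip, san, settings, host))
        self.opened += 1
        return self.conns[-1]

    def fetch(self, host):
        """Coalesce when the IP matches and the cert covers host (RFC 7540 9.1.1);
        on 421 retry once on a fresh connection rather than surfacing an error."""
        ip = self.dns[host]
        usable = [c for c in self.conns if c.ip == ip and cert_covers(c.san_names, host)]
        usable.sort(key=lambda c: c.negotiated != host)  # prefer an exact SNI match
        conn = usable[0] if usable else self._connect(host)
        status = conn.request(host)
        return self._connect(host).request(host) if status == 421 else status
```

With two names behind one IP and one wildcard certificate, the second name is coalesced onto the first connection, gets 421 when its settings differ, and is then served on a new connection; when the settings are identical the single connection is reused without any 421.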

comment:2 by Oleg Davydov, 3 years ago

Thank you, I will wait for this fix to appear in Chrome stable.
