Opened 7 years ago
Closed 6 years ago
#1549 closed defect (fixed)
HTTP2 push does not work due to incorrect scheme in proxy_protocol mode
Reported by: | Roel van Duijnhoven | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | |
Keywords: | http2 push | Cc: | |
uname -a: | Linux haproxy-machine 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' |
Description
I use the proxy_protocol because I send the tcp traffic via HaProxy to nginX. However HTTP2 push does not work with this set-up.
When I debug the difference between non-proxy and proxy mode using nghttp I get the following difference:
The resource *is* pushed, but has the wrong scheme.
Sample of configuration used:
http { # This is the one I would like to use server { listen 8002 http2 proxy_protocol; server_name _; root /usr/share/nginx/html; location / { http2_push /image.jpg; } } # This one can be accessed directly; and *does* work server { listen 8004 http2 ssl; ssl_certificate certificate.pem; ssl_certificate_key private.key; server_name _; root /usr/share/nginx/html; location / { http2_push /image.jpg; } } }
I could not find a way to overwrite the scheme in nginX in a way that would solve this issue.
I first placed this issue on StackOverflow. That can be found here: https://stackoverflow.com/questions/50022621/using-http2-push-with-nginx-in-conjunction-with-haproxy-does-not-work
Thanks!
Attachments (2)
Change History (10)
by , 7 years ago
comment:1 by , 7 years ago
comment:2 by , 7 years ago
I can verify that this fixes the problem! Thank you very much :).
On a related note: there is also the problem that the $scheme
variable is incorrect when using proxy_protocol
. So I quickly verified if this patch also mitigates that situation: that is however not the case.
I tested that by adding:
add_header X-scheme $scheme;
The $scheme
variable is http; although the incoming request is definitely https.
Ps: I had some trouble getting a clean Vagrant CentOs/7 working using https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source. Would it be worth creating an issue for this as well (with steps taken to make it work)? But finally got it working :).
Thanks again for your work!
by , 7 years ago
Attachment: | https.patch added |
---|
Patch that sets https scheme correctly when using proxy protocol
follow-up: 5 comment:3 by , 7 years ago
An update.
I did an attempt to update the source code myself. And after compiling found it to work! It now correctly reports the HTTPS scheme only when the actual request has that set as its scheme.
You can find the patch attached!
Note: I am a mere n00b to the nginx code-base. So please review before merging.
follow-up: 7 comment:5 by , 6 years ago
Replying to roelvanduijnhoven@…:
An update.
I did an attempt to update the source code myself. And after compiling found it to work! It now correctly reports the HTTPS scheme only when the actual request has that set as its scheme.
You can find the patch attached!
Note: I am a mere n00b to the nginx code-base. So please review before merging.
While in HTTP/2 the scheme is required, in HTTP/1 it is generally not present (https://tools.ietf.org/html/rfc7230#section-5.3.1) so your patch won't work for HTTP/1.
The original request scheme can be obtained either from the X-Forwarded-Proto
header, or derived from the PROXY protocol v2 PP2_TYPE_SSL
TLV, but nginx currently lacks support of the latter.
We've also discussed about adding support for XFP
and PP2_TYPE_SSL
to the realip module with the effect that the $scheme
and $https
variables will match the original request.
comment:7 by , 6 years ago
@ru It is hard for me to contribute in this discussion in a meaningful way. But I think the use case I describe is not _that_ special. I'll drop some thoughts in the other issue.
Regarding the original issue: you can fix that issue with the patch you gave earlier. I verified that it worked!
Replying to ru:
Replying to roelvanduijnhoven@…:
An update.
I did an attempt to update the source code myself. And after compiling found it to work! It now correctly reports the HTTPS scheme only when the actual request has that set as its scheme.
You can find the patch attached!
Note: I am a mere n00b to the nginx code-base. So please review before merging.
While in HTTP/2 the scheme is required, in HTTP/1 it is generally not present (https://tools.ietf.org/html/rfc7230#section-5.3.1) so your patch won't work for HTTP/1.
The original request scheme can be obtained either from the
X-Forwarded-Proto
header, or derived from the PROXY protocol v2PP2_TYPE_SSL
TLV, but nginx currently lacks support of the latter.
We've also discussed about adding support for
XFP
andPP2_TYPE_SSL
to the realip module with the effect that the$scheme
and$https
variables will match the original request.
comment:8 by , 6 years ago
Owner: | set to |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Please try the attached patch.