Opened 5 months ago

Closed 5 months ago

#1800 closed defect (duplicate)

nginx closes http2 connection if request is too large

Reported by: shveenkov@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.17.x
Keywords: Cc:
uname -a: Linux infra01.n3o.ru 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.0 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

nginx closes the http2 connection if the request is too large.

See the most simple nginx config with http2 support:

server {
    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;

    location / {
        root /usr/share/nginx/html;
    }
}

Look at http 1.1 - a normal response:

curl -s --http1.1 -v "https://infra01.n3o.ru/$(printf 'x%.0s' {1..9171})"

* Trying 95.163.251.222...
* TCP_NODELAY set
* Connected to infra01.n3o.ru (95.163.251.222) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*   subject: CN=infra01.n3o.ru
*   start date: May 6 23:45:09 2019 GMT
*   expire date: Aug 4 23:45:09 2019 GMT
*   subjectAltName: host "infra01.n3o.ru" matched cert's "infra01.n3o.ru"
*   issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*   SSL certificate verify ok.
> GET /xxxxxxxxx ....
.....
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1
> Host: infra01.n3o.ru
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 414 Request-URI Too Large
< Server: nginx/1.16.0
< Date: Thu, 27 Jun 2019 13:22:31 GMT
< Content-Type: text/html
< Content-Length: 177
< Connection: close
<
<html>
<head><title>414 Request-URI Too Large</title></head>
<body>
<center><h1>414 Request-URI Too Large</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

We get a normal response - 414 Request-URI Too Large.

But for http2 nginx closes the connection. Why?
Look at the curl output:

curl -s --http2 -v "https://infra01.n3o.ru/$(printf 'x%.0s' {1..9171})"

* Trying 95.163.251.222...
* TCP_NODELAY set
* Connected to infra01.n3o.ru (95.163.251.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*   subject: CN=infra01.n3o.ru
*   start date: May 6 23:45:09 2019 GMT
*   expire date: Aug 4 23:45:09 2019 GMT
*   subjectAltName: host "infra01.n3o.ru" matched cert's "infra01.n3o.ru"
*   issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*   SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fbb96803600)
> GET /xxxxxxxxxxx ...
....
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/2
> Host: infra01.n3o.ru
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Unexpected EOF
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

Something is wrong.
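A small probe, added here and not part of the ticket or of nginx, that runs the reporter's two curl commands against any host and classifies the outcome (a 414 status versus a dropped connection) from curl's exit status and reported HTTP code. It assumes curl is installed and that HOST is a server you operate; `classify_result` can be exercised on its own without a network.

```shell
#!/bin/sh
# Added probe (not from the ticket or from nginx): compare how a server answers
# an oversized request line over HTTP/1.1 and over HTTP/2. Assumes curl is
# installed and that HOST (first argument) is a server you operate.

# Build a path of N 'x' characters, as the ticket's printf loop does (POSIX version).
make_path() {
    printf '%*s' "$1" '' | tr ' ' 'x'
}

# Map curl's exit status and the HTTP status it reported (000 when no response
# arrived) to one of three outcomes. curl exit 56 is a receive error (the
# "Unexpected EOF" in the ticket), 16 an HTTP/2 framing error, 92 an HTTP/2
# stream error.
classify_result() {
    rc=$1
    code=$2
    if [ "$rc" -eq 0 ] && [ "$code" = "414" ]; then
        echo "414-response"        # what the ticket sees over HTTP/1.1
    elif [ "$code" = "000" ] || [ "$rc" -eq 56 ] || [ "$rc" -eq 16 ] || [ "$rc" -eq 92 ]; then
        echo "connection-dropped"  # what the ticket sees over HTTP/2
    else
        echo "other:$code"
    fi
}

# probe HOST LENGTH PROTO  (PROTO is http1.1 or http2) -> prints the outcome
probe() {
    rc=0
    code=$(curl -s -o /dev/null -w '%{http_code}' "--$3" \
        "https://$1/$(make_path "$2")") || rc=$?
    classify_result "$rc" "${code:-000}"
}

# Usage: sh probe.sh HOST LENGTH   e.g. sh probe.sh example.com 9171
if [ $# -ge 2 ]; then
    for proto in http1.1 http2; do
        printf '%-8s %s\n' "$proto" "$(probe "$1" "$2" "$proto")"
    done
fi
```

Over HTTP/1.1 nginx answers 414 when the request line exceeds one of its large_client_header_buffers (8k by default), so probing a length on each side of that limit shows where the two protocols start to diverge.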

Change History (1)

comment:1 Changed 5 months ago by mdounin

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #1520.
