Opened 3 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#1907 closed defect (duplicate)

Nginx does not handle URL larger than 8K

Reported by: kvaps@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.15.x
Keywords:
Cc:
uname -a: Linux nginx-ingress-controller-79f78d4457-rr299 4.15.18-12-pve #1 SMP PVE 4.15.18-36 (Fri, 05 Apr 2019 18:47:13 +0200) x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.15.8.2
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2 -g -Og -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -Wno-cast-function-type -I/root/.hunter/_Base/2c5c6fc/fdb8df4/92161a9/Install/include -m64 -mtune=native' --add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.7 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/2c5c6fc/fdb8df4/92161a9/Install/lib' --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-md5-asm --with-sha1-asm --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --user=www-data --group=www-data 
--add-module=/tmp/build/nginx-http-auth-digest-cd8641886c873cf543255aeda20d23e4cd603d05 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/nginx-influxdb-module-5b09391cb7b9a889687c0aa67964c06a2d933e8b --add-dynamic-module=/tmp/build/nginx-opentracing-0.9.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-d7101e13685efd7e7c9f808871b202656a969f4b --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-3.2 --add-module=/tmp/build/nginx_ajp_module-bf6cd93f2098b59260de8d494f0f4b1f11a84627 --add-module=/tmp/build/ngx_brotli --with-stream --with-stream_ssl_preread_module

Description

Steps to reproduce:

# curl "https://example.org/$(head -c 9999 /dev/zero |tr '\0' 'a')"
curl: (52) Empty reply from server

Logs are clean; these parameters do not affect the original issue:

large_client_header_buffers 16 64k;
client_body_buffer_size 1M;
client_header_buffer_size 1M;

Change History (4)

comment:1 by kvaps@…, 3 weeks ago

Discussion:
https://t.me/nginx_ru/82745
(Russian)

comment:2 by kvaps@…, 3 weeks ago

Verbose log enabled:

# curl -svv "https://victoriametrics.example.org/$(head -c 9999 /dev/zero |tr '\0' 'a')" 
*   Trying 10.36.1.99:443...
* TCP_NODELAY set
* Connected to victoriametrics.example.org (10.36.1.99) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4236 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CZ; CN=*.example.org; emailAddress=domains@example.com
*  start date: Feb 27 12:25:50 2017 GMT
*  expire date: Feb 27 12:25:50 2020 GMT
*  subjectAltName: host "victoriametrics.example.org" matched cert's "*.example.org"
*  issuer: C=PL; O=Unizeto Technologies S.A.; OU=Certum Certification Authority; CN=Certum Domain Validation CA SHA2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x557c761d2dd0)
} [5 bytes data]
> GET /aaaaaaa HTTP/2
> Host: victoriametrics.example.org
> user-agent: curl/7.67.0
> accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* TLSv1.2 (IN), TLS alert, close notify (256):
{ [2 bytes data]
* Empty reply from server
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]

comment:3 by Maxim Dounin, 3 weeks ago

Resolution: duplicate
Status: new → closed

You are using HTTP/2, and the request exceeds default http2_max_field_size. There should be something like this in logs at the info level:

2019/12/26 16:39:40 [info] 34596#100149: *2 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 127.0.0.1, server: 0.0.0.0:8443

Consider tuning http2_max_field_size.

Duplicate of #1520.

comment:4 by kvaps@…, 3 weeks ago

This problem affects only the HTTP/2 protocol:

http2_max_header_size 1M;
http2_max_field_size 1M;

solves the issue.
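Added example (not part of the ticket or of nginx): a small Python scan of an nginx error log for the info-level message quoted in comment:3, grouped by directive and client, to confirm which of the two HTTP/2 limits from comment:4 a rejected request hit. The message is only written when error_log is at info level or lower; the sample log is constructed, with its first line taken from the ticket, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the message quoted in comment:3; http2_max_header_size is the
# sibling limit tuned in comment:4 (assumed to be logged in the same form).
LIMIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?"
    r"client exceeded (?P<limit>http2_max_(?:field|header)_size) limit"
    r".*?client: (?P<client>[^,\s]+), server: (?P<server>\S+)"
)


def find_http2_limit_hits(lines):
    """Return one dict per log line reporting an exceeded HTTP/2 size limit."""
    hits = []
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count hits per (directive, client) so the limit to tune is obvious."""
    return Counter((h["limit"], h["client"]) for h in hits)


# Constructed sample: line 1 is the log line from the ticket, the rest are
# made up for this example (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2019/12/26 16:39:40 [info] 34596#100149: *2 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 127.0.0.1, server: 0.0.0.0:8443
2019/12/26 16:39:41 [info] 34596#100149: *3 client 127.0.0.1 closed keepalive connection
2019/12/26 16:40:02 [info] 34596#100149: *4 client exceeded http2_max_header_size limit while processing HTTP/2 connection, client: 192.0.2.10, server: 0.0.0.0:8443
2019/12/26 16:40:05 [info] 34596#100149: *5 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 127.0.0.1, server: 0.0.0.0:8443
""".splitlines()

if __name__ == "__main__":
    counts = summarize(find_http2_limit_hits(SAMPLE_LOG))
    for (limit, client), n in counts.most_common():
        print(f"{n:3d}  {limit:<24} {client}")
```
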
