id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version 1934,Unpredictable behaviour using proxy_cookie_path to add SameSite cookie attribute,edrandall@…,,"== Use-Case: We are attempting to use alter cookie attibutes for the Chrome browser, in view of the upcoming `SameSite` changes per https://www.chromium.org/updates/same-site == Configuration The nginx is configured as a proxy in front of apache-tomcat. SSL is terminated on Nginx. Session cookies are set by Tomcat. For architectural reasons we need to add the `SameSite=None` attribute at the nginx proxy layer for Chrome users. Hence we have a configuration consisting of (heavily abbreviated): {{{ http { map $http_user_agent $samesite_attr { ""~*chrome"" '; SameSite=None'; } upstream local_tomcat { server 127.0.0.1:8080 fail_timeout=0; keepalive 100; } server { listen 9443 ssl http2; location / { proxy_pass http://local_tomcat; proxy_cookie_path ~/(.*) ""/$1$samesite_attr""; } } } }}} == Expected behaviour When the backend tomcat returns a `set_cookie` header and the user-agent string contains 'Chrome', we expected to see `; SameSite=None` appended on the cookie attribute list. (The cookie already contains the `Secure` attribute btw.) == Observed behaviour Initially users on Chrome started to report website availability issues and 'gateway timeout' errors. Using a plugin to alter the Chrome user-agent string to impersonate IE10 reverted to normal working behaviour. Further investigation using 'Curl' showed that, after Tomcat processing completes, sometimes the HTTP/2 response became corrupted. Downgrading to http1.1 allowed us to observe the Set-Cookie header - this sometimes contained a fragment of the User-Agent string interspersed within the value. === Examples: 1) Using HTTP/2 and `user-agent: chrome`: ''Response:'' {{{ * Connection state changed (MAX_CONCURRENT_STREAMS updated)! * http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [set-cookie], value: [JSESSION_blk-idp02=8991A33D964779B87765BE4CD56A2FF3; Path=/; SameSite=None] * HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1) * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): } [2 bytes data] curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1) }}} 2) Using HTTP/1.1 and a longer user-agent string incorporating the word `chrome`: ''Tomcat set-cookie:'' `JSESSION_blk-idp02=6CD6436F1944BD877C73AE0EDAF301FB; Path=/userplatform; Secure; HttpOnly` ''Response:'' {{{ < set-cookie: JSESSION_blk-idp02=6CD6436F1944BD877C73AE0EDAF301FB; Path=/ ; SameSite=Noneuserplatform; Secure; HttpOnly }}} We tried a number of different tactics to work-around the problem: * using two maps (to distance the user-agent string from the $samesite_attr value); * Removing the regex on `proxy_cookie_path`, instead hard-coding the cookie paths used by the application; Unfortunately these were unsuccessful. This leaves us concluding that there's an underlying issue with the proxy_cookie_path directive not being thread/memory safe. ",defect,closed,critical,,documentation,1.17.x,duplicate,,,Linux tszcwpp001 2.6.32-754.25.1.el6.x86_64 #1 SMP Wed Nov 20 15:07:26 EST 2019 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.17.6 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) built with LibreSSL 3.0.2 TLS SNI support enabled configure arguments: --prefix=/home/erandall/build/nginx-build/install/nginx-1.17.6 --with-pcre=/home/erandall/build/nginx-build/compile/pcre-8.43 --with-pcre-jit --with-zlib=/home/erandall/build/nginx-build/compile/zlib-1.2.11 --with-openssl=/home/erandall/build/nginx-build/compile/libressl-3.0.2 --with-http_ssl_module --with-http_v2_module --with-http_auth_request_module --with-http_slice_module --without-http_autoindex_module --without-http_browser_module --without-http_empty_gif_module --without-http_fastcgi_module --without-http_geo_module --without-http_grpc_module --without-http_memcached_module --without-http_mirror_module --without-http_scgi_module --without-http_split_clients_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-threads --with-file-aio"