Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#1946 closed defect (invalid)

Mixed up HTTP responses when two requests with different hosts made in succession

Reported by: christian.christianmoore.me@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.17.x
Keywords: Cc:
uname -a: Linux 472834fffd09 4.14.171-136.231.amzn2.x86_64 #1 SMP Thu Feb 27 20:22:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.9
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre=../pcre-8.43 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl=../openssl-1.1.1f --with-openssl-opt=no-nextprotoneg --with-debug

Description

I am using a single instance of nginx as a reverse proxy for two sites with different hosts and different TLS certificates: https://christianmoore.me and https://ifconfig.lol

Reproduction steps:

  1. Use a browser (I tried both Firefox and Chrome) to make a request for https://christianmoore.me
  2. While the assets are loading, make a request for https://ifconfig.lol
  3. Observe that the page that loads is christianmoore.me while the address bar indicates you are on ifconfig.lol

You have to be quick to cause this to happen. I have bookmarks on my toolbar which make reproducing this very easy. You can also have the second address in your clipboard so you can paste the second address in while the first one is loading.

I've attached a HAR file that shows 4 requests. The first 3 are working as intended, and the 4th shows the mixed up response.

Attachments (4)

mixed_http_responses.har (121.8 KB ) - added by christian.christianmoore.me@… 7 months ago.
HAR file showing 4 requests. The first 3 responses are expected, the 4th is unexpected.
nginx-T.txt (9.1 KB ) - added by christian.christianmoore.me@… 7 months ago.
Results of "nginx -T"
debug.txt (199.1 KB ) - added by christian.christianmoore.me@… 7 months ago.
Debug log when issue reproduced
debug_expected.txt.gz (31.8 KB ) - added by christian.christianmoore.me@… 7 months ago.
debug log w/ expected behavior (working correctly)


Change History (8)

by christian.christianmoore.me@…, 7 months ago

Attachment: mixed_http_responses.har added

HAR file showing 4 requests. The first 3 responses are expected, the 4th is unexpected.

in reply to:  description comment:1 by christian.christianmoore.me@…, 7 months ago

To clarify, when reproducing the issue, the second request should be made in the same browser tab as the first.

comment:2 by Maxim Dounin, 7 months ago

Please provide full configuration as shown by nginx -T and debugging log of expected and incorrectly handled requests.

by christian.christianmoore.me@…, 7 months ago

Attachment: nginx-T.txt added

Results of "nginx -T"

by christian.christianmoore.me@…, 7 months ago

Attachment: debug.txt added

Debug log when issue reproduced

by christian.christianmoore.me@…, 7 months ago

Attachment: debug_expected.txt.gz added

debug log w/ expected behavior (working correctly)

comment:3 by Maxim Dounin, 7 months ago

Resolution: invalid
Status: new → closed

Your configuration uses caching with the default cache key, and both sites proxy requests to the same upstream server https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com. As the default cache key is $scheme$proxy_host$request_uri, and $proxy_host is the same, requests to the same URI on both sites will result in the same cache key. In particular, a request to / might result in an incorrect response as long as the cache item in question contains a response from another domain.

And this is what you observe in your tests. The first request saves a response from the christianmoore.me domain in the 8d10d27c179f3b98df4ec6d40f5e698a cache file (quoting debug.txt):

2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":method: GET"
...
2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":path: /"
...
2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":authority: christianmoore.me"
...
2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com"
2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "/"
...
2020/04/04 20:21:59 [debug] 6#6: *1 http file cache exists: -5 e:0
2020/04/04 20:21:59 [debug] 6#6: *1 cache file: "/var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a"
...
2020/04/04 20:21:59 [debug] 6#6: *1 http file cache update
2020/04/04 20:21:59 [debug] 6#6: *1 http file cache rename: "/var/cache/nginx/tmp/0000000001" to "/var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a"

And then the following request to the ifconfig.lol domain uses this cache item:

2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":method: GET"
...
2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":path: /"
...
2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":authority: ifconfig.lol"
...
2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com"
2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "/"
...
2020/04/04 20:22:00 [debug] 6#6: *7 http file cache send: /var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a

Fixing the configuration to include the site name in the cache key should resolve this.
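
The log reading done in comment:3 can be automated. The following is an added example, not part of the ticket or of nginx: a Python check that walks an nginx debug log and reports every cache file touched by requests for more than one :authority. The sample input is constructed from the debug.txt lines quoted above, and the script assumes the most recent :authority header on a connection belongs to the cache lines that follow it.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the debug.txt lines quoted in comment:3.
SAMPLE_LOG = '''\
2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":authority: christianmoore.me"
2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com"
2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "/"
2020/04/04 20:21:59 [debug] 6#6: *1 cache file: "/var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a"
2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":authority: ifconfig.lol"
2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com"
2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "/"
2020/04/04 20:22:00 [debug] 6#6: *7 http file cache send: /var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a
'''

LINE = re.compile(r'\[debug\] \d+#\d+: \*(\d+) (.*)$')
AUTHORITY = re.compile(r'http2 header: ":authority: ([^"]+)"')
KEY_PART = re.compile(r'http cache key: "(.*)"')
CACHE_FILE = re.compile(r'(?:cache file: "|http file cache send: )([^"\s]+)')

def cross_host_cache_hits(log_text):
    """Return {cache_file: {"hosts": set, "keys": set}} for files shared by >1 host."""
    host = {}                    # connection id -> most recent :authority
    key = defaultdict(str)       # connection id -> cache key being assembled
    seen = defaultdict(lambda: {"hosts": set(), "keys": set()})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        conn, msg = m.groups()
        if (a := AUTHORITY.search(msg)):
            host[conn] = a.group(1)
            key[conn] = ""            # new request: start a fresh key
        elif (k := KEY_PART.search(msg)):
            key[conn] += k.group(1)   # the key is logged one part per line
        elif (f := CACHE_FILE.search(msg)) and conn in host:
            seen[f.group(1)]["hosts"].add(host[conn])
            seen[f.group(1)]["keys"].add(key[conn])
    # Only files that served or stored responses for several hosts are suspect.
    return {p: v for p, v in seen.items() if len(v["hosts"]) > 1}

if __name__ == "__main__":
    for path, info in cross_host_cache_hits(SAMPLE_LOG).items():
        print(path, sorted(info["hosts"]), sorted(info["keys"]))
```

A reported file whose "keys" set holds a single value confirms that the key does not vary by site; adding a host-specific variable such as $host to proxy_cache_key is one way to separate the entries.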

comment:4 by christian.christianmoore.me@…, 7 months ago

Problem solved! Thank you and sorry for the false report.
