Opened 4 years ago
Closed 4 years ago
#2005 closed defect (duplicate)
nginx closes connection instead of returning proper error code (like 414) when http2 is enabled and too long url is provided
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.18.x |
Keywords: | | Cc: | arekm.maven.pl@… |

uname -a: Linux ixion-pld 5.6.13-1 #1 SMP Fri May 15 11:19:53 CEST 2020 x86_64 Common_KVM_processor PLD Linux

nginx -V:

```
nginx version: nginx/1.19.0
built by gcc 10.1.0 20200507 (release) (PLD-Linux)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr --modules-path=/usr/lib64/nginx/modules --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --http-client-body-temp-path=/var/cache/nginx/client_body_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-http_ssl_module --with-http_v2_module --user=nginx --group=nginx --with-cc=x86_64-pld-linux-gcc --with-cc-opt='-O2 -fwrapv -pipe -Wformat -Werror=format-security -gdwarf-4 -fno-debug-types-section -fvar-tracking-assignments -g2 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong --param=ssp-buffer-size=4 -Werror=trampolines -fPIC -march=x86-64 -gdwarf-4 -fno-debug-types-section -fvar-tracking-assignments -g2' --with-ld-opt='-Wl,--as-needed -Wl,--no-copy-dt-needed-entries -Wl,-z,relro -Wl,-z,combreloc'
```
Description
When http2 is enabled and a too long GET is issued, nginx closes the connection immediately and logs in access.log:

```
193.239.45.161 - - [19/Jun/2020:08:43:41 +0200] "-" 000 0 "-" "-" "-"
```

(nothing in error.log)

414 would be expected (and is returned if http2 gets disabled in config).

Tested with nginx 1.18 and 1.19.

Live server with the issue:

```
$ curl "https://ixion.pld-linux.org/`perl -E 'say "=" x 11656'`"
curl: (52) Empty reply from server
```
```
[root@ixion-pld ~]# nginx -T | sed '/# configuration.*mime\.types:/,/# configuration file/d'
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# Load dynamic modules first
include modules.d/*.conf;
events {
    worker_connections 2048;
    use epoll;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        # https://wiki.mozilla.org/Security/Server_Side_TLS
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        # Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;
        # Session resumption (caching)
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        #ssl_dhparam /etc/nginx/dhparam.pem;
        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        #add_header Strict-Transport-Security max-age=15768000;
        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        #ssl_trusted_certificate /etc/nginx/ca.crt;
        access_log /var/log/nginx/access.log main;
        location / {
            autoindex on;
            root /home/services/nginx/html;
            index index.html index.htm index.php;
        }
        # Load configuration files for the default server block.
        include webapps.d/*.conf;
    }
    include vhosts.d/*.conf;
}
location /.well-known/acme-challenge {
    alias /var/lib/dehydrated/acme-challenge;
}
# configuration file /etc/nginx/webapps.d/php.conf:
location ~ ^/~(?<userdir_user>[\w-]+)(?<userdir_uri>/.*)?$ {
    alias /home/users/$userdir_user/public_html$userdir_uri;
    autoindex on;
    location ~ /~arekm/p/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/webapps.d/users;
        location ~ [^/]\.php(/|$) {
            include webapps.d/php5_common;
        }
    }
    location ~ [^/]\.php(/|$) {
        include webapps.d/php5_common;
    }
}
# php support
location ~ [^/]\.php(/|$) {
    include webapps.d/php5_common;
}
# configuration file /etc/nginx/webapps.d/php5_common:
include fastcgi_params;
fastcgi_index index.php;
# check if requested PHP file really exists
if (!-f $request_filename) {
    return 404;
}
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/php/php74-fpm.sock;
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
```
Change History (3)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
Raising

```
http2_max_field_size 64k;
```

helps.

There is some inconsistency:

```
curl --http1.1 "https://ixion.pld-linux.org/`perl -E 'say "=" x 11656'`"  -> 414
curl --http2   "https://ixion.pld-linux.org/`perl -E 'say "=" x 11656'`"  -> 404
```

(tested with http2_max_field_size raised to 64k)

I would expect the above http2 request to return 414 due to large_client_header_buffers being at its default, but I'm not sure if that makes sense with http2.

At least 400 Bad Request should be returned if http2_max_field_size is lower than the field size in the request (as in the original bug report example).

Setting

```
large_client_header_buffers 8 512k;
```

in the http section doesn't help; the connection gets closed immediately.