id: 2052
summary: Slice module closes connection on upstream error codes 4xx and 5xx other than 416
reporter: halaei@…
owner:
description:

Following instructions in https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/#slice, I enabled slice caching with a config similar to the following:

{{{
location / {
    slice 1m;
    proxy_cache cache;
    proxy_cache_key $uri$is_args$args$slice_range;
    proxy_set_header Range $slice_range;
    proxy_cache_valid 200 206 1h;
    proxy_pass http://localhost:8000;
}
}}}

I set up a mock upstream to send me a response based on the provided headers and query params:

 1. "l" query param: length of the file
 2. "x-err" header: if presented, the server responds with an error code and a JSON body instead of returning a 200/206 status code with a file in the body.

First I send a request to get the first slice of a 2MB file:

`curl -X GET http://mycache.test/file?l=2000000 -H 'Range: bytes=0-1000000'`

This causes nginx to successfully request the first 1MB of the file, cache it and send the response back to the client.

Now if I send a request to get the whole file but set the 'x-err' header to 403, the upstream responds with 403 for the second slice of the file, but nginx can't handle this situation and closes the connection without sending the error back to the client or clearing the cached files.

`curl -X GET http://mycache.test/file?l=2000000 -H 'x-err: 403'`

My expectation would be for the server to either send the available range, or send 403 while clearing the cached slices, depending on the situation (e.g. a partial 206 response if the available slices cover the beginning of the requested range, and 403 otherwise).

Currently, I have no choice but to disable slice in my configuration because this scenario is highly likely to happen for me in production, which is an AWS CloudFront/S3 upstream serving signed URLs to private files.

type: defect
status: closed
priority: major
milestone:
component: nginx-core
version: 1.19.x
resolution: invalid
keywords: slice
cc:
uname: Linux vivo 4.15.0-115-generic #116-Ubuntu SMP Wed Aug 26 14:04:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx_version:

{{{
nginx version: nginx/1.19.2
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with OpenSSL 1.1.1 11 Sep 2018 (running with OpenSSL 1.1.1g 21 Apr 2020)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.2/debian/debuild-base/nginx-1.19.2=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
}}}