Opened 3 weeks ago

Last modified 3 weeks ago

#2053 new defect

ignore_invalid_headers required, but only for websockets

Reported by: feld@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.18.x
Keywords: Cc:
uname -a: FreeBSD nginx 12.1-RELEASE-p7 FreeBSD 12.1-RELEASE-p7 GENERIC amd64
nginx -V: nginx version: nginx/1.18.0
built with OpenSSL 1.1.1d-freebsd 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic

Description

Hello,

The Fediverse (Mastodon, Pleroma, etc) has been using ActivityPub and the HTTP Signatures draft[1] in the wild for some time now.

We've been building out an optimized federation strategy over Websockets so we can sign the session and continue sending data, limiting the overhead. It seems that we require ignore_invalid_headers on; when this data is passed over a WebSocket due to the header (request-target), as defined in the draft.

This header exists for normal HTTP/1.1 and HTTP/2.0 federation and does not cause any problems. It only causes issues for the Websocket sessions.

The only other HTTP server/proxy I've tested with is Varnish which has not exhibited any problems with this header over Websockets.

[1] https://tools.ietf.org/html/draft-cavage-http-signatures-10

Change History (1)

comment:1 by Maxim Dounin, 3 weeks ago

As per the draft linked, the (request-target) is not an HTTP header, but rather a special name to be used in the headers signature parameter (2.3. Signature String Construction). It should never appear as a real HTTP header. It should only appear in the headers parameter or in signature strings.

Note well that ignore_invalid_headers on; is the default. You probably mean to write ignore_invalid_headers off; instead, which will instruct nginx to process invalid headers rather than ignoring them (so, for example, they will be passed to upstream servers). Note though that using ignore_invalid_headers off; might not be a good idea for security reasons. Unless the HTTP Signatures draft is implemented incorrectly, ignore_invalid_headers off; shouldn't be needed.

To find out why ignore_invalid_headers off; is needed in your case, consider looking into the nginx error log. It should contain information about ignored headers at the info level (see the error_log directive description for details). If the culprit is indeed the (request-target) header actually present in requests as an HTTP header, you may want to fix the client; it does something wrong.
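The distinction drawn in comment:1, as an added example that is not part of the ticket or of any project's code: (request-target) is derived from the request line and appears only in the signature string and in the headers parameter, never as a header line. The key id, secret, sample request and the choice of hmac-sha256 are assumptions; the name check follows the nginx documentation for ignore_invalid_headers (letters, digits, hyphens).

```python
import base64
import hashlib
import hmac
import re

# Header names nginx accepts as valid: letters, digits and hyphens
# (underscores are governed separately by underscores_in_headers).
VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def signing_string(method, path, headers, signed):
    """Build the signature string (draft section 2.3)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            # Computed from the request line, never read from a header.
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lowered[name]}")
    return "\n".join(lines)

def sign_request(method, path, headers, signed, key_id, secret):
    """Return the headers that go on the wire, with Signature added."""
    text = signing_string(method, path, headers, signed)
    mac = hmac.new(secret, text.encode(), hashlib.sha256).digest()
    wire = dict(headers)
    wire["Signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(signed)}",'
        f'signature="{base64.b64encode(mac).decode()}"'
    )
    return wire

def invalid_header_names(headers):
    """Names that nginx would report as invalid header lines."""
    return [name for name in headers if not VALID_NAME.match(name)]

# Constructed sample request (hypothetical host, key id and secret).
HEADERS = {"Host": "example.org", "Date": "Mon, 01 Jun 2020 12:00:00 GMT"}
SIGNED = ["(request-target)", "host", "date"]
WIRE = sign_request("POST", "/inbox", HEADERS, SIGNED,
                    "test-key", b"constructed-secret")
# What a faulty client sends: the pseudo-header as a real header line.
BROKEN = {**WIRE, "(request-target)": "post /inbox"}

if __name__ == "__main__":
    print(signing_string("POST", "/inbox", HEADERS, SIGNED))
    print("correct client:", invalid_header_names(WIRE))
    print("faulty client: ", invalid_header_names(BROKEN))
```

A correctly signed request carries only Host, Date and Signature, so nothing is dropped under the default ignore_invalid_headers on; and the upstream can still rebuild the same signature string from the request line.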
