Opened 5 months ago

Closed 5 months ago

#2193 closed defect (invalid)

incorrect response code for corrupted proxied request

Reported by: demenev.an@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.18.x
Keywords:
Cc: demenev.an@…
uname -a: Linux prometheus 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-5J5hor/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

Expected result: record in error log, 5xx response
Actual result: in case of proxy cache to disk fail, response 200 with random part of data

Case to reproduce:
1 - install nginx with default config, set up reverse proxy (for grafana in my case)
2 - change user directive (in my case, from nginx to www-data)
3 - some part of /var/lib/nginx/proxy directory has previous user rights (for example - 3 directories of 10)
4 - reverse proxy sends 200 OK response and random part of data, without any errors or warnings

And only with the debug_connection directive could I find that part of the cache directory has wrong file permissions.

Attachments (1)

photo_2021-05-26_00-03-30.jpg (39.6 KB ) - added by demenev.an@… 5 months ago.
example of cache directory permissions


Change History (2)

by demenev.an@…, 5 months ago

example of cache directory permissions

comment:1 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: new → closed

When nginx encounters a fatal error during processing of a request, such as in the scenario you've described when it is not possible to create a temporary file when it's needed, it is not possible to return an HTTP error, since HTTP response headers were already sent. As such, nginx logs the error and closes the connection to signal to the client that the response is terminated abnormally.

A properly written client should be able to tell that there was an error and the response wasn't completely received. If your client can't, consider reporting this to your client developers.

When the error happens, nginx logs an error message at "crit" level. It should look like this:

2021/05/25 23:53:42 [crit] 61676#100121: *4 open() "/path/to/proxy_temp/1/00/0000000001" failed (13: Permission denied) while reading upstream, client: 127.0.0.1, server: , request: "GET /t/1m HTTP/1.1", upstream: "http://127.0.0.1:8081/t/1m", host: "127.0.0.1:8080"

If you don't see such error messages, check your logging configuration, notably error_log directives in your config.
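Added example, not part of the ticket or of the comment above: one way a client can tell that a response whose 200 status line already arrived was cut short by a connection close, by checking the received bytes against the framing the headers announced. The function names and the sample bytes are constructed for illustration, and the check assumes a response that carries a body (not HEAD, 204 or 304).

```python
# Added example: classify an HTTP/1.1 response read until the server closed
# the connection. Assumes a response that carries a body (not HEAD/204/304).

def response_state(raw: bytes) -> str:
    """Return "complete", "truncated" or "unknown" (close-delimited body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "truncated"  # closed before the header block ended
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return "complete" if _chunked_done(body) else "truncated"
    if b"content-length" in headers:
        expected = int(headers[b"content-length"])
        return "complete" if len(body) >= expected else "truncated"
    return "unknown"  # body ends at close; an early close looks the same


def _chunked_done(body: bytes) -> bool:
    """True only if the zero-size last chunk and its final CRLF arrived."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False  # cut off inside a chunk-size line
        try:
            size = int(body[pos:eol].split(b";")[0], 16)  # drop extensions
        except ValueError:
            return False
        if size < 0:
            return False  # malformed size, never treat as complete
        if size == 0:
            rest = body[eol + 2:]  # optional trailers, then an empty line
            return rest.startswith(b"\r\n") or b"\r\n\r\n" in rest
        pos = eol + 2 + size + 2  # chunk data plus its trailing CRLF
        if pos > len(body):
            return False  # cut off inside chunk data


# Constructed sample: headers promise 1 MiB, the connection closed after 4 KiB.
CUT_SHORT = b"HTTP/1.1 200 OK\r\nContent-Length: 1048576\r\n\r\n" + b"x" * 4096

if __name__ == "__main__":
    print(response_state(CUT_SHORT))
```

A close-delimited response (neither Content-Length nor chunked encoding) yields "unknown", because in that framing the close itself is the end-of-body marker.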
