Opened 3 years ago

Last modified 3 years ago

#2234 closed defect

NGINX 1.19.2 TCP RST/ACK TLSv1.0 Client Hello of Tor Relay ORPort Self-Test in TCP Stream Mode — at Initial Version

Reported by: garycnew@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: NGINX TCP RST ACK TLSv1.0 Tor Relay ORPort Self-Test Stream Cc:
uname -a: Linux gnutech-wap01 2.6.36.4brcmarm #1 SMP PREEMPT Fri Aug 14 15:20:58 EDT 2020 armv7l ASUSWRT-Merlin
nginx -V: nginx version: nginx/1.19.2 (x86_64-pc-linux-gnu)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/opt --exec-prefix=/opt --bindir=/opt/bin --sbindir=/opt/sbin --libexecdir=/opt/lib --sysconfdir=/opt/etc --datadir=/opt/share --localstatedir=/opt/var --mandir=/opt/man --infodir=/opt/info --disable-nls --crossbuild=Linux::arm --prefix=/opt --conf-path=/opt/etc/nginx/nginx.conf --with-http_ssl_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-naxsi/naxsi_src --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/lua-nginx --with-ipv6 --with-http_stub_status_module --with-http_flv_module --with-http_dav_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-dav-ext-module --with-http_auth_request_module --with-http_v2_module --with-http_realip_module --with-http_secure_link_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-headers-more --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-brotli --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-rtmp --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-ts --error-log-path=/opt/var/log/nginx/error.log --pid-path=/opt/var/run/nginx.pid --lock-path=/opt/var/lock/nginx.lock --http-log-path=/opt/var/log/nginx/access.log --http-client-body-temp-path=/opt/var/lib/nginx/body --http-proxy-temp-path=/opt/var/lib/nginx/proxy --http-fastcgi-temp-path=/opt/var/lib/nginx/fastcgi --with-cc=arm-openwrt-linux-gnueabi-gcc 
--with-cc-opt='-I/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include -I/media/ware4/Entware.2020.09/staging_dir/toolchain-arm_cortex-a9_gcc-8.4.0_glibc-2.23_eabi/include -O2 -pipe -mtune=cortex-a9 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=soft -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK' --with-ld-opt='-L/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib -Wl,-rpath,/opt/lib -Wl,-rpath-link=/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib -Wl,--dynamic-linker=/opt/lib/ld-linux.so.3 -L/media/ware4/Entware.2020.09/staging_dir/toolchain-arm_cortex-a9_gcc-8.4.0_glibc-2.23_eabi/lib -Wl,--gc-sections' --without-http_upstream_zone_module --modules-path=/opt/lib/nginx --http-uwsgi-temp-path=/opt/var/lib/nginx/uwsgi --http-scgi-temp-path=/opt/var/lib/nginx/scgi

Description

There appears to be a bug with NGINX 1.19.2 immediately sending a TCP RST/ACK after receiving a TLSv1.0 Client Hello from a Tor Relay ORPort Self-Test in TCP Stream Mode with a Single TorNode in the NGINX Upstream Hash Configuration, but it works fine with any Tor Relay Requests over TLSv1.2 or TLSv1.3.

# cat nginx.conf
user nobody;
worker_processes auto;
worker_rlimit_nofile 7168;

events {
    worker_connections  3584;
}

stream {

    upstream application {
        hash $remote_addr consistent;
        server 192.168.0.21:9001 weight=4 max_fails=1 fail_timeout=10s;
    }

    server {
        listen                        xxx.xxx.xxx.xxx:443;

        proxy_pass                    application;
    }
}
# cat torrc 
Nickname ASUSMerlinTorFarm
ORPort xxx.xxx.xxx.xxx:443 NoListen
ORPort 192.168.0.21:9001 NoAdvertise
SocksPort 9050
SocksPort 192.168.0.21:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
Log notice syslog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.21:9040
DNSPort 192.168.0.21:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain

Interestingly, an external TLS scan of the NGINX listening port shows that it's capable of TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. However, in the particular scenario previously described, NGINX immediately sends a TCP RST/ACK after receiving a TLSv1.0 Client Hello from a Tor Relay ORPort Self-Test, which has been validated with several packet traces and should be easily reproducible.

I've confirmed that this issue is specific to NGINX by stopping NGINX and configuring a PortForward in its place, which is successful.

This is a blocker for High-Availability Tor Relay Implementation using NGINX.

Respectfully,

Gary

P.S. I've confirmed that this is an issue with HAProxy's TCP Stream implementation, as well, but we'd prefer to use NGINX.
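A small probe that reproduces the check the reporter describes (a bare TLSv1.0 Client Hello sent to the stream listener, then classifying whether the peer answers with a ServerHello, an alert, a clean close, a timeout or a TCP RST). This is an added example, not code from the reporter, Tor or nginx; the listener address, the cipher list and the all-zero random field are constructed assumptions.

```python
import socket
import struct

# Constructed cipher list: a few TLS 1.0-era suites a Tor-style client might offer.
CIPHERS = [0x002F, 0x0035, 0xC013, 0xC014]  # AES128-SHA, AES256-SHA, ECDHE-RSA-AES128/256-SHA

def build_client_hello(version=(3, 1), ciphers=CIPHERS, sni=None):
    """Return one TLS record carrying a ClientHello; (3, 1) is TLSv1.0."""
    major, minor = version
    body = bytes([major, minor])                      # client_version
    body += b"\x00" * 32                              # random: fixed zeros, for determinism
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                               # compression_methods: null only
    if sni:                                           # optional server_name extension (type 0)
        name = sni.encode()
        host = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!H", len(host)) + host
        exts = struct.pack("!HH", 0, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first bytes returned by the peer to a verdict string."""
    if not data:
        return "closed: FIN without data"
    if data[0] == 0x16 and len(data) > 10 and data[5] == 0x02:
        return "ServerHello (server_version 0x%02x%02x)" % (data[9], data[10])
    if data[0] == 0x15:
        return "TLS alert"
    return "unexpected bytes"

def probe(host, port, timeout=5.0):
    """Send the ClientHello and classify the reply; a TCP RST surfaces as a reset error."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(build_client_hello())
            return classify_response(s.recv(16))
        except (ConnectionResetError, BrokenPipeError):
            return "TCP RST"
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    # Assumed listener address; replace with the stream server's listen address.
    print(probe("127.0.0.1", 443))
```

Running it against the proxy and then directly against the ORPort (192.168.0.21:9001 in the ticket's configuration) separates a proxy-side reset from one coming from Tor itself.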
