Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#2525 closed defect (invalid)

Bug when trying to return 496 error

Reported by: theundefined@…
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.25.x
Keywords:
Cc:
uname -a:
nginx -V: nginx version: nginx/1.25.1
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 3.0.9 30 May 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.1/debian/debuild-base/nginx-1.25.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hi.
I think there is a small bug: when I try to return a 496 error, nginx returns a 400 error. Example code to show the bug:
https://github.com/theundefined/nginx-496-bug/tree/master

Change History (3)

comment:1 by Maxim Dounin, 17 months ago

Resolution: invalid
Status: new → closed

496 is a special error code used by nginx internally, see here. It is expected to be returned as 400, though implies a different builtin error page and can be separately handled by the error_page directive.

That is, what you observe by manually using "return 496;" in your configuration matches expected behaviour. If you want to return custom errors for your own needs and want to do this from nginx itself, avoid using codes used by nginx internally, notably 49X codes.

comment:2 by theundefined@…, 17 months ago

Hm. But in "my" case, I would restrict the need for a certificate to a specific page only. The only way I found is to set ssl_verify_client to optional and conditionally return when ssl_client_verify is not SUCCESS (https://github.com/theundefined/nginx-496-bug/blob/master/nginx.conf#L42). So the 496 error is appropriate for that case.
I think that allowing its use would be very useful.

comment:3 by Maxim Dounin, 17 months ago

If the goal is to trigger the same behaviour as on ssl_client_verify failure, returning 496 does exactly this. Note that when nginx generates 496 internally, it is converted to 400 when it is actually sent to the client, much like what you observe in your tests with return 496;.
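The pattern discussed in this ticket, written out as an added example (not the reporter's repository code and not taken from the nginx documentation): a client certificate is requested for the whole server but enforced only for one location, and the internal 496 code is handled with error_page. The host name, file paths, the /secure/ location and the choice of 403 as the outgoing status are assumptions made for illustration.

```nginx
server {
    listen 443 ssl;
    server_name example.test;                       # assumed host name

    ssl_certificate         /etc/nginx/tls/server.crt;      # assumed paths
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;   # CA that issues client certs

    # Ask for a client certificate during the handshake, but do not
    # reject the connection when none is presented.
    ssl_verify_client optional;

    # Handle the internal 496 code with a dedicated page. "=403" sets the
    # status actually sent to the client; without any error_page, the
    # client sees 400, as explained in the comments above.
    error_page 496 =403 /cert_required.html;

    location = /cert_required.html {
        internal;                                   # reachable only via error_page
        root /usr/share/nginx/html;                 # assumed location of the page
    }

    # Public content: no certificate needed.
    location / {
        root /usr/share/nginx/html;
    }

    # Only this location enforces the certificate.
    location /secure/ {
        # $ssl_client_verify is "NONE" when no certificate was sent and
        # "SUCCESS" when a presented certificate verified correctly.
        if ($ssl_client_verify != SUCCESS) {
            return 496;
        }
        root /usr/share/nginx/html;
    }
}
```

Access logs record the status that was sent, so requests denied here appear as 403 (or as 400 when no error_page is configured) rather than 496.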
