#2525 closed defect (invalid)
bug when try to return 496 error
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.25.x |
| Keywords: | | Cc: | |

uname -a:

nginx -V:
nginx version: nginx/1.25.1
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 3.0.9 30 May 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.1/debian/debuild-base/nginx-1.25.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Description
Hi.
I think there is a small bug - when I try to return a 496 error, nginx returns a 400 error. Example code to show the bug:
https://github.com/theundefined/nginx-496-bug/tree/master
Change History (3)
comment:1 by , 17 months ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 17 months ago
Hm. But in "my" case - I would restrict the need for a certificate to a specific page only. The only way which I found is to set ssl_verify_client as optional and conditionally return when ssl_client_verify is not SUCCESS (https://github.com/theundefined/nginx-496-bug/blob/master/nginx.conf#L42). So - the 496 error is appropriate for that case.
I think that allowing its use would be very useful.
comment:3 by , 17 months ago
If the goal is to trigger the same behaviour as on ssl_client_verify failure, returning 496 does exactly this. Note that when nginx generates 496 internally, it is converted to 400 when it is actually sent to the client, much like what you observe in your tests with "return 496;".
496 is a special error code used by nginx internally, see here. It is expected to be returned as 400, though implies a different builtin error page and can be separately handled by the error_page directive.
That is, what you observe by manually using "return 496;" in your configuration matches expected behaviour. If you want to return custom errors for your own needs and want to do this from nginx itself, avoid using codes used by nginx internally, notably 49X codes.
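
The setup discussed in this ticket, as an added configuration example that is not taken from the ticket or from the reporter's repository: a client certificate is required only under one path, the internal 496 code is caught with error_page, and the status sent to the client is set explicitly. The server name, file paths, the /protected/ prefix, the /cert-required.html page and the choice of 403 are assumptions.

```nginx
# Added example: names, paths and the =403 mapping are assumptions.
server {
    listen 443 ssl;
    server_name example.test;                               # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;       # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;    # CA that signs client certs

    # Ask for a client certificate but do not require one for the whole server.
    ssl_verify_client optional;

    # Handle the internal 496 code separately and state the client-facing
    # status explicitly instead of relying on the built-in 496 -> 400 mapping.
    error_page 496 =403 /cert-required.html;

    location = /cert-required.html {
        internal;                          # reachable only through error_page
        root /usr/share/nginx/html;        # placeholder document root
    }

    # Public content: no client certificate needed.
    location / {
        root /usr/share/nginx/html;
    }

    # Only this prefix insists on a verified client certificate.
    location /protected/ {
        # $ssl_client_verify is SUCCESS only for a verified certificate;
        # it is NONE when the client sent no certificate.
        if ($ssl_client_verify != SUCCESS) {
            return 496;
        }
        root /usr/share/nginx/html;
    }
}
```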