Opened 6 weeks ago

Closed 5 weeks ago

#2651 closed defect (duplicate)

Some QUIC connections lost domain header in nginx H3

Reported by: bhzhu203@… Owned by:
Priority: major Milestone:
Component: http/3 Version: 1.25.x
Keywords: Cc:
uname -a: Linux jp-proxy 6.5.0-uksm+ #4 SMP PREEMPT_DYNAMIC Tue Aug 29 17:14:48 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.27.0
built by gcc 10.3.1 20211027 (Alpine 10.3.1_git20211027)
built with LibreSSL 3.9.2
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-debug --with-http_v2_module --with-http_v3_module --with-http_realip_module --add-module=../ngx_http_geoip2_module --add-module=../ngx_brotli --with-http_sub_module --with-file-aio --with-threads --with-cc-opt=-I../libressl-3.9.2/build/include --with-ld-opt=-L../libressl-3.9.2/build/lib --with-openssl=../libressl-3.9.

Description

log_format compression escape=json '{"@timestamp":"$time_iso8601",'

'"ip":"$remote_addr","host":"$http_host",'
'"rq":"$request","rqb":"$request_body",'
'"st":"$status","size":$body_bytes_sent,'
'"ua":"$http_user_agent","ck":"$http_cookie",'
'"cost":"$request_time",'
'"ref":"$http_referer",'
'"xff":"$http_x_forwarded_for",'
'"ust":"$upstream_status",'
'"uip":"$upstream_addr",'
'"utm":"$http_utm",'
'"Client-Info":"$http_Client-Info",'
'"timeZone":"$http_timeZone",'
'"countryCode":"$http_countryCode",'
'"useCurrencyCode":"$http_useCurrencyCode",'
'"userId":"$http_userId",'
'"network":"$http_network",'
'"language":"$http_language",'
'"traceId":"$http_traceId",'
'"host1":"$host",'
'"ut":"$upstream_response_time"}';

tail -f /usr/local/nginx/logs/access.log | jq 'select(.host == "" or .host == null)'
{

"@timestamp": "2024-06-14T09:48:54+08:00",
"ip": "115.205.41.187",
"host": "",
"rq": "GET /_nuxt/ebe4dda.js HTTP/3.0",
"rqb": "",
"st": "301",
"size": 162,
"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
"ck": "",
"cost": "0.182",
"ref": "",
"xff": "",
"ust": "301",
"uip": "127.0.0.1:7377",
"utm": "",
"Client-Info": "-Info",
"timeZone": "",
"countryCode": "",
"useCurrencyCode": "",
"userId": "",
"network": "",
"language": "",
"traceId": "",
"host1": "m.yxxxxxxx.com",
"ut": "0.181"

}
{

"@timestamp": "2024-06-14T09:48:56+08:00",
"ip": "115.205.41.187",
"host": "",
"rq": "GET /_nuxt/ebe4dda.js HTTP/3.0",
"rqb": "",
"st": "301",
"size": 162,
"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
"ck": "",
"cost": "0.181",
"ref": "",
"xff": "",
"ust": "301",
"uip": "127.0.0.1:7377",
"utm": "",
"Client-Info": "-Info",
"timeZone": "",
"countryCode": "",
"useCurrencyCode": "",
"userId": "",
"network": "",
"language": "",
"traceId": "",
"host1": "m.yxxxxxxx.com",
"ut": "0.181"

}
{

"@timestamp": "2024-06-14T09:52:46+08:00",
"ip": "125.121.8.200",
"host": "",
"rq": "GET /favicon.ico HTTP/3.0",
"rqb": "",
"st": "404",
"size": 110,
"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
"ck": "",
"cost": "0.190",
"ref": "https://api.yxxxxxxx.com/",
"xff": "",
"ust": "404",
"uip": "127.0.0.1:7377",
"utm": "",
"Client-Info": "-Info",
"timeZone": "",
"countryCode": "",
"useCurrencyCode": "",
"userId": "",
"network": "",
"language": "",
"traceId": "",
"host1": "api.yxxxxxxx.com",
"ut": "0.190"

}

When the QUIC protocol is uncommented for just one domain (api.yxxxxxxx.com):

### 1. H3 connections may lose the $http_host variable (it becomes null), but the $host variable is still present.

### 2. If H3 is uncommented for api.yxxxxxxx.com (just this one domain), other domains that don't have H3 uncommented will still accept H3 connections. This will mess up incoming connections, especially for domains sharing certificates, causing them to resolve to the wrong domain and result in incorrect 301 redirects.

https://github.com/koverstreet/bcachefs/assets/3523160/998feb4f-314b-4977-a8fe-bc0a1babbccd

### 3. Some connections get stuck in an endless loop of 301 redirects.

Change History (1)

comment:1 by Roman Arutyunyan, 5 weeks ago

Resolution: duplicate
Status: newclosed

Duplicate of #2652.

Note: See TracTickets for help on using tickets.