Opened 11 years ago
Closed 10 years ago
#428 closed defect (fixed)
SPDY and Proxy Cache prematurely closes connections
Reported by: | Phil Sweeney | Owned by: | Valentin V. Bartenev |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | |
Keywords: | spdy proxy cache | Cc: | |
uname -a: | Linux myserver 3.8.0-31-generic #46~precise1-Ubuntu SMP Wed Sep 11 18:21:16 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.5.6
TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --with-ipv6 |
Description
As originally reported via mailing list/forum (a while ago):
http://forum.nginx.org/read.php?2,233497,241193#msg-241193
When SPDY and proxy cache are both being used, nginx will prematurely close the connection to avoid sending the body to the client. However with SPDY, there could be other items still to send, so this causes empty responses. In my case, css/js/images come back empty to the browser occasionally.
Debug logs have been provided to Valentin V. Bartenev, who stated in April:
"Well, from what I've examined from your debug logs, it looks like a known feature of caching mechanism, that closes connection to prevent sending body to a client, while the whole response is receiving from upstream. It's not a big deal in http, but turns into serious issue with spdy."
"The problem appears when the whole page is requested from upstream for caching purposes, but the client should not get its body (i.e. 304 response, or HEAD request)."
Didn't originally file a ticket here because Valentin hoped that rewrites going on at the time for the upstream code might fix this, but looks like it did not.
Change History (11)
comment:1 by , 11 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:2 by , 11 years ago
follow-up: 4 comment:3 by , 11 years ago
Thanks for that. I have tried it against 1.5.10 and it does appear to solve the issue!
Do you expect to apply this to mainline or does it require further work before that?
comment:4 by , 11 years ago
Replying to Phil Sweeney <philcollect@gmail.com>:
Do you expect to apply this to mainline or does it require further work before that?
Yes, it needs more work. But not because it does something wrong, the patch is correct and shouldn't introduce any bugs. Just the way it solves the problem hasn't been liked by colleagues.
comment:5 by , 11 years ago
This bug makes me 3 days to investigate and search for solution to use SPDY with proxy cache.
The issue occurs if use
proxy_cache_bypass $no_cache;
or cached items deleted on server while use F5 in browsers. Only the first request is response (GET 304 status) and error with subsequent requests.
No problem if I remove SPDY.
I tested the patch of Valentin V. Bartenev on 1.5.10 and it work for me.
Thanks.
comment:7 by , 11 years ago
Replying to www.google.com/accounts/o8/id?id=AItOawlDriEnv-y6Xg9DA3Xg0k8r-h-p-wHri4w:
it this problem fixed in 1.5.13?
No. The patch above is still relevant.
follow-up: 9 comment:8 by , 11 years ago
hi,
is the vuln and the patch valid for the stable 1.4.7 too?
brad
comment:10 by , 10 years ago
Patch work also for 1.6.
If it is not yet fixed information should be in documentation or somewhere.
I encountered also second problem with this issue. With limit_conn it looks like connections are not decreased when they are prematurely closed. So you can see in log that connections are limited on spdy but they are not over limit.
This patch should fix the problem:
src/http/ngx_http_upstream.c
output_filter(r, u->out_bufs);Feel free to use it.