Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#744 closed defect (fixed)

Malformed query with 1st chunk of chunked unbuffered requests (proxy)

Reported by: Régis Leroy Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.7.x
Keywords: proxy chunk unbuffered Cc:
uname -a: Linux aspirator 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.11
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre-jit --add-module=/build/buildd/nginx-1.7.11/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-auth-ldap --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.7.11/debian/modules/ngx-fancyindex --add-module=/build/buildd/nginx-1.7.11/debian/modules/ngx_http_substitutions_filter_module

Description

Testing the new nginx 1.7.11 proxy_request_buffering off option and sending chunked requests I can get a working transfer if I add a small wait (flushing the tcp/ip socket) between the end of headers transmission and the first chunk.
But when I send the first chunk directly with the request headers the transmitted query is broken (chunk size added on top of headers).

With a small wait:

    POST /fic1.html?gc8o3n=4jh7nj HTTP/1.1
    Host: www.dummy-host.example.com
    Content-Type: application/x-www-form-urlencoded
    Transfer-Encoding: chunked
    User-Agent: nope
    
    17
    One small chunk of data
    (... to be continued)

When sending the same headers+first chunk directly in the tcp/ip socket, the query transmitted by nginx to the backend becomes:

    17
    POST /fic1.html?gc8o3n=4jh7nj HTTP/1.1
    Host: www.dummy-host.example.com
    X-Real-IP: 192.168.1.52
    X-Forwarded-For: 192.168.1.52
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded
    User-Agent: nope
    
    One small chunk of data
    (... to be continued)

Which is clearly wrong and rejected as such.

Nginx proxy configuration:

    upstream http_backend {
        server 192.168.1.52:81;
        keepalive 3;
    }
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        location / {
            proxy_redirect          off;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout   90;
            proxy_send_timeout      90;
            proxy_read_timeout      90;
            proxy_buffer_size   16k;
            proxy_buffers       32   16k;
            proxy_busy_buffers_size 64k;
            # Activate http/1.1 and keepalive in proxy
            proxy_http_version 1.1;
            # avoid dechunking
            proxy_request_buffering off;
            add_header X-Cached $upstream_cache_status;
            proxy_set_header Connection "";
            proxy_pass http://http_backend;
        }
       (...)

Tested with a python script using directly sockets, can attach it if you want.

Change History (2)

comment:1 by Sergey Kandaurov, 9 years ago

Resolution: fixed
Status: newclosed

Thanks, this bug was fixed in 1.7.12 (24ccec3c4a87).

comment:2 by Régis Leroy, 9 years ago

ok, sorry, did not found it on my searchs.

Note: See TracTickets for help on using tickets.