Opened 8 years ago
Closed 8 years ago
#1048 closed defect (invalid)
broken header xxxx while reading PROXY protocol
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-core | Version: | 1.9.x |
| Keywords: | | Cc: | |
| uname -a: | Linux bamboo3 4.4.14-24.50.amzn1.x86_64 #1 SMP Fri Jun 24 19:56:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:
nginx version: openresty/1.9.15.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/nginx --with-cc-opt='-O2 -O2 -O2 -g -fexceptions -fstack-protector -m64' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.59 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.30 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.05 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.5 --add-module=../ngx_lua_upstream-0.05 --add-module=../headers-more-nginx-module-0.30 --add-module=../array-var-nginx-module-0.05 --add-module=../redis2-nginx-module-0.13 --add-module=../redis-nginx-module-0.3.7 --with-ld-opt='-Wl,-rpath,/etc/nginx/luajit/lib -Wl,-rpath,/etc/luajit/lib' --with-pcre-jit --with-pcre=/usr/src/pcre-8.38 --with-http_realip_module --with-http_geoip_module --with-http_sub_module --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --user=nginx --add-module=/usr/src/strftime-nginx-module --add-module=/usr/src/ngx_http_lower_upper_case --add-module=/usr/src/nginx-push-stream-module-0.5.1 --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_ssl_module
Description
I have upgraded from NGINX 1.8 to 1.9.x and since then my ELB health check is broken.
I have configured proxy_protocol in the listen directive, and the health check is now getting 503 because of the proxy protocol.
NOTE: It isn't related to the openresty bundle.
How can I use proxy_protocol with the ELB health check, and why can't NGINX ignore these headers if they are not found?
Change History (5)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Here is the full error:
2016/08/11 14:24:42 [error] 26894#0: *138 broken header: "GET /favicon.ico HTTP/1.1
host: manage.aniview.com
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _gat=1; instanceid=577c0bad0757bbe7178b4577; pvptheme=aniview; debugEnabled=; _ga=GA1.2.641309518.1469949931; token=RjqUD7FmUf--atsGHlkkTZ1TqX-CCO28v9hFIscTz4doQSmPrMtK3k10Kc15leXY7cPFeHhQNO2xTlXfz2RvJgyGynbczwnvr7pMTHukXhdKZvx7AXned-ZwWBKe4lMaK6c3TPN8huTlQjSxokemWA%3D%3D; version=av2.1.1_hf1
Referer: http://manage.aniview.com/channels/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
X-Forwarded-For: 31.168.230.226
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Connection: keep-alive
" while reading PROXY protocol, client: 172.31.20.170, server: 0.0.0.0:80
It doesn't matter.
Why does NGINX break the request if proxy_protocol is invalid?
I didn't change anything in the ELB.
It is easy to recreate.
comment:3 by , 8 years ago
It does not break the request. It expects from client exactly what you have configured.
follow-up: 5 comment:4 by , 8 years ago
I want it to resolve the proxy headers when they are sent and if they do not then it shouldn't break the request.
It is breaking; you can check and see.
I can do it over a remote share and show it to you.
comment:5 by , 8 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Replying to Roycohen@…:
I want it to resolve the proxy headers when they are sent and if they do not then it shouldn't break the request.
That is prohibited by the proxy protocol specification for serious security reasons.
A quote from the spec:
The receiver MUST be configured to only receive the protocol described in this
specification and MUST not try to guess whether the protocol header is present
or not. This means that the protocol explicitly prevents port sharing between
public and private access. Otherwise it would open a major security breach by
allowing untrusted parties to spoof their connection addresses. The receiver
SHOULD ensure proper access filtering so that only trusted proxies are allowed
to use this protocol.
Does "xxxx" look like a PROXY protocol header? If you don't know how to check that, please post "xxxx" here at least partially.
Did you change ELB settings after upgrade?
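The spec text quoted in comment:5 is the whole story: a receiver with PROXY protocol enabled must treat the first bytes of every connection as a PROXY header, reject anything else (which is what the "broken header" message in comment:2 reports when a plain `GET /favicon.ico HTTP/1.1` arrives instead), and should only accept the header from trusted proxies at all, since otherwise any direct client could forge its own source address. The following is an added illustration, not nginx code or anything from this ticket: a strict PROXY v1 receiver in Python. The trusted-proxy range `172.31.0.0/16` and the sample header lines are assumptions constructed for the example; the addresses in them are taken from the log in comment:2.

```python
import ipaddress
import re

# Assumed trusted load-balancer subnet (placeholder, not from the ticket):
# the "proper access filtering" the spec asks the receiver to perform.
TRUSTED_PROXIES = (ipaddress.ip_network("172.31.0.0/16"),)

# Longest legal v1 line including CRLF, per the PROXY protocol spec.
MAX_V1_HEADER = 107

_V1_RE = re.compile(
    r"\APROXY (TCP4|TCP6) ([^ \r\n]+) ([^ \r\n]+) (\d{1,5}) (\d{1,5})\r\n\Z"
)
_UNKNOWN_RE = re.compile(r"\APROXY UNKNOWN[^\r\n]*\r\n\Z")


class ProxyProtocolError(ValueError):
    """Raised when the first bytes of a connection are not a valid PROXY v1 header."""


def parse_proxy_v1(header: bytes) -> dict:
    """Strictly parse one PROXY v1 line.

    There is deliberately no fallback: if the line is not a PROXY header
    (for example an HTTP request line), the connection is rejected, which
    is exactly the "broken header ... while reading PROXY protocol" case.
    """
    if len(header) > MAX_V1_HEADER:
        raise ProxyProtocolError("header too long")
    try:
        text = header.decode("ascii")
    except UnicodeDecodeError:
        raise ProxyProtocolError("non-ASCII header") from None
    if _UNKNOWN_RE.match(text):
        # Sender could not determine the original addresses; none may be trusted.
        return {"family": "UNKNOWN"}
    m = _V1_RE.match(text)
    if not m:
        raise ProxyProtocolError("broken header: %r" % header[:40])
    family, src, dst, sport, dport = m.groups()
    # The address family announced on the line must match the addresses given.
    addr_cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    try:
        src_ip, dst_ip = addr_cls(src), addr_cls(dst)
    except ValueError:
        raise ProxyProtocolError("address does not match family") from None
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyProtocolError("port out of range")
    return {
        "family": family,
        "src": str(src_ip),
        "dst": str(dst_ip),
        "src_port": src_port,
        "dst_port": dst_port,
    }


def accept_connection(peer_ip: str, first_line: bytes) -> dict:
    """Model of a listener with proxy_protocol enabled.

    First filter on the TCP peer (only trusted proxies may speak PROXY to us),
    then parse the header strictly. A direct client that is not a trusted
    proxy is refused even if it sends a well-formed header, so it cannot
    spoof its connection address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise ProxyProtocolError("PROXY header from untrusted peer %s" % peer_ip)
    return parse_proxy_v1(first_line)


if __name__ == "__main__":
    # Constructed sample: what the ELB would send with proxy protocol enabled.
    good = b"PROXY TCP4 31.168.230.226 172.31.20.170 54321 80\r\n"
    print(accept_connection("172.31.20.170", good))
    # Constructed sample: a health check sent without the PROXY header.
    bad = b"GET /favicon.ico HTTP/1.1\r\nhost: manage.aniview.com\r\n"
    try:
        accept_connection("172.31.20.170", bad)
    except ProxyProtocolError as exc:
        print("rejected:", exc)
```

The practical consequence for the reporter's setup is visible in `accept_connection`: a listener either expects the header on every connection or on none, so a health check that does not carry it has to hit a different listener (or the load balancer has to send the header for it too). Guessing per connection would reintroduce the spoofing problem the spec warns about.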