#1252 closed defect (invalid)
Multiplexing different hosts into one HTTP/2 connection leads to 421
Reported by: | Oleg Davydov | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | other | Version: | 1.11.x
Keywords: | | Cc: |
uname -a: | Linux server 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux | |
nginx -V: | | |

    nginx version: nginx/1.11.6
    built by gcc 4.9.2 (Debian 4.9.2-10)
    built with OpenSSL 1.0.2j 26 Sep 2016
    TLS SNI support enabled
    configure arguments: --with-http_ssl_module --user=www-data --group=www-data --with-cc-opt=-O4 --with-http_gzip_static_module --with-http_flv_module --with-http_mp4_module --with-file-aio --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/tmp/nginx.client_body_temp --http-proxy-temp-path=/tmp/nginx.proxy_temp --with-zlib-asm=pentiumpro --http-fastcgi-temp-path=/tmp/nginx.fastcgi_temp --add-module=/root/ngx_http_bytes_filter_module --with-ld-opt=-static --with-cc-opt='-static -static-libgcc' --with-http_secure_link_module --with-http_addition_module --with-http_realip_module --with-threads --with-debug --with-http_sub_module --add-module=../nginx-rtmp-module --with-stream --with-stream --with-http_v2_module --add-module=../ngx_http_enhanced_memcached_module --with-http_slice_module
Description
Quote from https://tools.ietf.org/html/rfc7540:
An origin server might offer a certificate with multiple "subjectAltName" attributes or names with wildcards, one of which is valid for the authority in the URI. For example, a certificate with a "subjectAltName" of "*.example.com" might permit the use of the same connection for requests to URIs starting with "https://a.example.com/" and "https://b.example.com/".
That means that clients (for example, Google Chrome) reuse connections aggressively:
- make a TLS connection to a.example.com
- receive a certificate for *.example.com
- the next query, to b.example.com, is sent over this connection, because a.example.com and b.example.com have the same IP and both are covered by the certificate.
Nginx will reject the second query with 421 Misdirected Request, logging «client attempted to request the server name different from that one was negotiated while reading client request headers», which is misbehavior with respect to RFC 7540 (HTTP/2).
The 421 Misdirected Request status code is a special code introduced by RFC 7540 to indicate that the connection cannot be used for a particular request, see here. It is used by nginx in situations when it cannot serve the request over an existing connection due to different security settings, see #848. Browsers are expected to open a new connection in this case. That is, nginx behaviour here is perfectly correct and matches the HTTP/2 protocol specification aka RFC 7540.

What you are likely seeing here is the Chrome bug with incorrect handling of the 421 Misdirected Request status code. Chrome is known for doing it wrong. It is expected to be already fixed in the Chrome sources though, and a fixed version will likely be available for normal users soon.
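To make the exchange in the report and the reply concrete, here is an added Python model of both sides: the client-side connection-coalescing rule from RFC 7540 section 9.1.1 (same address plus a certificate valid for the new name, with wildcard matching restricted to the left-most label) and a simplified server-side check that answers 421 when the :authority of a request maps to a virtual host whose security settings differ from the one negotiated via SNI. This is illustration code written for this ticket, not nginx or Chrome source; the DNS table, the virtual-host table with its `client_verify` setting, the addresses and the certificate are constructed sample data, and the server check is a simplified stand-in for whatever nginx actually compares.

```python
"""Model of HTTP/2 connection coalescing and the 421 Misdirected Request check.

Illustration only: the DNS table, virtual hosts, addresses and certificate
below are constructed, and server_status() is a simplified stand-in for the
real nginx comparison, not its code.
"""
from dataclasses import dataclass, field


def san_matches(san: str, host: str) -> bool:
    """True if a subjectAltName dNSName (possibly a wildcard) covers host.

    A wildcard is honoured only as the complete left-most label (RFC 6125
    section 6.4.3): "*.example.com" covers "a.example.com" but neither
    "example.com" nor "x.a.example.com".
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]  # the part the wildcard stands for
        return label != "" and "." not in label
    return san == host


@dataclass
class Certificate:
    sans: list  # dNSName entries, constructed

    def covers(self, host: str) -> bool:
        return any(san_matches(s, host) for s in self.sans)


@dataclass
class Http2Connection:
    """A client's view of one open TLS + HTTP/2 connection."""
    sni_host: str  # server_name sent in the TLS ClientHello
    peer_ip: str
    cert: Certificate
    origins: set = field(default_factory=set)  # hosts already sent on it


# Constructed: a and b resolve to the same address, as in the report.
DNS = {
    "a.example.com": "203.0.113.10",
    "b.example.com": "203.0.113.10",
    "c.example.net": "203.0.113.20",
}
SERVER_CERT = Certificate(sans=["*.example.com"])

# Constructed virtual hosts; b requires client certificates, a does not,
# which stands in for "different security settings" in the reply above.
VHOSTS = {
    "a.example.com": {"client_verify": False},
    "b.example.com": {"client_verify": True},
}


def client_may_reuse(conn: Http2Connection, authority: str) -> bool:
    """RFC 7540 section 9.1.1: reuse is allowed when the new name resolves to
    the connection's address and the certificate is valid for that name."""
    return DNS.get(authority) == conn.peer_ip and conn.cert.covers(authority)


def server_status(conn: Http2Connection, authority: str) -> int:
    """Simplified server-side check (assumption, not nginx's exact logic):
    a request for a host other than the SNI name is refused with 421 when
    that host's virtual server has different security settings."""
    negotiated = VHOSTS.get(conn.sni_host)
    requested = VHOSTS.get(authority)
    if requested is None:
        return 404  # constructed behaviour for unknown hosts
    if authority != conn.sni_host and requested != negotiated:
        return 421
    return 200


def simulate(authorities):
    """Replay a sequence of requests the way an aggressive client would.

    Returns (authority, reused_existing_connection, status) per request.
    A conforming client would retry a 421 on a fresh connection for that
    host, which retry_after_421() shows succeeds."""
    conns, out = [], []
    for authority in authorities:
        conn = next((c for c in conns if client_may_reuse(c, authority)), None)
        reused = conn is not None
        if conn is None:
            conn = Http2Connection(authority, DNS[authority], SERVER_CERT)
            conns.append(conn)
        conn.origins.add(authority)
        out.append((authority, reused, server_status(conn, authority)))
    return out


def retry_after_421(authority: str) -> int:
    """Status the same request gets on a new connection negotiated for it."""
    fresh = Http2Connection(authority, DNS[authority], SERVER_CERT)
    return server_status(fresh, authority)


if __name__ == "__main__":
    for step in simulate(["a.example.com", "b.example.com"]):
        print(step)
    print("retry b.example.com on a new connection:", retry_after_421("b.example.com"))
```

Running it reproduces the report: the first request opens a connection to a.example.com and gets 200, the second is coalesced onto that connection because the wildcard certificate and the shared address allow it, and the server answers 421; the same request on a new connection negotiated for b.example.com succeeds, which is the client behaviour the reply describes.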