Opened 5 years ago
Closed 5 years ago
#1800 closed defect (duplicate)
nginx close http2 connection if request too large
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.17.x |
| Keywords: | | Cc: | |
| uname -a: | Linux infra01.n3o.ru 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

    nginx version: nginx/1.16.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description
nginx closes the HTTP/2 connection if the request is too large.
See the simplest possible nginx config with http2 support:

    server {
        listen 443 ssl http2;
        ssl on;
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/cert.key;
        location / {
            root /usr/share/nginx/html;
        }
    }

Look at HTTP/1.1: a normal response.
curl -s --http1.1 -v "https://infra01.n3o.ru/$(printf 'x%.0s' {1..9171})"
- Trying 95.163.251.222...
- TCP_NODELAY set
- Connected to infra01.n3o.ru (95.163.251.222) port 443 (#0)
- ALPN, offering http/1.1
- Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
- successfully set certificate verify locations:
- CAfile: /etc/ssl/cert.pem CApath: none
- TLSv1.2 (OUT), TLS handshake, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Client hello (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS change cipher, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
- ALPN, server accepted to use http/1.1
- Server certificate:
- subject: CN=infra01.n3o.ru
- start date: May 6 23:45:09 2019 GMT
- expire date: Aug 4 23:45:09 2019 GMT
- subjectAltName: host "infra01.n3o.ru" matched cert's "infra01.n3o.ru"
- issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
- SSL certificate verify ok.
GET /xxxxxxxxx ....
.....
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1
Host: infra01.n3o.ru
User-Agent: curl/7.54.0
Accept: */*
< HTTP/1.1 414 Request-URI Too Large
< Server: nginx/1.16.0
< Date: Thu, 27 Jun 2019 13:22:31 GMT
< Content-Type: text/html
< Content-Length: 177
< Connection: close
<
<html>
<head><title>414 Request-URI Too Large</title></head>
<body>
<center><h1>414 Request-URI Too Large</h1></center>
<hr><center>nginx/1.16.0</center>
</body>
</html>
- Closing connection 0
- TLSv1.2 (OUT), TLS alert, Client hello (1):
We have a normal response: 414 Request-URI Too Large.
But for HTTP/2 nginx closes the connection. Why?
Look at the curl output.
curl -s --http2 -v "https://infra01.n3o.ru/$(printf 'x%.0s' {1..9171})"
- Trying 95.163.251.222...
- TCP_NODELAY set
- Connected to infra01.n3o.ru (95.163.251.222) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
- successfully set certificate verify locations:
- CAfile: /etc/ssl/cert.pem CApath: none
- TLSv1.2 (OUT), TLS handshake, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Client hello (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS change cipher, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
- ALPN, server accepted to use h2
- Server certificate:
- subject: CN=infra01.n3o.ru
- start date: May 6 23:45:09 2019 GMT
- expire date: Aug 4 23:45:09 2019 GMT
- subjectAltName: host "infra01.n3o.ru" matched cert's "infra01.n3o.ru"
- issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
- SSL certificate verify ok.
- Using HTTP2, server supports multi-use
- Connection state changed (HTTP/2 confirmed)
- Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
- Using Stream ID: 1 (easy handle 0x7fbb96803600)
GET /xxxxxxxxxxx ...
....
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/2
Host: infra01.n3o.ru
User-Agent: curl/7.54.0
Accept: */*
- Connection state changed (MAX_CONCURRENT_STREAMS updated)!
- TLSv1.2 (IN), TLS alert, Client hello (1):
- Unexpected EOF
- Closing connection 0
- TLSv1.2 (OUT), TLS alert, Client hello (1):
Something is wrong.
Duplicate of #1520.
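
A regression check built from the two curl commands in the report, as an added example (not part of the original ticket and not nginx tooling): it sends the same 9171-character path over HTTP/1.1 and HTTP/2 and names the difference between the two outcomes. The names `make_path`, `probe`, `classify`, `compare`, `OVERSIZE_PROBE_URL` and `OVERSIZE_PROBE_LEN` are made up here, and it assumes curl writes `000` for `%{http_code}` when the connection ends before any response arrives.

```shell
#!/bin/sh
# Added example: compares how a server answers an oversized request path
# over HTTP/1.1 and HTTP/2. All function and variable names are made up here.

# make_path N: print N 'x' characters (the ticket uses N=9171).
make_path() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) printf "x" }'
}

# probe FLAG URL: print the HTTP status curl saw. Assumption: curl writes
# 000 when the connection ended before any response arrived.
probe() {
    curl -s -o /dev/null -w '%{http_code}' "$1" "$2" || true
}

# classify CODE: map a status code to a coarse outcome.
classify() {
    case "$1" in
        000) echo dropped ;;
        4??) echo rejected ;;
        *)   echo other ;;
    esac
}

# compare H1_CODE H2_CODE: name the difference between the two protocols.
compare() {
    h1=$(classify "$1")
    h2=$(classify "$2")
    if [ "$h1" = "$h2" ]; then
        echo "consistent:$h1"
    elif [ "$h1" = rejected ] && [ "$h2" = dropped ]; then
        echo "h2-drops-connection"
    else
        echo "differs:$h1/$h2"
    fi
}

# Only touches the network when OVERSIZE_PROBE_URL is set to a server you
# operate, e.g. OVERSIZE_PROBE_URL=https://your-own-host
if [ -n "${OVERSIZE_PROBE_URL:-}" ]; then
    url="$OVERSIZE_PROBE_URL/$(make_path "${OVERSIZE_PROBE_LEN:-9171}")"
    compare "$(probe --http1.1 "$url")" "$(probe --http2 "$url")"
fi
```

A result of `h2-drops-connection` matches the behaviour in this ticket; `consistent:rejected` means both protocols answered with a 4xx status.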