#1907 closed defect (duplicate)
Nginx does not handle URL larger than 8K
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.15.x |
Keywords: | Cc: | ||
uname -a: | Linux nginx-ingress-controller-79f78d4457-rr299 4.15.18-12-pve #1 SMP PVE 4.15.18-36 (Fri, 05 Apr 2019 18:47:13 +0200) x86_64 GNU/Linux | ||
nginx -V: |
nginx version: openresty/1.15.8.2
built by gcc 8.3.0 (Debian 8.3.0-6) built with OpenSSL 1.1.1c 28 May 2019 TLS SNI support enabled configure arguments: --prefix=/usr/local/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2 -g -Og -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -Wno-cast-function-type -I/root/.hunter/_Base/2c5c6fc/fdb8df4/92161a9/Install/include -m64 -mtune=native' --add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.7 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/2c5c6fc/fdb8df4/92161a9/Install/lib' --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-md5-asm --with-sha1-asm --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module 
--without-http_uwsgi_module --without-http_scgi_module --user=www-data --group=www-data --add-module=/tmp/build/nginx-http-auth-digest-cd8641886c873cf543255aeda20d23e4cd603d05 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/nginx-influxdb-module-5b09391cb7b9a889687c0aa67964c06a2d933e8b --add-dynamic-module=/tmp/build/nginx-opentracing-0.9.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-d7101e13685efd7e7c9f808871b202656a969f4b --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-3.2 --add-module=/tmp/build/nginx_ajp_module-bf6cd93f2098b59260de8d494f0f4b1f11a84627 --add-module=/tmp/build/ngx_brotli --with-stream --with-stream_ssl_preread_module |
Description
Steps to reproduce:
# curl "https://example.org/$(head -c 9999 /dev/zero |tr '\0' 'a')"
curl: (52) Empty reply from server
Logs are clean, these parameters do not affect the original issue:
large_client_header_buffers 16 64k;
client_body_buffer_size 1M;
client_header_buffer_size 1M;
Change History (4)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
verbose log enabled:
# curl -svv "https://victoriametrics.example.org/$(head -c 9999 /dev/zero |tr '\0' 'a')"
* Trying 10.36.1.99:443...
* TCP_NODELAY set
* Connected to victoriametrics.example.org (10.36.1.99) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4236 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=CZ; CN=*.example.org; emailAddress=domains@example.com
* start date: Feb 27 12:25:50 2017 GMT
* expire date: Feb 27 12:25:50 2020 GMT
* subjectAltName: host "victoriametrics.example.org" matched cert's "*.example.org"
* issuer: C=PL; O=Unizeto Technologies S.A.; OU=Certum Certification Authority; CN=Certum Domain Validation CA SHA2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x557c761d2dd0)
} [5 bytes data]
> GET /aaaaaaa HTTP/2
> Host: victoriametrics.example.org
> user-agent: curl/7.67.0
> accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
* TLSv1.2 (IN), TLS alert, close notify (256):
{ [2 bytes data]
* Empty reply from server
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
comment:3 by , 5 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
You are using HTTP/2, and the request exceeds default http2_max_field_size. There should be something like this in logs at the info level:
2019/12/26 16:39:40 [info] 34596#100149: *2 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 127.0.0.1, server: 0.0.0.0:8443
Consider tuning http2_max_field_size.
Duplicate of #1520.
comment:4 by , 5 years ago
This problem affects only http2 protocol:
http2_max_header_size 1M;
http2_max_field_size 1M;
solves issue
Discussion: https://t.me/nginx_ru/82745 (Russian)
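
An added example, not part of the ticket or of nginx: a Python script that scans error-log lines for the info-level message quoted in comment 3 and counts hits per client and per limit, which helps confirm this cause when the client only sees an empty reply. Only the first sample line comes from the ticket; the other lines, the 192.0.2.x addresses and the function names are constructed, and the `http2_max_header_size` message is assumed to use the same wording as the quoted one.

```python
import re
from collections import Counter

# Pattern built from the log line quoted in comment 3. The header_size variant
# is an assumption modelled on that line; it is not shown in the ticket.
LIMIT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<level>\w+)\] \d+#\d+: \*\d+ "
    r"client exceeded (?P<limit>http2_max_(?:field|header)_size) limit"
    r".*?client: (?P<client>[^,\s]+)"
)

# First line is the one from the ticket; the rest are constructed samples.
SAMPLE_LOG = [
    "2019/12/26 16:39:40 [info] 34596#100149: *2 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 127.0.0.1, server: 0.0.0.0:8443",
    "2019/12/26 16:39:41 [info] 34596#100149: *3 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 192.0.2.10, server: 0.0.0.0:8443",
    "2019/12/26 16:39:42 [info] 34596#100149: *4 client exceeded http2_max_field_size limit while processing HTTP/2 connection, client: 192.0.2.10, server: 0.0.0.0:8443",
    "2019/12/26 16:39:43 [info] 34596#100149: *5 client exceeded http2_max_header_size limit while processing HTTP/2 connection, client: 192.0.2.10, server: 0.0.0.0:8443",
    '2019/12/26 16:39:44 [error] 34596#100149: *6 open() "/var/www/x" failed (2: No such file or directory), client: 192.0.2.11, server: example.org',
]


def limit_hits(lines):
    """Count matching log lines, keyed by (client address, exceeded limit)."""
    hits = Counter()
    for line in lines:
        m = LIMIT_RE.match(line.strip())
        if m:
            hits[(m["client"], m["limit"])] += 1
    return hits


def repeat_clients(hits, threshold=2):
    """Return sorted (client, total) pairs for clients at or above threshold."""
    totals = Counter()
    for (client, _limit), count in hits.items():
        totals[client] += count
    return sorted((c, n) for c, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    hits = limit_hits(SAMPLE_LOG)
    for (client, limit), count in sorted(hits.items()):
        print(f"{client} exceeded {limit} {count} time(s)")
    print("repeat clients:", repeat_clients(hits))
```

The message is logged at the info level, so the scan finds nothing unless `error_log` is set to `info` or a more verbose level.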