#1946 closed defect (invalid)
Mixed up HTTP responses when two requests with different hosts made in succession
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.17.x |
| Keywords: | Cc: | ||
| uname -a: | Linux 472834fffd09 4.14.171-136.231.amzn2.x86_64 #1 SMP Thu Feb 27 20:22:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
ginx version: nginx/1.17.9
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) built with OpenSSL 1.1.1f 31 Mar 2020 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-perl_modules_path=/usr/share/perl/5.26.1 --with-perl=/usr/bin/perl --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre=../pcre-8.43 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl=../openssl-1.1.1f --with-openssl-opt=no-nextprotoneg --with-debug |
||
Description
I am using a single instance of nginx as a reverse proxy for two sites with different hosts and different TLS certificates: https://christianmoore.me and https://ifconfig.lol
Reproduction steps:
- Use a browser (I tried both Firefox and Chrome) to make a request for https://christianmoore.me
- While the assets are loading, make a request for https://ifconfig.lol
- Observe that the page that loads is christianmoore.me while the address bar indicates you are on ifconfig.lol
You have to be quick to cause this to happen. I have bookmarks on my toolbar which make reproducing this very easy. You can also have the second address in your clipboard so you can paste the second address in while the first one is loading.
I've attached a HAR file that shows 4 requests. The first 3 are working as intended, and the 4th shows the mixed up response.
Attachments (4)
Change History (8)
by , 5 years ago
| Attachment: | mixed_http_responses.har added |
|---|
comment:1 by , 5 years ago
To clarify, when reproducing the issue, the second request should be made in the same browser tab as the first.
comment:2 by , 5 years ago
Please provide full configuration as shown by nginx -T and debugging log of expected and incorrectly handled requests.
by , 5 years ago
| Attachment: | debug_expected.txt.gz added |
|---|
debug log w/ etxpected behavior (working correctly)
comment:3 by , 5 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Your configuration uses caching with the default cache key, and both sites proxy requests to the same upstream server https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com. As default cache key is $scheme$proxy_host$request_uri, and $proxy_host is the same, requests to the same URI on both sites will result in the same cache key. In particular, a request to / might result in incorrect response as long as the cache item in question contains a response from another domain.
And this is what you observe in your tests. First requests saves a response from the christianmoore.me domain in the 8d10d27c179f3b98df4ec6d40f5e698a cache file (quoting debug.txt):
2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":method: GET" ... 2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":path: /" ... 2020/04/04 20:21:59 [debug] 6#6: *1 http2 header: ":authority: christianmoore.me" ... 2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com" 2020/04/04 20:21:59 [debug] 6#6: *1 http cache key: "/" ... 2020/04/04 20:21:59 [debug] 6#6: *1 http file cache exists: -5 e:0 2020/04/04 20:21:59 [debug] 6#6: *1 cache file: "/var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a" ... 2020/04/04 20:21:59 [debug] 6#6: *1 http file cache update 2020/04/04 20:21:59 [debug] 6#6: *1 http file cache rename: "/var/cache/nginx/tmp/0000000001" to "/var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a"
And then the following request to the ifconfig.lol domain uses this cache item:
2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":method: GET" ... 2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":path: /" ... 2020/04/04 20:22:00 [debug] 6#6: *7 http2 header: ":authority: ifconfig.lol" ... 2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "https://PrimaryALB-1057757296.us-east-1.elb.amazonaws.com" 2020/04/04 20:22:00 [debug] 6#6: *7 http cache key: "/" ... 2020/04/04 20:22:00 [debug] 6#6: *7 http file cache send: /var/cache/nginx/a/98/8d10d27c179f3b98df4ec6d40f5e698a
Fixing the configuration to include site name into the cache key should resolve this.
HAR file showing 4 requests. The first 3 responses are expected, the 4th is unexpected.