#744 closed defect (fixed)
Malformed query with 1st chunk of chunked unbuffered requests (proxy)
Reported by: | Régis Leroy | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.7.x |
Keywords: | proxy chunk unbuffered | Cc: | |
uname -a: | Linux aspirator 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.7.11
TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre-jit --add-module=/build/buildd/nginx-1.7.11/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-auth-ldap --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.7.11/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.7.11/debian/modules/ngx-fancyindex --add-module=/build/buildd/nginx-1.7.11/debian/modules/ngx_http_substitutions_filter_module |
Description
Testing the new nginx 1.7.11 proxy_request_buffering off option and sending chunked requests I can get a working transfer if I add a small wait (flushing the tcp/ip socket) between the end of headers transmission and the first chunk.
But when I send the first chunk directly with the request headers the transmitted query is broken (chunk size added on top of headers).
With a small wait:
POST /fic1.html?gc8o3n=4jh7nj HTTP/1.1 Host: www.dummy-host.example.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked User-Agent: nope 17 One small chunk of data (... to be continued)
When sending the same headers+first chunk directly in the tcp/ip socket, the query transmitted by nginx to the backend becomes:
17 POST /fic1.html?gc8o3n=4jh7nj HTTP/1.1 Host: www.dummy-host.example.com X-Real-IP: 192.168.1.52 X-Forwarded-For: 192.168.1.52 Transfer-Encoding: chunked Content-Type: application/x-www-form-urlencoded User-Agent: nope One small chunk of data (... to be continued)
Which is clearly wrong and rejected as such.
Nginx proxy configuration:
upstream http_backend { server 192.168.1.52:81; keepalive 3; } server { listen 80 default_server; listen [::]:80 default_server; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 16k; proxy_buffers 32 16k; proxy_busy_buffers_size 64k; # Activate http/1.1 and keepalive in proxy proxy_http_version 1.1; # avoid dechunking proxy_request_buffering off; add_header X-Cached $upstream_cache_status; proxy_set_header Connection ""; proxy_pass http://http_backend; } (...)
Tested with a python script using directly sockets, can attach it if you want.
Thanks, this bug was fixed in 1.7.12 (24ccec3c4a87).