Handling duplicated headers

luis.gasca · 2016-06-16T20:59:41+00:00

Here is my server configuration, it is very simple but not working.server { server_name www.abc.com; &#xA...

Handling duplicated headers

luis.gasca

Hi,

I am facing an issue where I am getting http requests with a duplicated HTTP Content-length header. NGINX is returning an error 400 Bad Request and it seems that this is hardcoded in the nginx source code [1]

Is there any way to sanitize these headers in Lua before nginx begin to parse them ? I have done some tests with header_filter_by_lua, but it seems this is executed after NGINX headers parsing.

Thanks,

Luis

[1] https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L109 and https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L1587

rpaprocki

Header filter lua handling is for responses, not requests. If your client is sending a request with duplicate content length headers (something that very much violates spec), Nginx doesn't (and shouldn't) be able to handle this, and it's a bad request. Beyond this, request header processing is done after this, and won't be any help. Better fix your client instead.

On Jun 16, 2016, at 05:59, luis...@interactive3g.com wrote:

Hi,

I am facing an issue where I am getting http requests with a duplicated HTTP Content-length header. NGINX is returning an error 400 Bad Request and it seems that this is hardcoded in the nginx source code [1]

Is there any way to sanitize these headers in Lua before nginx begin to parse them ? I have done some tests with header_filter_by_lua, but it seems this is executed after NGINX headers parsing.

Thanks,
Luis

[1] https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L109 and https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L1587

.

luis.gasca

I have no control over those invalid requests and it seems that Apache handles this with mod_headers (RequestHeader edit directive).
Just hoping that Openresty would have the equivalent to this.

El 16/06/2016 a las 16:02, Robert Paprocki escribió:

Header filter lua handling is for responses, not requests. If your client is sending a request with duplicate content length headers (something that very much violates spec), Nginx doesn't (and shouldn't) be able to handle this, and it's a bad request. Beyond this, request header processing is done after this, and won't be any help. Better fix your client instead.

On Jun 16, 2016, at 05:59, luis...@interactive3g.com wrote:

Hi,

I am facing an issue where I am getting http requests with a duplicated HTTP Content-length header. NGINX is returning an error 400 Bad Request and it seems that this is hardcoded in the nginx source code [1]

Is there any way to sanitize these headers in Lua before nginx begin to parse them ? I have done some tests with header_filter_by_lua, but it seems this is executed after NGINX headers parsing.

Thanks,

Luis

[1] https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L109 and https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L1587
.

rpaprocki

Ngx lua can indeed manipulate request headers, but if Nginx sees the request as bad, you're out of luck.

On Jun 16, 2016, at 07:07, Luis Gasca <luis...@interactive3g.com> wrote:

I have no control over those invalid requests and it seems that Apache handles this with mod_headers (RequestHeader edit directive).
Just hoping that Openresty would have the equivalent to this.

El 16/06/2016 a las 16:02, Robert Paprocki escribió:

Header filter lua handling is for responses, not requests. If your client is sending a request with duplicate content length headers (something that very much violates spec), Nginx doesn't (and shouldn't) be able to handle this, and it's a bad request. Beyond this, request header processing is done after this, and won't be any help. Better fix your client instead.

On Jun 16, 2016, at 05:59, luis...@interactive3g.com wrote:

Hi,

I am facing an issue where I am getting http requests with a duplicated HTTP Content-length header. NGINX is returning an error 400 Bad Request and it seems that this is hardcoded in the nginx source code [1]

Is there any way to sanitize these headers in Lua before nginx begin to parse them ? I have done some tests with header_filter_by_lua, but it seems this is executed after NGINX headers parsing.

Thanks,

Luis

[1] https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L109 and https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L1587
.