Recently the amount of data in our cookies has grown larger and larger, and all requests going through nginx started being rejected with 431 error responses.
I tried increasing large_client_header_buffers and client_header_buffer_size, to no avail. Here is a sample of the main nginx.conf I am using:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    large_client_header_buffers 4 64k;
    client_header_buffer_size 8k;
    include /etc/nginx/conf.d/*.conf;
}
And for the specific server block:
server {
    listen 443 ssl;
    server_name staging1.acme.services;
    ssl_certificate /certs/acme.services/fullchain.pem;
    ssl_certificate_key /certs/acme.services/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    client_max_body_size 1000M;

    # following two lines needed for DNS propagation to work
    resolver 127.0.0.11 ipv6=off valid=10s;
    set $v5 http://frontend;

    location /v1/ {
        proxy_pass http://gateway:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass $v5;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
What I have tried / looked at:
400 Bad Request Request Header Or Cookie Too Large nginx
"Request Header Or Cookie Too Large" in nginx with proxy_pass
Removing this nginx proxy and hitting the site directly makes these errors go away, so I am fairly sure it is some configuration done by this proxy. Here is the output of tcpdump -n -S -s 0 -A 'tcp dst port 80' | grep -B3 -A10 "GET":
17:41:49.205476 IP 172.23.0.2.46958 > 172.23.0.3.80: Flags [.], ack 1031354459, win 229, options [nop,nop,TS val 3490060934 ecr 2370799301], length 0
E..4M.@.@............n.P.D..=y8[....XZ.....
.....O..
17:41:49.205513 IP 172.23.0.2.46958 > 172.23.0.3.80: Flags [P.], seq 71625227:71629509, ack 1031354459, win 229, options [nop,nop,TS val 3490060934 ecr 2370799301], length 4282: HTTP: GET / HTTP/1.0
E...M.@.@............n.P.D..=y8[....i......
.....O..GET / HTTP/1.0
Host: staging.acme.services
X-Real-IP: 10.11.13.216
X-Forwarded-For: 10.11.13.216
X-Forwarded-Proto: https
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
--
E..4.A@.@.;O.........p.P....$.......XZ.....
.....O.
Answer 0 (score: 0)
You are also adding 3 headers before the request reaches the backend.
That is enough to overflow the backend's buffer, which is already close to its limit. You can try to reproduce the request with curl, passing all the headers.
Just adjust the backend.
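An added example, not code from the question or the answer, that makes the answer's point measurable: it sizes the header block once as the client sent it and once after the proxy_set_header lines from the question's server block have been applied, and compares both with a backend limit. The request, its cookie, the client address and the 4096-byte limit are constructed values, not anything taken from the real backend.

```python
# Added example, not code from the original post. Assumptions: a constructed
# request standing in for the real one, and a backend that rejects a header
# block larger than BACKEND_LIMIT bytes (4096 is a made-up figure).
from typing import Dict, List, Tuple

BACKEND_LIMIT = 4096

# What the server block in the question sets on every proxied request.
PROXY_SET_HEADERS = {
    "Host": "staging.acme.services",    # $host
    "X-Real-IP": "10.11.13.216",        # $remote_addr (constructed address)
    "X-Forwarded-For": "10.11.13.216",  # $proxy_add_x_forwarded_for, no prior XFF
    "X-Forwarded-Proto": "https",       # $scheme
}

def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into its request line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in lines)]
    return request_line, headers

def header_block_size(request_line: str, headers: List[Tuple[str, str]]) -> int:
    """Bytes of the header block on the wire: every line with its CRLF plus the blank line."""
    return len(request_line) + 2 + sum(len(n) + len(v) + 4 for n, v in headers) + 2

def apply_proxy_set_header(headers, overrides: Dict[str, str]):
    """Emulate proxy_set_header: replace a header that exists, append one that does not."""
    lower = {k.lower(): (k, v) for k, v in overrides.items()}
    present = {n.lower() for n, _ in headers}
    out = [lower.get(n.lower(), (n, v)) for n, v in headers]
    return out + [kv for key, kv in lower.items() if key not in present]

def check(raw: bytes, backend_limit: int = BACKEND_LIMIT) -> Dict[str, int]:
    """Header size at the proxy vs. at the backend, and whether the backend limit is exceeded."""
    request_line, headers = parse_request(raw)
    before = header_block_size(request_line, headers)
    after = header_block_size(request_line, apply_proxy_set_header(headers, PROXY_SET_HEADERS))
    return {"at_proxy": before, "at_backend": after, "added": after - before,
            "over_limit": int(after > backend_limit)}

# Constructed request: the cookie is sized so that the proxy itself still accepts it.
SAMPLE_REQUEST = (b"GET / HTTP/1.0\r\nHost: staging.acme.services\r\nConnection: close\r\n"
                  b"Cookie: session=" + b"a" * 4000 + b"\r\n\r\n")

if __name__ == "__main__":
    print(check(SAMPLE_REQUEST))  # {'at_proxy': 4084, 'at_backend': 4166, 'added': 82, 'over_limit': 1}
```

The 82 added bytes are exactly the three new header lines; Host is already present and is only replaced. Feed the function the headers from the tcpdump capture to see the figure for the real request.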