-
Notifications
You must be signed in to change notification settings - Fork 16.8k
[stable/nginx-ingress] http2 + large cookies #20901
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
still valid
…On Sat, 21 Mar 2020 at 10:20, stale[bot] ***@***.***> wrote:
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Any
further update will cause the issue/pull request to no longer be considered
stale. Thank you for your contributions.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#20901 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVA5O6EIUW622X7WJ6Q4GLRISIGZANCNFSM4KYLPWEQ>
.
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
still valid
…On Thu, 23 Apr 2020 at 05:05, stale[bot] ***@***.***> wrote:
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Any
further update will cause the issue/pull request to no longer be considered
stale. Thank you for your contributions.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#20901 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVA5O5BMCZA37YR4SIS4MTRN65APANCNFSM4KYLPWEQ>
.
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
Still valid |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
This issue is being automatically closed due to inactivity. |
Did you manage to find a solution i'm having the same issue. |
No, we ended up having to try to find a way to reduce the cookie size. We still occasionally get 400s which isn't a good user experience. |
still valid |
@huang-jy, i think i managed to get it to work.
Ran and then tried
Before: |
You're patching the config post-deployment. You can add custom config directives by overriding the Also which version ingress controller are you using? It's been over a year this I raised this, so maybe they've fixed it since |
Ah yes, the deployment is different, i'm using the deployment "guide" here: https://kubernetes.github.io/ingress-nginx/deploy/#azure |
Ah, that now makes sense as to why you're patching your configmap. |
Yeah sorry, i was more concentrating on getting it to work and not really noticing your deployment method. |
It's fine :) |
Describe the bug
When using large cookies and having http2 enabled, nginx-ingress returns an empty reply, or a
400 Bad Request
if http2 is not enabled.Version of Helm and Kubernetes:
Helm:
Kubernetes:
Which chart:
nginx-ingress version 1.6.17
What happened:
When using large cookies with http2 enabled, connection is dropped, regardless of whether or not http2 directives are being included.
What you expected to happen:
http2 directives to be followed, or clarified
How to reproduce it (as minimally and precisely as possible):
Generate cookies of various sizes and curl the dns endpoint for your ingress.
curl -I --fail -H "Cookie: test_size=\"$(openssl rand -hex 1100)\"" https://{dns-name-for-your-ingress} 2>&1
curl -I --fail -H "Cookie: test_size=\"$(openssl rand -hex 4100)\"" https://{dns-name-for-your-ingress} 2>&1
curl -I --fail -H "Cookie: test_size=\"$(openssl rand -hex 8100)\"" https://{dns-name-for-your-ingress} 2>&1
With the OOTB config, cookie size 1100 (generates 2200 byte cookie) works, but 4100 (8200 bytes) and 8100 (16200 bytes) will fail, with the response
curl: (52) Empty reply from server
If you add the
use-http2: "false"
directive to the configmap, then instead of "Empty reply from server", you will getcurl: (22) The requested URL returned error: 400 Bad Request
If we use the solution mentioned in kubernetes/ingress-nginx#319, and add
large-client-header-buffers: "4 4k"
Then all three cookie sizes will work.
However, if we switch http2 back on:
use-http2: "true"
We still get
curl: (52) Empty reply from server
Even adding:
http2_max_field_size: "16k"
http2_max_header_size: "24k"
Does not appear to help fix the problem
Anything else we need to know:
The text was updated successfully, but these errors were encountered: