Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrating tomcat from jetty to jetty-9.4.29.v2020052 #5067

Closed
maugomez77 opened this issue Jul 21, 2020 · 12 comments
Closed

Migrating tomcat from jetty to jetty-9.4.29.v2020052 #5067

maugomez77 opened this issue Jul 21, 2020 · 12 comments
Labels
Question

Comments

@maugomez77
Copy link

maugomez77 commented Jul 21, 2020
edited
Loading

Jetty version
jetty-9.4.29.v2020052

Java version
openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment AppleJDK-11.0.5.10.1 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM AppleJDK-11.0.5.10.1 (build 11.0.5+10-LTS, mixed mode)

OS type/version
worun@rn-aosd-d00-lapp01:/Local/AS/Sentinel/packages/NemoDataSetsService-21-2-0-20200720-224046-4/lib$ uname -a
Linux rn-aosd-d00-lapp01.rno.apple.com 3.10.0-1127.8.2.el7.x86_64 #1 SMP Wed May 13 17:48:48 PDT 2020 x86_64 x86_64 x86_64 GNU/Linux

Description
After migrating from tomcat to jetty

Locally this endpoint looks to work fine, but with adding some headers from nginx is sending the following errors:

Bad Message 400
reason: Header Folding

Any idea how can one disable this particular issue or how to print which headers values are the one that causing the problem from nginx, is really hard to figure it out since nginx does not show any headers being passed, but locally works just that nginx sending specific headers that causes this issue
@olamy olamy added the Question label Jul 21, 2020
@olamy
Copy link
Member

olamy commented Jul 21, 2020

can you post your ngnix configuration?
The error means there might some tabs in headers, maybe check your ngnix configuration if any tab in the header names?

@maugomez77
Copy link
Author

i already disable all the headers but still unable to figure it out which header is complaning about

@maugomez77
Copy link
Author

maugomez77 commented Jul 21, 2020
edited
Loading

file one nginx:

upstream publishing-versioning-service-tls {
        server rn-aosd-d00-lapp01.rno.apple.com:13515;
	server rn-aosd-d00-lapp02.rno.apple.com:13515;
      }

upstream publishing-validation-service-tls { 
        server rn-aosd-d00-lapp01.rno.apple.com:13241;
        server rn-aosd-d00-lapp02.rno.apple.com:13241; 
}     

upstream NemoDataSetsService-UPSTREAM-tls {
        # this host is having issues connection with cassandra/solr
          server rn-aosd-d00-lapp01.rno.apple.com:13555;
          server rn-aosd-d00-lapp02.rno.apple.com:13555;
}

upstream NemoIntegrationService-UPSTREAM-tls {
	server rn-aosd-d00-lapp01.rno.apple.com:13255;
}

upstream content-authoring-service-tls {
    server rn-aosd-d00-lapp01.rno.apple.com:13506;
    server rn-aosd-d00-lapp02.rno.apple.com:13506;
    keepalive 16;
 }

upstream content-messaging-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13514;
                server rn-aosd-d00-lapp02.rno.apple.com:13514;
        }

 upstream content-meta-data-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13507;
                server rn-aosd-d00-lapp02.rno.apple.com:13507;
    }


upstream content-preview-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13511;
                server rn-aosd-d00-lapp02.rno.apple.com:13511;
    }


upstream identityadminservice-tls { 
	server rn-aosd-d00-lapp01.rno.apple.com:13021;
}

upstream aries-push-service-tls {
    server rn-aosd-d00-lapp01.rno.apple.com:13031;
    server rn-aosd-d00-lapp02.rno.apple.com:13031;
}

server {
        listen                  9999 ssl;
        add_header              'X-Nginx-Routed' $hostname;

        access_log /Local/ThirdParty/nginx/logs/nginx_9999_log;

        ssl_certificate      /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
        ssl_certificate_key  /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
        ssl_password_file   /Local/AS/Secret/nginx-password-file;
        ssl_ciphers          ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:RC4+RSA:!AES256:!CAMELLIA256:+HIGH:+MEDIUM;
        ssl_verify_client           on;
        ssl_verify_depth            2;
        ssl_client_certificate      /Local/AS/Secret/trustedca.pem;
        ###ssl_client_certificate        /Local/AS/Secret/rn-aosd-d00-lapp01.rno.apple.com.chain.pem;
        # ssl_verify_client optional_no_ca;  
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout  1m;

        proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
        proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
        proxy_ssl_password_file     /Local/AS/Secret/nginx-password-file; 
        proxy_ssl_session_reuse     off;
        # Same header that is usually set by Netscaler
        proxy_set_header            X-Client-Cert       $ssl_client_cert;         

    location /8255/ {
                proxy_pass https://NemoIntegrationService-UPSTREAM-tls/;
        }

    location /8515/ {
                proxy_pass https://publishing-versioning-service-tls/;
        }

    location /8241/ {
                proxy_pass https://publishing-validation-service-tls/;
        }

    location /8555/ {
                proxy_pass https://NemoDataSetsService-UPSTREAM-tls/;       
                ##proxy_pass https://nemo$request_uri;
        }

    location /8506/ {
                proxy_pass https://content-authoring-service-tls/;
        }

     location /8514/ {
                proxy_pass https://content-messaging-service-tls/;
        }

     location /8507/ {
                proxy_pass https://content-meta-data-service-tls/;
        }

     location /8511/ {
                proxy_pass https://content-preview-service-tls/;
        }

     location /8021/ { 
               proxy_pass https://identityadminservice-tls/;   
        }

        location /8031/ {
               proxy_pass https://aries-push-service-tls/;
        }
}

file 2 nginx:

upstream nemo {
    # subs_filter "\"" "%22"
    server rn-aosd-d00-lapp01.rno.apple.com:13509;
    server rn-aosd-d00-lapp02.rno.apple.com:13509;
    keepalive 16;
}

upstream sheriff {
    server rn-aosd-d00-lapp01.rno.apple.com:13510;
    server rn-aosd-d00-lapp02.rno.apple.com:13510;
    keepalive 16;
}

server {
  charset utf-8;
  listen 28509;
  add_header 'X-Nginx-Routed' $hostname;
  ssl on;
  ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
  ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
  error_page 502  /502.html;
  
  add_header nginx-upstream $upstream_addr;
  add_header              'Access-Control-Allow-Headers' 'Origin,Authorization,Content-Type,Accept,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-AOS-CSRF,Cookie,Referer';
  add_header              'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
  add_header              'Access-Control-Allow-Credentials' 'true';
  add_header              'Access-Control-Max-Age' '86400';


  location /nemo {
        error_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_error_log debug;
        access_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://nemo/;
    #proxy_pass https://$host$uri;
    #latest good with subfamilies empty
    #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
    proxy_set_header  X-Context-Path /nemo;
    proxy_read_timeout 600s;


#    proxy_set_header    X-Real-IP  $remote_addr;
#    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    #proxy_redirect    false;
  }


  location / {
        error_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_error_log debug;
        access_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_upstream_log;
        port_in_redirect off;
        proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
        proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
        proxy_pass https://nemo/;   
        #proxy_pass https://$host$uri;
        #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
        #  proxy_set_header  X-Context-Path /nemo;
        proxy_read_timeout 600s; 
  }

}

server {
  listen 28510;
  add_header 'X-Nginx-Routed' $hostname;
  ssl on;
  ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
  ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
  error_page 502  /502.html;

  add_header nginx-upstream $upstream_addr;
  add_header              'Access-Control-Allow-Headers' 'Origin,Authorization,Content-Type,Accept,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-AOS-CSRF,Cookie,Referer';
                add_header              'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
                add_header              'Access-Control-Allow-Credentials' 'true';
                add_header              'Access-Control-Max-Age' '86400';

    location / {
        error_log /Local/ThirdParty/nginx/logs/nginx_sheriff_error_log;
        access_log /Local/ThirdParty/nginx/logs/nginx_sheriff_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://sheriff;
#    proxy_set_header  X-Context-Path /sheriff;
    proxy_read_timeout 300s;

   }

    location /sheriff {
        error_log /Local/ThirdParty/nginx/logs/nginx_sheriff_error_log;
        access_log /Local/ThirdParty/nginx/logs/nginx_sheriff_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate	/Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://sheriff/;
    #proxy_pass https://$host$uri;
    #latest good with subfamilies empty
    #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
    proxy_set_header  X-Context-Path /sheriff;
    proxy_read_timeout 600s;


#    proxy_set_header    X-Real-IP  $remote_addr;
#    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    #proxy_redirect    false;
  }
}

@olamy
Copy link
Member

olamy commented Jul 21, 2020

I can see few line starting with proxy_set_header and probably a tab after. Just use only 1 space

@olamy
Copy link
Member

olamy commented Jul 21, 2020

BTW if you really need those tab characters.
Look at https://www.eclipse.org/jetty/documentation/current/configuring-connectors.html
uncomment and change the value of jetty.http.compliance to RFC2616 or RFC2616

@maugomez77
Copy link
Author

but how can i change if i have jetty embedded inside the package:

worun@rn-aosd-d00-lapp01:/Local/AS/Sentinel/packages/NemoDataSetsService-21-2-0-20200720-224046-4/lib$ ls -alt | grep jetty
-rw-r--r--. 1 worun worun    26577 Jul  1 18:38 as-jetty-2021.1-SNAPSHOT.jar
-rw-r--r--. 1 worun worun    86337 Jun 25 21:20 jetty-annotations-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   212106 Jun 25 21:20 jetty-http-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   161528 Jun 25 21:20 jetty-io-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun    46836 Jun 25 21:20 jetty-jndi-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun    65806 Jun 25 21:20 jetty-plus-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   117943 Jun 25 21:20 jetty-security-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   698491 Jun 25 21:20 jetty-server-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   131750 Jun 25 21:20 jetty-servlet-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   552439 Jun 25 21:20 jetty-util-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun   138225 Jun 25 21:20 jetty-webapp-9.4.29.v20200521.jar
-rw-r--r--. 1 worun worun    66721 Jun 25 21:20 jetty-xml-9.4.29.v20200521.jar

i do not see or should i create new xml / modules there ?

@maugomez77
Copy link
Author

BTW if you really need those tab characters.
Look at https://www.eclipse.org/jetty/documentation/current/configuring-connectors.html
uncomment and change the value of jetty.http.compliance to RFC2616 or RFC2616

same RFC2616 twice ?

@maugomez77
Copy link
Author

maugomez77 commented Jul 21, 2020
edited
Loading

Here i paste removing spaces and leave one space:

worun@rn-aosd-d00-lapp01:/Local/ThirdParty/nginx/conf/load-balancer$ cat https.conf 
upstream publishing-versioning-service-tls {
        server rn-aosd-d00-lapp01.rno.apple.com:13515;
	server rn-aosd-d00-lapp02.rno.apple.com:13515;
      }

upstream publishing-validation-service-tls { 
        server rn-aosd-d00-lapp01.rno.apple.com:13241;
        server rn-aosd-d00-lapp02.rno.apple.com:13241; 
}     

upstream NemoDataSetsService-UPSTREAM-tls {
        # this host is having issues connection with cassandra/solr
          server rn-aosd-d00-lapp01.rno.apple.com:13555;
          server rn-aosd-d00-lapp02.rno.apple.com:13555;
}

upstream NemoIntegrationService-UPSTREAM-tls {
	server rn-aosd-d00-lapp01.rno.apple.com:13255;
}

upstream content-authoring-service-tls {
    server rn-aosd-d00-lapp01.rno.apple.com:13506;
    server rn-aosd-d00-lapp02.rno.apple.com:13506;
    keepalive 16;
 }

upstream content-messaging-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13514;
                server rn-aosd-d00-lapp02.rno.apple.com:13514;
        }

 upstream content-meta-data-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13507;
                server rn-aosd-d00-lapp02.rno.apple.com:13507;
    }


upstream content-preview-service-tls {
                server rn-aosd-d00-lapp01.rno.apple.com:13511;
                server rn-aosd-d00-lapp02.rno.apple.com:13511;
    }


upstream identityadminservice-tls { 
	server rn-aosd-d00-lapp01.rno.apple.com:13021;
}

upstream aries-push-service-tls {
    server rn-aosd-d00-lapp01.rno.apple.com:13031;
    server rn-aosd-d00-lapp02.rno.apple.com:13031;
}

server {
        listen                  9999 ssl;
        add_header              'X-Nginx-Routed' $hostname;

        access_log /Local/ThirdParty/nginx/logs/nginx_9999_log;

        ssl_certificate      /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
        ssl_certificate_key  /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
        ssl_password_file   /Local/AS/Secret/nginx-password-file;
        ssl_ciphers          ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:RC4+RSA:!AES256:!CAMELLIA256:+HIGH:+MEDIUM;
        ssl_verify_client           on;
        ssl_verify_depth            2;
        ssl_client_certificate      /Local/AS/Secret/trustedca.pem;
        ###ssl_client_certificate        /Local/AS/Secret/rn-aosd-d00-lapp01.rno.apple.com.chain.pem;
        # ssl_verify_client optional_no_ca;  
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout  1m;

        proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
        proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
        proxy_ssl_password_file     /Local/AS/Secret/nginx-password-file; 
        proxy_ssl_session_reuse     off;
        # Same header that is usually set by Netscaler
        proxy_set_header X-Client-Cert $ssl_client_cert;

    location /8255/ {
                proxy_pass https://NemoIntegrationService-UPSTREAM-tls/;
        }

    location /8515/ {
                proxy_pass https://publishing-versioning-service-tls/;
        }

    location /8241/ {
                proxy_pass https://publishing-validation-service-tls/;
        }

    location /8555/ {
                proxy_pass https://NemoDataSetsService-UPSTREAM-tls/;       
                ##proxy_pass https://nemo$request_uri;
        }

    location /8506/ {
                proxy_pass https://content-authoring-service-tls/;
        }

     location /8514/ {
                proxy_pass https://content-messaging-service-tls/;
        }

     location /8507/ {
                proxy_pass https://content-meta-data-service-tls/;
        }

     location /8511/ {
                proxy_pass https://content-preview-service-tls/;
        }

     location /8021/ { 
               proxy_pass https://identityadminservice-tls/;   
        }

        location /8031/ {
               proxy_pass https://aries-push-service-tls/;
        }
}

And the other file:

upstream nemo {
    # subs_filter "\"" "%22"
    server rn-aosd-d00-lapp01.rno.apple.com:13509;
    server rn-aosd-d00-lapp02.rno.apple.com:13509;
    keepalive 16;
}

upstream sheriff {
    server rn-aosd-d00-lapp01.rno.apple.com:13510;
    server rn-aosd-d00-lapp02.rno.apple.com:13510;
    keepalive 16;
}

server {
  charset utf-8;
  listen 28509;
  add_header 'X-Nginx-Routed' $hostname;
  ssl on;
  ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
  ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
  error_page 502  /502.html;
  
  add_header nginx-upstream $upstream_addr;
  add_header 'Access-Control-Allow-Headers' 'Origin,Authorization,Content-Type,Accept,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-AOS-CSRF,Cookie,Referer';
  add_header 'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
  add_header 'Access-Control-Allow-Credentials' 'true';
  add_header 'Access-Control-Max-Age' '86400';


  location /nemo {
        error_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_error_log debug;
        access_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://nemo/;
    #proxy_pass https://$host$uri;
    #latest good with subfamilies empty
    #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
    proxy_set_header X-Context-Path /nemo;
    proxy_read_timeout 600s;


#    proxy_set_header    X-Real-IP  $remote_addr;
#    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    #proxy_redirect    false;
  }


  location / {
        error_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_error_log debug;
        access_log /Local/ThirdParty/nginx/logs/nginx_root_nemo_upstream_log;
        port_in_redirect off;
        proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
        proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
        proxy_pass https://nemo/;   
        #proxy_pass https://$host$uri;
        #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
        #  proxy_set_header  X-Context-Path /nemo;
        proxy_read_timeout 600s; 
  }

}

server {
  listen 28510;
  add_header 'X-Nginx-Routed' $hostname;
  ssl on;
  ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.chain.pem;
  ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.key.nopass.pem;
  error_page 502  /502.html;

  add_header nginx-upstream $upstream_addr;
  add_header 'Access-Control-Allow-Headers' 'Origin,Authorization,Content-Type,Accept,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-AOS-CSRF,Cookie,Referer';
  add_header 'Access-Control-Allow-Methods' 'POST, GET, OPTIONS';
  add_header 'Access-Control-Allow-Credentials' 'true';
  add_header 'Access-Control-Max-Age' '86400';

    location / {
        error_log /Local/ThirdParty/nginx/logs/nginx_sheriff_error_log;
        access_log /Local/ThirdParty/nginx/logs/nginx_sheriff_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate       /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://sheriff;
#    proxy_set_header  X-Context-Path /sheriff;
    proxy_read_timeout 300s;

   }

    location /sheriff {
        error_log /Local/ThirdParty/nginx/logs/nginx_sheriff_error_log;
        access_log /Local/ThirdParty/nginx/logs/nginx_sheriff_upstream_log;
    port_in_redirect off;
    proxy_ssl_certificate	/Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.chain.pem;
    proxy_ssl_certificate_key   /Local/AS/Secret/rn-aost-t00-lapp03.rno.apple.com.client.key.nopass.pem;
    proxy_pass https://sheriff/;
    #proxy_pass https://$host$uri;
    #latest good with subfamilies empty
    #proxy_pass  https://rn-aosd-d00-lapp01.rno.apple.com:13509;
    proxy_set_header X-Context-Path /sheriff;
    proxy_read_timeout 600s;


#    proxy_set_header    X-Real-IP  $remote_addr;
#    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    #proxy_redirect    false;
  }
}

and some other file in case:

worun@rn-aosd-d00-lapp01:/Local/ThirdParty/nginx/conf$ cat AOS-nginx.conf 
worker_processes  4;

events {
  worker_connections  2048;
}


http {
  include       mime.types;
  default_type  application/octet-stream;
  proxy_connect_timeout       300;
  proxy_send_timeout          300;
  proxy_read_timeout          300;
  send_timeout                300;
  proxy_http_version 1.1;
  proxy_set_header Connection "";
  proxy_set_header Host $host;
  proxy_set_header x-forwarded-scheme-nginx $scheme;

  sendfile        on;
  keepalive_timeout  250;
  proxy_pass_header 'Server';

  proxy_buffer_size   128k;
  proxy_buffers   4 256k;
  proxy_busy_buffers_size   256k;

  client_max_body_size 20M;

  access_log  off;
  # error_log logs/AOS-error.log info;
  include "/Local/ThirdParty/nginx/conf/load-balancer/*.conf";
}

And some other one file:

load_module modules/ngx_http_subs_filter_module.so;

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

@olamy
Copy link
Member

olamy commented Jul 21, 2020

BTW if you really need those tab characters.
Look at https://www.eclipse.org/jetty/documentation/current/configuring-connectors.html
uncomment and change the value of jetty.http.compliance to RFC2616 or RFC2616

same RFC2616 twice ?

typo to RFC2616 or LEGACY

@olamy
Copy link
Member

olamy commented Jul 21, 2020

but read documentation as well

@olamy
Copy link
Member

olamy commented Jul 21, 2020
edited
Loading

not sure how you create your server but you can configure HttpCompliance when you create your HttpConnectionFactory
such https://github.com/eclipse/jetty.project/blob/65de149f84b68e23fb2a2a849e80b06850c8cd29/jetty-servlet/src/test/java/org/eclipse/jetty/servlet/ComplianceViolations2616Test.java#L112

@maugomez77
Copy link
Author

the issue was on this header:
proxy_set_header X-Client-Cert $ssl_client_cert;

if i turn it off, then issue is gone. most likely that value is having some of those 3 characters

            switch (_fieldState)
            {
                case FIELD:
                    switch (t.getType())
                    {
                        case COLON:
                        case SPACE:
                        case HTAB:
                        {
                            if (complianceViolation(HttpComplianceSection.NO_FIELD_FOLDING, _headerString))
                                throw new BadMessageException(HttpStatus.BAD_REQUEST_400, "Header Folding");

                            // header value without name - continuation?

@maugomez77 maugomez77 mentioned this issue Jul 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@olamy @maugomez77