Configuration: made max_headers_size a valid setting.

ac000 · ac000 · commit 40ef2ce689fe · 2022-11-09T00:44:29.000Z
@JanMikes and @tagur87 on GitHub both reported issues with long URLs that were exceeding the 8192 byte large_header_buffer_size setting, which resulted in a HTTP 431 error (Request Header Fields Too Large). This can be resolved in the code by updating the following line in src/nxt_router.c::nxt_router_conf_create() skcf->large_header_buffer_size = 8192; However, requiring users to modify unit and install custom versions is less than ideal. We could increase the value, but to what? This commit takes the option of allowing the user to set this option in their config. Export large_header_buffer_size to the configuration as 'max_headers_size' which is deemed a more suitable user facing name. large_header_buffer_size is already set by the configuration system in nxt_router.c it just isn't set as a valid config option in nxt_conf_validation.c With this change users can set this option in their config if required by the following "settings": { "http": { "max_headers_size": 16384 } }, It retains its default value of 8192 bytes if this is not set. With this commit, without the above setting or too low a value, with a long URL you get a 431 error. With the above setting set to a large enough value, the request is successful. This also adds a couple of test cases for this new setting. Closes: <#521> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
diff --git a/docs/changes.xml b/docs/changes.xml
@@ -43,6 +43,14 @@ prefer system crypto policy, instead of hardcoding a default.
 </para>
 </change>
 
+<change type="feature">
+<para>
+new configuration option 'max_headers_size' for 'settings.http' to set the
+maximum allowed size of the HTTP headers (including the request line).
+Defaults to 8192 bytes.
+</para>
+</change>
+
 <change type="feature">
 <para>
 compatibility with OpenSSL 3.
diff --git a/src/nxt_conf_validation.c b/src/nxt_conf_validation.c
@@ -306,6 +306,9 @@ static nxt_conf_vldt_object_t  nxt_conf_vldt_http_members[] = {
     }, {
         .name       = nxt_string("idle_timeout"),
         .type       = NXT_CONF_VLDT_INTEGER,
+    }, {
+        .name       = nxt_string("max_headers_size"),
+        .type       = NXT_CONF_VLDT_INTEGER,
     }, {
         .name       = nxt_string("body_buffer_size"),
         .type       = NXT_CONF_VLDT_INTEGER,
diff --git a/src/nxt_router.c b/src/nxt_router.c
@@ -1447,7 +1447,7 @@ static nxt_conf_map_t  nxt_router_http_conf[] = {
     },
 
     {
-        nxt_string("large_header_buffer_size"),
+        nxt_string("max_headers_size"),
         NXT_CONF_MAP_SIZE,
         offsetof(nxt_socket_conf_t, large_header_buffer_size),
     },
diff --git a/test/test_settings.py b/test/test_settings.py
@@ -257,6 +257,19 @@ def req():
         assert 'success' in self.conf({'http': {'idle_timeout': 7}}, 'settings')
         assert req()['status'] == 200, 'status idle timeout 2'
 
+    def test_settings_max_headers_size(self):
+        self.load('empty')
+
+        assert 'success' in self.conf(
+            {'http': {'max_headers_size': 16 * 1024}}, 'settings'
+        )
+
+        url = "/" + "0" * 1024 + "/index.html";
+        assert self.get(url=url)['status'] == 200, 'status size'
+
+        url = "/" + "0" * 16 * 1024 + "/index.html";
+        assert self.get(url=url)['status'] == 431, 'status size max'
+
     def test_settings_max_body_size(self):
         self.load('empty')
 

Original file line number	Diff line number	Diff line change
`@@ -1447,7 +1447,7 @@ static nxt_conf_map_t nxt_router_http_conf[] = {`
`1447`	`1447`	`},`
`1448`	`1448`
`1449`	`1449`	`{`
`1450`		`- nxt_string("large_header_buffer_size"),`
	`1450`	`+ nxt_string("max_headers_size"),`
`1451`	`1451`	`NXT_CONF_MAP_SIZE,`
`1452`	`1452`	`offsetof(nxt_socket_conf_t, large_header_buffer_size),`
`1453`	`1453`	`},`