HTTP/2 requests to Lua scripts fail when using 'lua_check_client_abort on'

[igorclark]

This only seems to affect *_by_lua_* scripts that output content directly; rewrite_by_lua_* and access_by_lua_*passages that don't ngx.print() or ngx.say() anything seem to work as normal.

I'm running openresty 1.9.7.4 on debian 7.9 in a Vagrant Virtualbox VM.

Steps to reproduce:

• Build/make/install openresty 1.9.7.4 from release

• Generate self-signed SSL cert for relevant IP:

  • openssl genrsa -out /etc/ssl/192.168.56.110.key 2048
  • openssl req -new -x509 -key /etc/ssl/192.168.56.110.key -out /etc/ssl/192.168.56.110.cert -days 3650 -subj /CN=192.168.56.110

• Add server{} block to /etc/nginx/nginx.conf:

  server {
  
          listen 443 http2 ssl;
          ssl_certificate         /etc/ssl/192.168.56.110.cert;
          ssl_certificate_key     /etc/ssl/192.168.56.110.key;
          ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
  
          location /test-lua {
                 lua_check_client_abort on;
  
                  content_by_lua_block {
                          ngx.header['content-type'] = 'text/plain'
                          ngx.say("hi world")
                  }
          }
  }
  

• Request /test-lua:

  $ /usr/local/bin/curl -k -v --http2 https://192.168.56.110/test-lua
  *   Trying 192.168.56.110...
  * Connected to 192.168.56.110 (192.168.56.110) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  * successfully set certificate verify locations:
  *   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: none
  * TLSv1.2 (OUT), TLS header, Certificate Status (22):
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Server hello (2):
  * NPN, negotiated HTTP2 (h2)
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  * TLSv1.2 (IN), TLS handshake, Server finished (14):
  * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  * TLSv1.2 (OUT), TLS handshake, Unknown (67):
  * TLSv1.2 (OUT), TLS handshake, Finished (20):
  * TLSv1.2 (IN), TLS change cipher, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Finished (20):
  * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  * ALPN, server did not agree to a protocol
  * Server certificate:
  *        subject: CN=192.168.56.110
  *        start date: Mar 25 14:24:23 2016 GMT
  *        expire date: Mar 23 14:24:23 2026 GMT
  *        issuer: CN=192.168.56.110
  *        SSL certificate verify result: self signed certificate (18), continuing anyway.
  * Using HTTP2, server supports multi-use
  * Connection state changed (HTTP/2 confirmed)
  * TCP_NODELAY set
  * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  * Using Stream ID: 1 (easy handle 0x7fdcb300c400)
  > GET /test-lua HTTP/1.1
  > Host: 192.168.56.110
  > User-Agent: curl/7.47.1
  > Accept: */*
  >
  * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
  * HTTP/2 stream 1 was not closed cleanly: error_code = 2
  * Closing connection 0
  * TLSv1.2 (OUT), TLS alert, Client hello (1):
  curl: (16) HTTP/2 stream 1 was not closed cleanly: error_code = 2
  

• Error appears in error.log:

  2016/03/25 15:14:06 [alert] 11105#0: *1 epoll_ctl(1, 3) failed (17: File exists), client: 192.168.56.1, server: , request: "GET /test-lua HTTP/2.0", host: "192.168.56.110"

• Switch off lua_check_client_abort in /etc/nginx/nginx.conf, restart nginx:

  lua_check_client_abort off;

• Retry request to /test-lua:

  $ /usr/local/bin/curl -k -v --http2 https://192.168.56.110/test-lua
  *   Trying 192.168.56.110...
  * Connected to 192.168.56.110 (192.168.56.110) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  * successfully set certificate verify locations:
  *   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: none
  * TLSv1.2 (OUT), TLS header, Certificate Status (22):
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Server hello (2):
  * NPN, negotiated HTTP2 (h2)
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  * TLSv1.2 (IN), TLS handshake, Server finished (14):
  * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  * TLSv1.2 (OUT), TLS handshake, Unknown (67):
  * TLSv1.2 (OUT), TLS handshake, Finished (20):
  * TLSv1.2 (IN), TLS change cipher, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Finished (20):
  * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  * ALPN, server did not agree to a protocol
  * Server certificate:
  *        subject: CN=192.168.56.110
  *        start date: Mar 25 14:24:23 2016 GMT
  *        expire date: Mar 23 14:24:23 2026 GMT
  *        issuer: CN=192.168.56.110
  *        SSL certificate verify result: self signed certificate (18), continuing anyway.
  * Using HTTP2, server supports multi-use
  * Connection state changed (HTTP/2 confirmed)
  * TCP_NODELAY set
  * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  * Using Stream ID: 1 (easy handle 0x7f99ec00c400)
  > GET /test-lua HTTP/1.1
  > Host: 192.168.56.110
  > User-Agent: curl/7.47.1
  > Accept: */*
  >
  * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
  < HTTP/2.0 200
  < server:openresty/1.9.7.4
  < date:Fri, 25 Mar 2016 15:09:09 GMT
  < content-type:text/plain
  <
  hi world
  * Connection #0 to host 192.168.56.110 left intact
  

[agentzh]

@igorclark Thanks for the report! We'll look into this as soon as we can manage :)

[agentzh]

@igorclark HTTP/2 has not yet been officially supported by this module. Needs to do a lot of work on our side.

[igorclark]

Hi @agentzh, sorry for the delay in replying, thanks for the update! Understood. What level of priority is HTTP/2 for you and the team?

[agentzh]

@igorclark Not on the top, but still quite high.

[manwe-pl]

Hi. Is there any "donation" that might speed up work on this issue?

[agentzh]

@manwe-pl I don't have the time for this right now but other OpenResty developers may be interested in sponsorship. Will you please ask instead on the openresty-en mailing list? Please see https://openresty.org/en/community.html Thank you very much!