HTTP/2 requests to Lua scripts fail when using 'lua_check_client_abort on' #724

Open
igorclark opened this issue Mar 25, 2016 · 6 comments

Comments

@igorclark

This only seems to affect *_by_lua_* scripts that output content directly; rewrite_by_lua_* and access_by_lua_* passages that don't ngx.print() or ngx.say() anything seem to work as normal.

I'm running openresty 1.9.7.4 on debian 7.9 in a Vagrant Virtualbox VM.

Steps to reproduce:

  • Build/make/install openresty 1.9.7.4 from release

  • Generate self-signed SSL cert for relevant IP:

    • openssl genrsa -out /etc/ssl/192.168.56.110.key 2048
    • openssl req -new -x509 -key /etc/ssl/192.168.56.110.key -out /etc/ssl/192.168.56.110.cert -days 3650 -subj /CN=192.168.56.110
  • Add server{} block to /etc/nginx/nginx.conf:

    server {
    
            listen 443 http2 ssl;
            ssl_certificate         /etc/ssl/192.168.56.110.cert;
            ssl_certificate_key     /etc/ssl/192.168.56.110.key;
            ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    
            location /test-lua {
                   lua_check_client_abort on;
    
                    content_by_lua_block {
                            ngx.header['content-type'] = 'text/plain'
                            ngx.say("hi world")
                    }
            }
    }
    
  • Request /test-lua:

    $ /usr/local/bin/curl -k -v --http2 https://192.168.56.110/test-lua
    *   Trying 192.168.56.110...
    * Connected to 192.168.56.110 (192.168.56.110) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/etc/openssl/cert.pem
    CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * NPN, negotiated HTTP2 (h2)
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Unknown (67):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *        subject: CN=192.168.56.110
    *        start date: Mar 25 14:24:23 2016 GMT
    *        expire date: Mar 23 14:24:23 2026 GMT
    *        issuer: CN=192.168.56.110
    *        SSL certificate verify result: self signed certificate (18), continuing anyway.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * TCP_NODELAY set
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7fdcb300c400)
    > GET /test-lua HTTP/1.1
    > Host: 192.168.56.110
    > User-Agent: curl/7.47.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    * HTTP/2 stream 1 was not closed cleanly: error_code = 2
    * Closing connection 0
    * TLSv1.2 (OUT), TLS alert, Client hello (1):
    curl: (16) HTTP/2 stream 1 was not closed cleanly: error_code = 2
    
  • Error appears in error.log:

    2016/03/25 15:14:06 [alert] 11105#0: *1 epoll_ctl(1, 3) failed (17: File exists), client: 192.168.56.1, server: , request: "GET /test-lua HTTP/2.0", host: "192.168.56.110"

  • Switch off lua_check_client_abort in /etc/nginx/nginx.conf, restart nginx:

    lua_check_client_abort off;

  • Retry request to /test-lua:

    $ /usr/local/bin/curl -k -v --http2 https://192.168.56.110/test-lua
    *   Trying 192.168.56.110...
    * Connected to 192.168.56.110 (192.168.56.110) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/etc/openssl/cert.pem
    CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * NPN, negotiated HTTP2 (h2)
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Unknown (67):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *        subject: CN=192.168.56.110
    *        start date: Mar 25 14:24:23 2016 GMT
    *        expire date: Mar 23 14:24:23 2026 GMT
    *        issuer: CN=192.168.56.110
    *        SSL certificate verify result: self signed certificate (18), continuing anyway.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * TCP_NODELAY set
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7f99ec00c400)
    > GET /test-lua HTTP/1.1
    > Host: 192.168.56.110
    > User-Agent: curl/7.47.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2.0 200
    < server:openresty/1.9.7.4
    < date:Fri, 25 Mar 2016 15:09:09 GMT
    < content-type:text/plain
    <
    hi world
    * Connection #0 to host 192.168.56.110 left intact
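
A configuration audit built from this report, as an added example that is not part of the original issue or the project's code: it walks an nginx.conf, resolves `lua_check_client_abort` inheritance, and lists the locations where the directive is effectively `on` behind a `listen ... http2` socket, the combination that fails above on OpenResty 1.9.7.4. `SAMPLE_CONF`, `audit` and `effective` are names constructed for illustration, and the parser assumes no quoted braces or semicolons in the file.

```python
import re

# Constructed sample: the report's server{} block plus locations that inherit or override.
SAMPLE_CONF = """
http {
    lua_check_client_abort on;   # inherited by every location below
    server {
        listen 443 http2 ssl;
        location /test-lua { lua_check_client_abort on; content_by_lua_block { ngx.say("hi world") } }
        location /api      { content_by_lua_block { ngx.say("ok") } }
        location /health   { lua_check_client_abort off; }
    }
    server { listen 80; location /plain { content_by_lua_block { ngx.say("x") } } }
}
"""

TOKEN = re.compile(r"\s*([^{};]*?)\s*([{};])")

def effective(node, key):
    """Nearest value of `key`, walking up from a block through its ancestors."""
    while node is not None and node.get(key) is None:
        node = node["parent"]
    return node[key] if node is not None else None

def audit(conf):
    """Return (listen directive, location) pairs with the check on under HTTP/2."""
    conf = re.sub(r"#[^\n]*", "", conf)            # drop comments
    cur, locations, pos = {"parent": None}, [], 0
    while (m := TOKEN.match(conf, pos)):
        words, sym, pos = m.group(1).split(), m.group(2), m.end()
        if sym == "{" and words and words[0].endswith("_by_lua_block"):
            depth = 1                              # skip the embedded Lua source
            while depth and pos < len(conf):
                depth, pos = depth + {"{": 1, "}": -1}.get(conf[pos], 0), pos + 1
        elif sym == "{":
            cur = {"parent": cur, "head": " ".join(words)}
            if words[:1] == ["location"]:
                locations.append(cur)
        elif sym == "}":
            cur = cur["parent"] or cur             # tolerate a stray closing brace
        elif words[:1] == ["lua_check_client_abort"] and len(words) > 1:
            cur["abort"] = words[1]
        elif words[:1] == ["listen"] and "http2" in words[1:]:
            cur["h2"] = " ".join(words)
    return [(effective(loc, "h2"), loc["head"]) for loc in locations
            if effective(loc, "abort") == "on" and effective(loc, "h2")]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Inheritance is resolved only after the whole file has been read, so a `listen` or `lua_check_client_abort` line that appears after the location blocks is still taken into account.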
    
@agentzh
Member

agentzh commented Mar 25, 2016

@igorclark Thanks for the report! We'll look into this as soon as we can manage :)

@agentzh
Member

agentzh commented Apr 8, 2016

@igorclark HTTP/2 has not yet been officially supported by this module. Needs to do a lot of work on our side.

@igorclark
Author

Hi @agentzh, sorry for the delay in replying, thanks for the update! Understood. What level of priority is HTTP/2 for you and the team?

@agentzh
Member

agentzh commented Apr 20, 2016

@igorclark Not on the top, but still quite high.

@manwe-pl

Hi. Is there any "donation" that might speed up work on this issue?

@agentzh
Member

agentzh commented Apr 26, 2016

@manwe-pl I don't have the time for this right now but other OpenResty developers may be interested in sponsorship. Will you please ask instead on the openresty-en mailing list? Please see https://openresty.org/en/community.html Thank you very much!

@adrhc mentioned this issue Jan 16, 2019