Public bug reported:
Environment:
- OS: Ubuntu 24.04 LTS (noble), arm64
- nginx package: nginx 1.24.0-2ubuntu7.10
- nginx flavor: nginx-extras 1.24.0-2ubuntu7.10
- headers-more package: libnginx-mod-http-headers-more-filter 1:0.37-2build1
- Architecture: arm64
- TLS/HTTP: HTTPS with HTTP/2 enabled
Summary:
When the headers-more dynamic module is enabled and `more_set_headers
"Server: TJ Server";` is configured, nginx workers crash repeatedly while
serving HTTP/2 requests.
Clients see intermittent `ERR_CONNECTION_RESET`, `ERR_EMPTY_RESPONSE`,
WebSocket close code `1006`, and curl may report an invalid HTTP/2 header field.
The issue disappears when the headers-more module/directive is
disabled while keeping HTTP/2 enabled. Normal nginx `add_header`
security headers continue to work correctly.
Relevant configuration:
```nginx
include /etc/nginx/modules-enabled/*.conf;
http {
11:27:57 [77/1841]
server_tokens off;
more_set_headers "Server: TJ Server";
server {
server_name mystock.emoco.kr;
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mystock.emoco.kr/fullchain.pem;
ssl_certificate_key
/etc/letsencrypt/live/mystock.emoco.kr/privkey.pem;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(),
geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
}
}
}
Actual behavior:
After enabling more_set_headers "Server: TJ Server"; with HTTP/2, nginx
workers crash repeatedly.
systemd journal examples:
nginx[1697786]: double free or corruption (!prev)
nginx[1697785]: worker process 1697786 exited on signal 6 (core dumped)
nginx[1697785]: worker process 1697788 exited on signal 11 (core dumped)
curl example:
curl: (92) Invalid HTTP header field was received: frame type: 1,
stream: 1, name: [], value: [...]
Browser symptoms:
GET /icon.svg net::ERR_CONNECTION_RESET
GET /api/... net::ERR_EMPTY_RESPONSE
WebSocket closed: 1006
Expected behavior:
nginx should not crash. more_set_headers should either set the Server header
safely for HTTP/2 responses or reject/ignore unsupported header manipulation
without corrupting
HTTP/2 response headers or causing worker process crashes.
Reproduction observations:
- HTTP/2 enabled + headers-more disabled: stable
- HTTP/2 enabled + normal add_header security headers: stable
- HTTP/2 enabled + server_tokens off: stable
- HTTP/2 enabled + more_set_headers "Server: TJ Server";: worker crashes and
invalid HTTP/2 headers
- Disabling only headers-more while keeping HTTP/2 enabled stops the crashes
Package versions:
nginx version: nginx/1.24.0 (Ubuntu)
nginx 1.24.0-2ubuntu7.10
nginx-common 1.24.0-2ubuntu7.10
nginx-extras 1.24.0-2ubuntu7.10
libnginx-mod-http-headers-more-filter 1:0.37-2build1
Workaround:
Disable the headers-more module/directive and keep only:
server_tokens off;
This hides the nginx version but leaves Server: nginx.
** Affects: nginx (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155992
Title:
headers-more dynamic module crash
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/2155992/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
