** Description changed:
Environment:
- - OS: Ubuntu 24.04 LTS (noble), arm64
- - nginx package: nginx 1.24.0-2ubuntu7.10
- - nginx flavor: nginx-extras 1.24.0-2ubuntu7.10
- - headers-more package: libnginx-mod-http-headers-more-filter 1:0.37-2build1
- - Architecture: arm64
- - TLS/HTTP: HTTPS with HTTP/2 enabled
+ - OS: Ubuntu 24.04 LTS (noble), arm64
+ - nginx package: nginx 1.24.0-2ubuntu7.10
+ - nginx flavor: nginx-extras 1.24.0-2ubuntu7.10
+ - headers-more package: libnginx-mod-http-headers-more-filter 1:0.37-2build1
+ - Architecture: arm64
+ - TLS/HTTP: HTTPS with HTTP/2 enabled
- Summary:
- When the headers-more dynamic module is enabled and `more_set_headers
"Server: TJ Server";` is configured, nginx workers crash repeatedly while
serving HTTP/2 requests.
- Clients see intermittent `ERR_CONNECTION_RESET`, `ERR_EMPTY_RESPONSE`,
WebSocket close code `1006`, and curl may report an invalid HTTP/2 header field.
+ Summary:
+ When the headers-more dynamic module is enabled and `more_set_headers
"Server: TJ Server";` is configured, nginx workers crash repeatedly while
serving HTTP/2 requests.
+ Clients see intermittent `ERR_CONNECTION_RESET`, `ERR_EMPTY_RESPONSE`,
WebSocket close code `1006`, and curl may report an invalid HTTP/2 header field.
- The issue disappears when the headers-more module/directive is
+ The issue disappears when the headers-more module/directive is
disabled while keeping HTTP/2 enabled. Normal nginx `add_header`
security headers continue to work correctly.
- Relevant configuration:
- ```nginx
- include /etc/nginx/modules-enabled/*.conf;
+ Relevant configuration:
+ ```nginx
+ include /etc/nginx/modules-enabled/*.conf;
http {
11:27:57 [77/1841]
- server_tokens off;
- more_set_headers "Server: TJ Server";
+ server_tokens off;
+ more_set_headers "Server: TJ Server";
- server {
- server_name mystock.emoco.kr;
+ server {
+ server_name .....;
- listen 443 ssl http2;
- ssl_certificate
/etc/letsencrypt/live/mystock.emoco.kr/fullchain.pem;
- ssl_certificate_key
/etc/letsencrypt/live/mystock.emoco.kr/privkey.pem;
+ listen 443 ssl http2;
+ ......
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Permissions-Policy "camera=(), microphone=(),
geolocation=()" always;
- add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "camera=(), microphone=(),
geolocation=()" always;
+ add_header Strict-Transport-Security "max-age=31536000" always;
- location / {
- proxy_pass http://localhost:3000;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
- location /api {
- proxy_pass http://localhost:8000;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- proxy_read_timeout 86400s;
- proxy_send_timeout 86400s;
- }
- }
- }
+ location /api {
+ proxy_pass http://localhost:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 86400s;
+ proxy_send_timeout 86400s;
+ }
+ }
+ }
- Actual behavior:
- After enabling more_set_headers "Server: TJ Server"; with HTTP/2, nginx
workers crash repeatedly.
+ Actual behavior:
+ After enabling more_set_headers "Server: TJ Server"; with HTTP/2, nginx
workers crash repeatedly.
- systemd journal examples:
+ systemd journal examples:
- nginx[1697786]: double free or corruption (!prev)
- nginx[1697785]: worker process 1697786 exited on signal 6 (core dumped)
- nginx[1697785]: worker process 1697788 exited on signal 11 (core dumped)
+ nginx[1697786]: double free or corruption (!prev)
+ nginx[1697785]: worker process 1697786 exited on signal 6 (core dumped)
+ nginx[1697785]: worker process 1697788 exited on signal 11 (core dumped)
- curl example:
+ curl example:
- curl: (92) Invalid HTTP header field was received: frame type: 1,
+ curl: (92) Invalid HTTP header field was received: frame type: 1,
stream: 1, name: [], value: [...]
- Browser symptoms:
+ Browser symptoms:
- GET /icon.svg net::ERR_CONNECTION_RESET
- GET /api/... net::ERR_EMPTY_RESPONSE
+ GET /icon.svg net::ERR_CONNECTION_RESET
+ GET /api/... net::ERR_EMPTY_RESPONSE
WebSocket closed: 1006
- Expected behavior:
- nginx should not crash. more_set_headers should either set the Server
header safely for HTTP/2 responses or reject/ignore unsupported header
manipulation without corrupting
- HTTP/2 response headers or causing worker process crashes.
+ Expected behavior:
+ nginx should not crash. more_set_headers should either set the Server
header safely for HTTP/2 responses or reject/ignore unsupported header
manipulation without corrupting
+ HTTP/2 response headers or causing worker process crashes.
- Reproduction observations:
+ Reproduction observations:
- - HTTP/2 enabled + headers-more disabled: stable
- - HTTP/2 enabled + normal add_header security headers: stable
- - HTTP/2 enabled + server_tokens off: stable
- - HTTP/2 enabled + more_set_headers "Server: TJ Server";: worker crashes
and invalid HTTP/2 headers
- - Disabling only headers-more while keeping HTTP/2 enabled stops the crashes
+ - HTTP/2 enabled + headers-more disabled: stable
+ - HTTP/2 enabled + normal add_header security headers: stable
+ - HTTP/2 enabled + server_tokens off: stable
+ - HTTP/2 enabled + more_set_headers "Server: TJ Server";: worker crashes
and invalid HTTP/2 headers
+ - Disabling only headers-more while keeping HTTP/2 enabled stops the crashes
- Package versions:
+ Package versions:
- nginx version: nginx/1.24.0 (Ubuntu)
+ nginx version: nginx/1.24.0 (Ubuntu)
- nginx 1.24.0-2ubuntu7.10
- nginx-common 1.24.0-2ubuntu7.10
- nginx-extras 1.24.0-2ubuntu7.10
- libnginx-mod-http-headers-more-filter 1:0.37-2build1
+ nginx 1.24.0-2ubuntu7.10
+ nginx-common 1.24.0-2ubuntu7.10
+ nginx-extras 1.24.0-2ubuntu7.10
+ libnginx-mod-http-headers-more-filter 1:0.37-2build1
- Workaround:
- Disable the headers-more module/directive and keep only:
+ Workaround:
+ Disable the headers-more module/directive and keep only:
- server_tokens off;
+ server_tokens off;
- This hides the nginx version but leaves Server: nginx.
+ This hides the nginx version but leaves Server: nginx.
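Review bot: In the "Relevant configuration" block, the revised text replaces the `server_name` value with `.....` and both `ssl_certificate` directives with `......`, so the snippet no longer parses as nginx configuration. A placeholder such as `server_name example.com;`, with the two certificate directives kept and pointed at placeholder paths, would preserve the redaction and still give a config that can be loaded to reproduce the crash. The unchanged line `11:27:57 [77/1841]` inside `http {` looks like terminal residue and should be dropped, and the nginx code fence opened before `include` is never closed in the visible text.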
--
https://bugs.launchpad.net/bugs/2155992
Title:
headers-more dynamic module crash | Signal 11 and 6 Crashes due to
ABI breakage on 1.24.0-2ubuntu7.10 and 1.28.3-2ubuntu1.3