-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reverse_proxy: problems with fastcgi requests with unknown body length #6637
Comments
With 6638, that specific issue should be gone. However, for request bodies larger than whatever is defined will still cause problems, unless I checked nginx configurations, request and response buffering is on by default. But let's just buffer those requests with unknown content length for now. |
Done, it's now available in this patch. Though the maximum request body size can't be limited there, it's available in request_body. Set that if some clients send some arbitrary large body to mount a ddos attack. |
I'm experiencing the same issue, and it seems that many others are also affected by this. I'm not a development software engineer, so I'm not sure if I can ask you to show me how to temporarily mitigate this type of error. Currently, I have the following configuration in my Caddyfile, but it doesn't seem to work. I'm using Caddy through Docker, pulling the image directly from Docker Hub. Thank you very much!
|
@cottonthread this is currently another bug in Caddy. See: #6628 AFAIK there are 3 possible workarounds right now.
Or migrate away to something like Nginx. This is the solution Shopware now recommends, after I've raised this issue with them and they were unable to fix it. See the warning at https://github.com/shopware/docker?tab=readme-ov-file#readme |
Thank you very much for replying. I’m trying to test the first method you mentioned, but I’m not sure if I’m doing it correctly. From what I understand, every time the condition is met, it should respond with a 411 code, right? However, I’ve noticed that there’s no impact in the logs. The relevant code appears to be this: (blockphpbug) {
@blockChunkedEncoding {
header Transfer-Encoding chunked
}
respond @blockChunkedEncoding 411
request_body {
max_size 1MB
}
@noContentLength {
header Transfer-Encoding chunked
header !Content-Length
}
respond @noContentLength 411
}
http://example.com, http://www.example.com {
import blockphpbug
request_body {
max_size 1MB
}
php_fastcgi php:9000 {
index index.html
request_buffers 4k
response_buffers 4k
}
root * ./example.com
encode gzip
file_server
log
} I understand the important part is here: header Transfer-Encoding chunked
header !Content-Length It essentially indicates that if the |
You have to drop the |
Thank you very much for your response. I wanted to comment that if I write the rule as follows:
Every time I visit the website, it directly reports a 411 error because my website uses
But if you’re saying that
Or even:
Or is it simply not possible to fix this using any of these methods? Thank you very much for your patience. |
I don't think, that the index.php file is the issue here, as the request would most likely not even reach it. The request is routed like so: I'm sorry, but I don't think I can help you with that. I don't know Caddy or how to configure it. I am just using a project, that once shipped with Caddy by default and therefore reported this issue. Our solution was to deploy another reverse-proxy infront to prepare the requests and that project migrated to nginx. AFAIK your other examples are not yet working in caddy due to this transfer-encoding issue. Some patches were tested but not merged yet. Maybe @WeidiDeng, who authored those patches, can help and tell us what the status is? |
@cottonthread |
Thank you very much for your notice. Are you referring to the version at https://github.com/caddyserver/caddy/releases/tag/v2.9.0-beta.3? I'm not sure how to confirm the version you mentioned, but I suppose it would be one of the beta versions announced on the release page, right? |
I've built Caddy from master (last commit: 5ba1e06) |
Now I see that the official version 2.9 has fixed this problem, have you already updated it? And does it work just as well for you? I say this because I am using the Docker version of this program and due to my lack of knowledge of doing Build, I am not able to generate a custom version of Caddy. Thanks a lot! |
Right now, caddy has problems handling fastcgi requests when the client sends a body with unknown body length, for http1.1 it's usually chunked encoded body. Users have to buffer the request manually and the buffer doesn't work right now because
Content-length
is not set in this case, and it will leads to some easy attacks.Here, an attacker doesn't need to do much to block all processes spawned by php-fpm.
Caddy should handle this type of requests with a sane default just like nginx does, i.e. buffer requests with unknown body length in this case, and reject requests whose body is too large to buffer.
The text was updated successfully, but these errors were encountered: