-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Transfer-Encoding: chunked causing denial of service #107
Comments
Do you know if that happens also with Nginx? |
@shyim Previously we've been using nginx on our Shopware 6.4 setup without any issues. Here is the config we've used: nginx.conf |
would solve it right 🤔 . I don't know tbh if that is too low or too high 🙈 |
I found that too, but could not get that to work. If I understood that correct, it would crash on requests greater than 4k. Nginx would solve that by buffering the request to a file, which caddy does not support. Thats what someone wrote on some issue in those threads. I think that was an Issue I found over at Nextcloud. |
I try some configuration on monday and add also an nginx variant. I think it's better maintained than caddy 😅 |
Buffers are not working, you cannot also forbid Transfer-Encoding requests in caddy: caddyserver/caddy#6628 I would suggest you to switch to nginx image for know: ghcr.io/shopware/docker-base:8.3-nginx, it's build in the same way as caddy. I will add this to README |
|
|
@shyim why don’t you consider dropping Caddy entirely and using the FrankenPHP variant, which doesn’t require FPM and is built on top of Caddy? |
@WeidiDeng can confirm, denial of service is no longer possible after applying that fix. However, the malicious requests will get a 502 response now.
|
Is this the caddyfile in use? Can you enable debug logging? Add
to the top the caddyfile and post the resulting output when 502 is encountered. |
Those are all the logs I get when sending a single request via
|
@dallyger I think I know what's the problem. The request buffering part is more complicated than I initially think. I created another patch With both patches above mentioned patches applied, you can handle |
@WeidiDeng can confirm, if I use |
- remove support for multiple PHP versions - remove support for Caddy image (see: shopware/docker#107) - finish CI pipeline with image builds and pushes to start writing Helm Chart
Summary:
A request with the header "Transfer-Encoding: chunked" will cause Caddy to
spawn a php_fastcgi process, which hangs forever.
After upgrading to Shopware 6.6 (using
shopware/docker
), our shop wouldtimeout every couple hours/days due to bot traffic until manually restarted.
Our old setup with nginx did not have that issue.
Temporary solution
I've added the following entry to our Varnish config to block such requests:
Another option would be to set
request_terminate_timeout = 120s
inphp.conf
, so hanging requests are automatically terminated after two minutes.How to reproduce:
Setup a Shopware instance:
composer create-project shopware/production:6.6.6.1 . composer req shopware/docker
Start a docker container from an image build by using that project by adding
the following to
compose.yaml
:And finally, send a broken request using
curl
:Request will hang and no body is returned:
Run the following command to observe an additional, forever open socket:
docker compose exec web netstat -alWx
Repeat this 5 times (default value of
pm.max_children
) and the shop isunresponsive and any further requests will hang forever too, even if they're
not chunked. Or a
502 timeout
occurs, if behind a reverse proxy.See also
Some related issues I've found. However, I could not get the solutions
mentioned to work yet. The
request_buffers 4k
setting did not work for me.The text was updated successfully, but these errors were encountered: