FastCGI shibautorizer - NGINX - upstream sent too big header
Sean Porth
sporth at unicon.net
Fri Sep 16 12:23:46 UTC 2022
The issue appears to be because something is trying send an image in the
Variable-Meta-largeLogo header and that is most likely over 512k. So
either your server is misconfigured or whatever is creating the headers is
parsing something incorrectly.
Sean Portth
Unicon, Inc.
On Fri, Sep 16, 2022 at 7:20 AM nicolas roggli via users <
users at shibboleth.net> wrote:
> Hello,
>
> I'm trying to setup Nginx with Shibboleth, and I am always getting this
> error:
>
> 2022/09/16 12:08:02 [error] 49114#49114: *2629 upstream sent too big
> header while reading response header from upstream, client:
> 10.194.56.230, server: my.server.com, request: "GET /secure HTTP/2.0",
> subreq
> uest: "/shibauthorizer", upstream:
> "fastcgi://unix:/var/run/shibboleth/shibauthorizer.sock:", host:
> "my.server.com"
>
> I tried to raise the buffer size in my config, but I stopped after 512k
> as I guess the problem might be elsewhere.
>
> Has someone any hints on what might happens? I have almost no knowledge
> of shibboleth, I don't know what I should look for.
>
> Part of my nginx.conf
>
> 1 location = /shibauthorizer {
> 2 internal;
> 3 include fastcgi_params;
> 4 fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
> 5 }
> 6
> 7 location /Shibboleth.sso {
> 8 include fastcgi_params;
> 9 fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
> 10 }
> 11
> 12 location /shibboleth-sp {
> 13 alias /usr/share/shibboleth/;
> 14 }
> 15
> 16 location ^~ /secure {
> 17 shib_request /shibauthorizer;
> 18 include fastcgi_params;
> 19 include shib_fastcgi_params;
> 20 shib_request_set $shib_email $upstream_http_variable_mail;
> 21 fastcgi_param EMAIL $shib_email;
> 22 fastcgi_index index.php;
> 23 fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> 24 fastcgi_pass unix:/run/php/php8.1-fpm.sock;
> 25 }
>
> Here bellow some more debug output that preceeds the error. I can send
> more if needed...
>
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request:
> "/shibauthorizer?"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream dummy handler
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request:
> "/shibauthorizer?"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream dummy handler
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request:
> "/shibauthorizer?"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream process header
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 malloc:
> 000056261F723C00:4096
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: eof:1, avail:-1
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: fd:19 4096 of 4096
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: avail:1416
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 01
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 06
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 00
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 01
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 15
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 63
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 05
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record byte: 00
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> length: 5475
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Status: 200 OK"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-AUTH_TYPE: shibboleth"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-displayName: SWITCH edu-ID [Test]"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-homeOrganization: test.eduid.ch"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-homeOrganizationType: others"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-informationURL: https://projects.switch.ch/eduid/"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 posix_memalign:
> 000056261F71F700:4096 @16
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-largeLogo: <img
>
> src='data:image/svg+xml\;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9
>
> zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjEiIGlkPSJMYXllcl8xIiB4PSIwcHgiIHk9IjBweCIgd2lkdGg9IjExMyIgaGVpZ2h0PSI4NSIgdmlld0JveD0iMCAwIDgwIDYwIiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCA4MCA2M
>
> DsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMwMDI0N0Q7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yLjQsMTMuOWMwLTMuOSwxLjgtNC4zLDUuNC00LjNjMy4yLDAsNS40LDAuMSw1LjMsNC4xaC0xLjdjLTAuMS0yLjY
>
> tMC42LTIuNy0zLjctMi43Yy0zLjIsMC0zLjcsMC40LTMuNywyLjQgICBjMCwyLjgsMS4zLDIuNiw0LjEsMi42YzMuNSwwLjIsNS4yLDAuMSw1LjIsNC4xYzAsNC4xLTEuOSw0LjMtNS42LDQuM1MyLDI0LDIuMywxOS44SDRDMy45LDIzLDQuNiwyMyw3LjcsMjNzNCwwLDQtMi45ICAgYzAtMi44LTEuMi0yL
>
> jMtMy45LTIuNUM0LjgsMTcuNCwyLjQsMTcuNywyLjQsMTMuOXoiLz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0zMS41LDI0LjRIMjlsLTMuOC0xMy4yaDBsLTMuOSwxMy4yaC0yLjVMMTQuMyw5LjdIMTZsNCwxMy4zSDIwbDMuOS0xMy4zaDIuNGwzLjksMTMuM2gwbDQuMS0xMy4zaDEuNyAgIEwzMS41LDI
>
> 0LjR6Ii8+Cgk8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzkuNSwyNC40aC0xLjdWOS43aDEuN1YyNC40eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ3LjYsMjQuNEg0NlYxMS4yaC00LjdWOS43aDExLjF2MS41aC00LjdMNDcuNiwyNC40eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTU3LjksMjQuN
>
> WMtMi43LDAtNC4zLTEuNy00LjMtNC42di01LjdjMC00LjEsMi41LTQuNiw2LjEtNC42aDEuNGMzLjEsMCw0LDEuMyw0LDQuMnYwLjVoLTEuN3YtMC40ICAgYzAtMi0wLjQtMi44LTIuNi0yLjhoLTAuOWMtMy40LDAtNC42LDAuNC00LjYsMy4xdjRjMCwzLjMsMC4xLDQuOCwyLjksNC44aDJjMi43LDAsMy4
>
> 1LTAuNCwzLjUtMi41di0xLjJoMS43djEuNCAgIGMwLDMuNC0yLjEsMy43LTUuMSwzLjdMNTcuOSwyNC41eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTc5LjIsMjQuNGgtMS43di02LjdINjl2Ni43aC0xLjZWOS43SDY5djYuNGg4LjZWOS43aDEuN0w3OS4yLDI0LjR6Ii8+CjwvZz4KPGc+Cgk8cGF0a
>
> CBjbGFzcz0ic3QwIiBkPSJNMTQuOSw0Ni44YzAsNC4zLTIuNSw0LjUtNi4zLDQuNWMtNS4yLDAtNi4zLTEuNy02LjMtNi45YzAtNC45LDAuOC03LDYuMy03YzUuNiwwLDYuMywxLjYsNi4zLDcuNkg1LjYgICBjMCwyLjksMC4xLDMuOSwzLDMuOWMxLjgsMCwzLjEsMCwzLjEt
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header:
> "Variable-Meta-organizationURL: http://www.test.eduid.ch/"
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: -2
> 2022/09/16 12:08:02 [debug] 49114#49114: *2629 upstream split a header
> line in FastCGI records
> 2022/09/16 12:08:02 [error] 49114#49114: *2629 upstream sent too big
> header while reading response header from upstream, client:
> 10.194.56.230, server: my.server.com, request: "GET /secure HTTP/2.0",
> subreq
> uest: "/shibauthorizer", upstream:
> "fastcgi://unix:/var/run/shibboleth/shibauthorizer.sock:", host:
> "my.server.com"
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220916/a8235894/attachment.htm>
More information about the users
mailing list