FastCGI shibautorizer - NGINX - upstream sent too big header
nicolas roggli
nicolas.roggli at unige.ch
Fri Sep 16 14:31:44 UTC 2022
Hello Sean,
That was it, thank you very much.
> The issue appears to be because something is trying send an image in the
> Variable-Meta-largeLogo header and that is most likely over 512k. So
> either your server is misconfigured or whatever is creating the headers is
> parsing something incorrectly.
>
> Sean Portth
> Unicon, Inc.
>
> On Fri, Sep 16, 2022 at 7:20 AM nicolas roggli via users <
> users at shibboleth.net <https://shibboleth.net/mailman/listinfo/users>> wrote:
>
> >/Hello, />//>/I'm trying to setup Nginx with Shibboleth, and I am always getting this />/error: />//>/2022/09/16 12:08:02 [error] 49114#49114: *2629 upstream sent too big />/header while reading response header from upstream, client: />/10.194.56.230, server: my.server.com, request: "GET /secure HTTP/2.0", />/subreq />/uest: "/shibauthorizer", upstream: />/"fastcgi://unix:/var/run/shibboleth/shibauthorizer.sock:
> <fastcgi://unix/var/run/shibboleth/shibauthorizer.sock:>", host: />/"my.server.com" />//>/I tried to raise the buffer size in my config, but I stopped after 512k />/as I guess the problem might be elsewhere. />//>/Has someone any hints on what might happens? I have almost no knowledge />/of shibboleth, I don't know what I should look for. />//>/Part of my nginx.conf />//>/1 location = /shibauthorizer { />/2 internal; />/3 include fastcgi_params; />/4 fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock; />/5 } />/6 />/7 location /Shibboleth.sso { />/8 include fastcgi_params; />/9 fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock; />/10 } />/11 />/12 location /shibboleth-sp { />/13 alias /usr/share/shibboleth/; />/14 } />/15 />/16 location ^~ /secure { />/17 shib_request /shibauthorizer; />/18 include fastcgi_params; />/19 include shib_fastcgi_params; />/20 shib_request_set $shib_email $upstream_http_variable_mail; />/21 fastcgi_param EMAIL $shib_email; />/22 fastcgi_index index.php; />/23 fastcgi_param SCRIPT_FILENAME />/$document_root$fastcgi_script_name; />/24 fastcgi_pass unix:/run/php/php8.1-fpm.sock; />/25 } />//>/Here bellow some more debug output that preceeds the error. I can send />/more if needed... />//>/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request: />/"/shibauthorizer?" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream dummy
> handler />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request: />/"/shibauthorizer?" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream dummy
> handler />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream request: />/"/shibauthorizer?" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http upstream process
> header />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 malloc: />/000056261F723C00:4096 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: eof:1, avail:-1 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: fd:19 4096 of 4096 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 recv: avail:1416 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 01 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 06 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 00 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 01 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 15 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 63 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 05 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record
> byte: 00 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi record />/length: 5475 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Status: 200 OK" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-AUTH_TYPE: shibboleth" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-displayName: SWITCH edu-ID [Test]" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-homeOrganization: test.eduid.ch" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-homeOrganizationType: others" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-informationURL: https://projects.switch.ch/eduid/" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 posix_memalign: />/000056261F71F700:4096 @16 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-largeLogo: <img />//>/src='data:image/svg+xml\;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9
> />//>/zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjEiIGlkPSJMYXllcl8xIiB4PSIwcHgiIHk9IjBweCIgd2lkdGg9IjExMyIgaGVpZ2h0PSI4NSIgdmlld0JveD0iMCAwIDgwIDYwIiBzdHlsZT0iZW5hYmxlLWJhY2tncm91bmQ6bmV3IDAgMCA4MCA2M
> />//>/DsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMwMDI0N0Q7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yLjQsMTMuOWMwLTMuOSwxLjgtNC4zLDUuNC00LjNjMy4yLDAsNS40LDAuMSw1LjMsNC4xaC0xLjdjLTAuMS0yLjY
> />//>/tMC42LTIuNy0zLjctMi43Yy0zLjIsMC0zLjcsMC40LTMuNywyLjQgICBjMCwyLjgsMS4zLDIuNiw0LjEsMi42YzMuNSwwLjIsNS4yLDAuMSw1LjIsNC4xYzAsNC4xLTEuOSw0LjMtNS42LDQuM1MyLDI0LDIuMywxOS44SDRDMy45LDIzLDQuNiwyMyw3LjcsMjNzNCwwLDQtMi45ICAgYzAtMi44LTEuMi0yL
> />//>/jMtMy45LTIuNUM0LjgsMTcuNCwyLjQsMTcuNywyLjQsMTMuOXoiLz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0zMS41LDI0LjRIMjlsLTMuOC0xMy4yaDBsLTMuOSwxMy4yaC0yLjVMMTQuMyw5LjdIMTZsNCwxMy4zSDIwbDMuOS0xMy4zaDIuNGwzLjksMTMuM2gwbDQuMS0xMy4zaDEuNyAgIEwzMS41LDI
> />//>/0LjR6Ii8+Cgk8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzkuNSwyNC40aC0xLjdWOS43aDEuN1YyNC40eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ3LjYsMjQuNEg0NlYxMS4yaC00LjdWOS43aDExLjF2MS41aC00LjdMNDcuNiwyNC40eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTU3LjksMjQuN
> />//>/WMtMi43LDAtNC4zLTEuNy00LjMtNC42di01LjdjMC00LjEsMi41LTQuNiw2LjEtNC42aDEuNGMzLjEsMCw0LDEuMyw0LDQuMnYwLjVoLTEuN3YtMC40ICAgYzAtMi0wLjQtMi44LTIuNi0yLjhoLTAuOWMtMy40LDAtNC42LDAuNC00LjYsMy4xdjRjMCwzLjMsMC4xLDQuOCwyLjksNC44aDJjMi43LDAsMy4
> />//>/1LTAuNCwzLjUtMi41di0xLjJoMS43djEuNCAgIGMwLDMuNC0yLjEsMy43LTUuMSwzLjdMNTcuOSwyNC41eiIvPgoJPHBhdGggY2xhc3M9InN0MCIgZD0iTTc5LjIsMjQuNGgtMS43di02LjdINjl2Ni43aC0xLjZWOS43SDY5djYuNGg4LjZWOS43aDEuN0w3OS4yLDI0LjR6Ii8+CjwvZz4KPGc+Cgk8cGF0a
> />//>/CBjbGFzcz0ic3QwIiBkPSJNMTQuOSw0Ni44YzAsNC4zLTIuNSw0LjUtNi4zLDQuNWMtNS4yLDAtNi4zLTEuNy02LjMtNi45YzAtNC45LDAuOC03LDYuMy03YzUuNiwwLDYuMywxLjYsNi4zLDcuNkg1LjYgICBjMCwyLjksMC4xLDMuOSwzLDMuOWMxLjgsMCwzLjEsMCwzLjEt
> />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: 0 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi header: />/"Variable-Meta-organizationURL: http://www.test.eduid.ch/" />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 http fastcgi parser: -2 />/2022/09/16 12:08:02 [debug] 49114#49114: *2629 upstream split a header />/line in FastCGI records />/2022/09/16 12:08:02 [error] 49114#49114: *2629 upstream sent too big />/header while reading response header from upstream, client: />/10.194.56.230, server: my.server.com, request: "GET /secure HTTP/2.0", />/subreq />/uest: "/shibauthorizer", upstream: />/"fastcgi://unix:/var/run/shibboleth/shibauthorizer.sock:
> <fastcgi://unix/var/run/shibboleth/shibauthorizer.sock:>", host: />/"my.server.com"/
//
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220916/67c83f90/attachment.htm>
More information about the users
mailing list