Hi Maxim,

On 30-6-2021 at 21:17, Maxim Dounin wrote:
Hello!

On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:

Thanks! That makes sense to me. I like to understand things a little
better and hope you can help with that:

1) Why is the result different when I disable keepalive in Nginx? After
disabling keepalive the second request isn't executed anymore.

Because multiple requests in the same connection only work with
keepalive.  As long as keepalive is disabled, only the first
request in the connection is processed.  To make additional
requests the client has to open additional connections.

Thank you! That should have been obvious.

2) Do you know why Apache responds the same as Nginx with
keepalive disabled?

Because keepalive is disabled on the Apache server you are testing
against?  As long as keepalive is enabled, the same requests work
perfectly with Apache and return two responses as they should.

Keepalive is enabled in Apache. I enabled more verbose logging to find the cause. Apache doesn't allow the first request and gives a 400 error, error log: (22)Invalid argument: [client xx.xx.xx.xx:xxxxx] AH01590: Error reading/parsing chunk

I suppose the connection is closed directly because of the error and therefore the second request isn't executed. I changed my test to confirm that Apache will handle the 2 requests within the same connection:

POST / HTTP/1.1
Content-Length: 0
Foo: bar
Host: vulnerable-domain.com

GET /admin7 HTTP/1.1
X-Foo: k

That works. It looks like Apache is very picky in the processing of the Transfer-Encoding header.

Thank you for your help!

Kind regards,
Hans

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
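
The three outcomes discussed in this thread (two responses with keepalive, one without, and a 400 that closes the connection), as an added example that is not part of the original messages and is not nginx or Apache code. The function names and the "handled"/"400" labels are hypothetical, header validation and trailers are not modelled, and closing the connection after a chunk parsing error is an assumption taken from the description in the message above.

```python
# Added example: simplified model of request framing on one connection (assumption-based).
HEX = b"0123456789abcdefABCDEF"

def chunked_length(body: bytes):
    """Return bytes consumed by a chunked body, or None if it is malformed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        token = body[pos:eol].split(b";")[0] if eol >= 0 else b""
        if not token or any(c not in HEX for c in token):
            return None                      # bad or missing chunk-size line
        size, pos = int(token, 16), eol + 2
        if size == 0:                        # last chunk; trailers not modelled
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if body[pos + size:pos + size + 2] != b"\r\n":
            return None                      # chunk data not terminated by CRLF
        pos += size + 2

def process_connection(raw: bytes, keepalive: bool):
    """Return [(outcome, request_line), ...] for the bytes of one connection."""
    results, buf = [], raw
    while buf:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            break                            # incomplete header block
        lines = head.decode("latin-1").split("\r\n")
        headers = {n.strip().lower(): v.strip()
                   for n, _, v in (ln.partition(":") for ln in lines[1:])}
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body_len = chunked_length(rest)
        else:
            cl = headers.get("content-length", "0")
            body_len = int(cl) if cl.isdigit() else None
        if body_len is None:
            results.append(("400", lines[0]))
            break                            # error closes the connection
        results.append(("handled", lines[0]))
        if not keepalive:
            break                            # one request per connection
        buf = rest[body_len:]                # next request starts after the body
    return results

# Constructed input: the two requests from the message above, CRLF-terminated.
PIPELINED = (b"POST / HTTP/1.1\r\nContent-Length: 0\r\nFoo: bar\r\n"
             b"Host: vulnerable-domain.com\r\n\r\n"
             b"GET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")
# Constructed input: chunked first request whose chunk-size line is not hex.
BAD_CHUNK = (b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
             b"Host: vulnerable-domain.com\r\n\r\n"
             b"zz\r\n\r\nGET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")
```
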
