kodxxl opened a new issue, #10295:
URL: https://github.com/apache/apisix/issues/10295

   ### Current Behavior
   
   When using the openid-connect plugin, a third-party proxy server displays a 
502 Bad Gateway error. This happens after successful authorization and sending 
to redirect_uri. Debugging shows that NGINX out of the box cannot process the 
huge response header and crashes.
   
   ### Expected Behavior
   
   After configuring the proxy server with the options:
   ```
   http {
     proxy_buffer_size 32k;
     proxy_buffers 8 16k;
     proxy_busy_buffers_size 32k;
   }
   ```
   the error is resolved.
   
   ### Error Logs
   
   **NGINX out of the box:**
   ```
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http upstream request: 
"/anything/redirect_uri?state=17298ce5e6cebef25add8a1f65d2698a&session_state=b99c338f-6795-4f2d-b2eb-39cfd39e125d&code=2668d1e9-edd0-4260-a75c-8d075facbcee.b99c338f-6795-4f2d-b2eb-39cfd39e125d.27e5ed78-cbf8-46fb-a252-a828e9fbadf8"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http upstream process header
   2023/10/06 09:22:37 [debug] 73312#73312: *59 malloc: 000055E718B06CE0:4096
   2023/10/06 09:22:37 [debug] 73312#73312: *59 posix_memalign: 
000055E718B07CF0:4096 @16
   2023/10/06 09:22:37 [debug] 73312#73312: *59 recv: eof:0, avail:-1
   2023/10/06 09:22:37 [debug] 73312#73312: *59 recv: fd:11 4096 of 4096
   2023/10/06 09:22:37 [debug] 73312#73312: *59 recv: avail:2172
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http proxy status 302 "302 
Moved Temporarily"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http proxy header: "Date: Fri, 
06 Oct 2023 09:22:37 GMT"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http proxy header: 
"Content-Type: text/html"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http proxy header: 
"Content-Length: 217"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http proxy header: "Connection: 
close"
   **2023/10/06 09:22:37 [error] 73312#73312: *59 upstream sent too big header 
while reading response header from upstream**, client: 10.244.5.98, server: , 
request: "GET 
/anything/redirect_uri?state=17298ce5e6cebef25add8a1f65d2698a&session_state=b99c338f-6795-4f2d-b2eb-39cfd39e125d&code=2668d1e9-edd0-4260-a75c-8d075facbcee.b99c338f-6795-4f2d-b2eb-39cfd39e125d.27e5ed78-cbf8-46fb-a252-a828e9fbadf8
 HTTP/1.1", upstream: 
"http://127.0.0.1:31280/anything/redirect_uri?state=17298ce5e6cebef25add8a1f65d2698a&session_state=b99c338f-6795-4f2d-b2eb-39cfd39e125d&code=2668d1e9-edd0-4260-a75c-8d075facbcee.b99c338f-6795-4f2d-b2eb-39cfd39e125d.27e5ed78-cbf8-46fb-a252-a828e9fbadf8";,
 host: 
"25824aca-8d32-4927-8973-1295a4893db8-10-244-4-159-80.spch.r.killercoda.com"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http next upstream, 8
   2023/10/06 09:22:37 [debug] 73312#73312: *59 free rr peer 1 4
   2023/10/06 09:22:37 [debug] 73312#73312: *59 finalize http upstream request: 
502
   2023/10/06 09:22:37 [debug] 73312#73312: *59 finalize http proxy request
   2023/10/06 09:22:37 [debug] 73312#73312: *59 close http upstream connection: 
11
   2023/10/06 09:22:37 [debug] 73312#73312: *59 free: 000055E718A93860, unused: 
48
   2023/10/06 09:22:37 [debug] 73312#73312: *59 event timer del: 11: 4058755
   2023/10/06 09:22:37 [debug] 73312#73312: *59 reusable connection: 0
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http finalize request: 502, 
"/anything/redirect_uri?state=17298ce5e6cebef25add8a1f65d2698a&session_state=b99c338f-6795-4f2d-b2eb-39cfd39e125d&code=2668d1e9-edd0-4260-a75c-8d075facbcee.b99c338f-6795-4f2d-b2eb-39cfd39e125d.27e5ed78-cbf8-46fb-a252-a828e9fbadf8"
 a:1, c:1
   2023/10/06 09:22:37 [debug] 73312#73312: *59 http special response: 502, 
"/anything/redirect_uri?state=17298ce5e6cebef25add8a1f65d2698a&session_state=b99c338f-6795-4f2d-b2eb-39cfd39e125d&code=2668d1e9-edd0-4260-a75c-8d075facbcee.b99c338f-6795-4f2d-b2eb-39cfd39e125d.27e5ed78-cbf8-46fb-a252-a828e9fbadf8"
   2023/10/06 09:22:37 [debug] 73312#73312: *59 xslt filter header
   2023/10/06 09:22:37 [debug] 73312#73312: *59 HTTP/1.1 502 Bad Gateway
   ```
   **NGINX after tuning buffer sizes:**
   ```
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy status 302 "302 
Moved Temporarily"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Date: Fri, 
06 Oct 2023 09:14:12 GMT"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: 
"Content-Type: text/html"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: 
"Content-Length: 217"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Connection: 
close"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 malloc: 00005576DE230D80:4063
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Set-Cookie: 
session=nN7vePfHZuJD-tSSFoPPKg|1696587252|SQ1DSIl4MlGUqd2LfhDka8eMjpF_-SYeidRNqjES3Xi3Q3idWnExfnXdySYVVONoqMcLNf1d_DAqqnz3Jysshx-V9ODdYWu1ly2m_UMH4oG9x4CA79xOLMR07t9_BvHrQNH1IB6btTGfA6Kj-hceob6z9yaxAIsi8FEs5L1Lhk1teTicQA3xlA8vDbv2QqUUovoLhrA8XzL1eBKMSDXO9qi69mf1NXElPUxcNy3qhlvBN2heIHBuXH_UPKKY472jcnpis_A4oxqGsnZ1NBbRJJ4-VoIZkhjxRqgigMslLq2KlXWBp4sClA1vRiwSHDz8SgPphWcWEPkjzF2rv8lTpLyfkqdy1QgXahEHPPKwyBKhYX_OpyDqZuBIgXkLvA2Llq7rvC_dexVM5JlLo0zSTYLR8iimAwbsdKzlj2C-YGELQ0_r6reY2jDdpRfx46epek1lqR0_f8WQrIAPSQ7kXZ4QAPjOiLdjIis-7Ihw-4Op4JjVmLzip2975xqmKbZnMOImvD2751WfG90r60PyXCiwC_c7Yy_wgLXag5OW2psDZKtNlwFmSIeQMAsD6f3VhwdNu-dDRjStWDGF2tUboMnbspk-4IuSD9zDcPrg6Jt7t9kn9NtLdpxpftkM9Nee6la8Tc8tWmQ5hkMoh9gx10vQcJZs9bQ9XbjHCfI96pizZuMxkEsWiBbvCialxwZR9EIcjrHx0REeIyuWxPmJzVFFoBtxssPpYa5cifeepp79srME20sepjgtg-WnDY1-QWtxVxc0QHGNuJmn2fxnyY1c66t4LiNDkGMhr5P0agwIOba-tJ-dRQbUMqNV7b15HyiT4kYuknxlnUCMLBPsDpf7nbRthbpT-FE6ZNrybNfC
 
tRAcnXrHCkolDfhvQWAoGgMQ1cCOwX9_snjZgb5VkqGuZmv8Txl06s4mXHASIYd-DRaKLemLKeWI74Sd5iblBa-Qyze9hzkG_9gtWfrMVPFA8u7jjTcTEAfOP7UzWyuD7xf5Snb1cG18vyh62zZd3J5Wcdg_RhwcL9Ak6ZiVS1v9vgBLMepZ88DJxpdVGOA6nc7FVjETIa0lGvkoXgiiBrDrAgUXlQ0NjLt8LYh44C1TgfHIsIia74yOT8HRTQdK06Yq_HcBAQAju7JErkHpkECG8hjh5dGrHHYy3Q04MV58SgNCtjl3uqFdMouVG15uFmtAHp5KQ5wKb3FwEgiAv8NJmlCf1JFDTe4Q0mk1MnJwBjH1YOP7yuCIXOAPuV0Rc2pKCs25IxZUJxmHacgzd_Dk-4pAgf80JqplllpwfYoyayBDAWO-Tj7uDG_K4OvG6r2T6nCwOBbBObB6Ef7QvACT2sosfaP2R-1dvaSPo3lCjx72SAQuLNrtd7w-Uc6K6VxvUvc9xAjlaU4-4V-izWGNbnzXcqdISoL8fdfEth665noHuAJw6rHMuseMTQw_HAt32sCYwoTUQY37-_PusVlHSDO5l35Husqe-g_GRgGie76xkArD7cXgZ1WTEjGKIstHIuYCZNbX9TDfDAkGiONJecj5FPdI6ioovUI3WP3l80Rc_1UjPXJOhOdKhLlZdA4tOdI-WaJfa7cqqK5pEAoMNdAJlm-blY_N5mKR9qHtLHuRQ9A5zgnGuRjit_oWBC7ads8yoHhAl4ZeiDqhqwZhCqsvtrzrYXceuF_XJVuplKQRG6Omx_oMWRZuFZ_0s-aTwiU52Cn5Hbj85pLpac7_kWr3DP687qdeHwDI6WBk2PKsvFrGFg3BJ6XcV7lEYC9AzXRlx6h0R4yKfQ833OHPyV9wfbFdX3CwIhhwU-R3GXRV9JC48SHY6MUcyT18iMGuCiBN3eUCSxBz4NfeByc9G3H8SMVW5mrZV
 LRvHxYvD5h6XYhC2YQomhkiPS8ltGbUdmntD0R2b9sjR5oVEcXfrPhF
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Set-Cookie: 
session_2=e_lMXSjhGPnwEvku1GJIXEwCiqWhlfyJ3mggW3SHbHUbTvkCxB8iJ2YQewtqC1_WK0m6h4_qSgxTZuBEMDHBscpPUmBksBPCMY5OXeblnP61KY53IjCuu5XSIZK95pXc4UwGpma3u1dIDX2ET9F0L8VqRTnO9o13ZHHTlT07VuuTVQHbZ1EnA0GboHAaB_TJp-ElgrsZmJbLd1ayMrwlbPXtuhLCyqwTOvxwdx0FKLRdAupiAshstGWJmA0Vg7jy1Ue_DMU_fpepJBHYP-tn4dfvBskQrbKg63yFZG8BTU-Jjb85Ek3VancUAbXPpkCvbCdiPSIng9ejxJBL7RZzzQ7EhaYoG_vJQ8kS6R8cDWUGO9ckQkupdZ9wmfYB80IdrSrIz5INfUODu00DykjvHlWOFkICzBoPm0KMYxvoDxMjCjGVlrIKIYmE-puLbGPDc152tmWuIZQr51K2myVlXHvAP8S4WZ0BXBVab4F_6N_gf59jWMgt30lwB6CAhs_tprOwrWOw40uMxKBxuAn0N4eZbRw4KV0qErM4AAp99gwVl_67jOfqTg2WMYHnGypwg5SkyWTH2z6NN6ljS18fkHli35GF7H9DWo_UFsEkxPWibimo_Qk3R8gO6Y4nRRvcM_x5NnVhG4p82QgIZBJbW7c2F1cKEZLT8brpnEdLr2xDQPJc4fWCpuwvAxuZs0JwMkMWZNa3Ze_sjbZKmmJrBBhCPYAEF05JEMis02Kj5yL0317iEdD4_TFzGfSa2d9ysoOoUbzxA-d8IN3-Lg-DzFVYZJxlgYdZevIeEYpDIeHHzA-gV2qGC0Sz-0IwWQWO7efLh04Ua6bB_kdxkVplasVH7KD6akc-am2l0gN25qbVcaHXWndwT8FaCnbF05OB7PDrPZ-aY-Z_
 
QUgknKF_04a5UVav7qdfU-f9n_cQm6z8R7Qo7qT7H13PYJrhg-uUZGcaBgUZPs07xaVi-yUnQyQ5N0kSoYxS2nGz-9f4z2zsmcBvEhGZiDH5y3mjrAbwIcuf0FO8eryNTewuLLGB7zcgIPVnX_zw6izr91GQIVqHLnTt2ZqPCDZ163mZwN3Ts-mhZPBFA7U1OF5n6tpyjHsB04sMCrmvTV5ioxe7yTzPmbFXxliV7qE-dvQyVu-NXH9VVnD4cvfsWdWYbta2eBtWUP1B4ytRVcNrXsUwyHw_AYn4rQVQ3NrYsOEVUfg3sSrCMkfL2U-tzwrDBRYpKHf_KGBKe3VRGYuZJ7QYiSyK1TAj8JAUOHHagRxAr3N2-01Zc5wQXlUWYai4UHmKSgnBczXy3NwdZ_2cIUQ60pgVGHT6wduTQTJ82ZTLFvcFM7pBoBQn7mdb7mlXesyVrZwcIVLD8OGEklJRfzDEFL4-Rg7bR2Stos-1qYsPiMaa4hxU33kvFGJFNyQzGMoWAYR7Qu11Hr6UTpJ42uqYxe-8qEOSQWvMnNLoQSpPxYhMeP_0p1Kle3z0-aEC3AzFn4f7vv9uHkm4WLZKQI39th0mrbB5TxklLJh5_3aT8BsJ67mF38VGDZgPxXZiGondJZp4z4o5vLBe1h8nTMz5B0nUpPqmhHelkciXUBTTNBEEVDet0OScLpnsjGptefu4GZ2wliTgPIy0hcGTpLOkhm4g3f0Yi7WXhTFunUFSC6hmJJ4Qy52EopkhCZVq8t7mw_NRxBKqezRlFVUFlF2pcRh58uqzmqbZT8zGE2YsKPJt5J9ty39-5SxYxr65L2u6id45MtIgbc-QQ4EshUlimv0fbUPKziYq6Ik8oae2JdYJyDgY8bGMii-lS3lNoOM4Jww6e9sqiLyEwZUK3dJbCUpNkYK9EWoql-xvcCK4tM4917ow8jfqDbEW4qJkqUUleH8ZHHsn6CY_RDOEY7TjyMBLuPmTw
 pXuX__rZ7RfzhGq3sM_pe63HjiNRstK-o12K7tg|vAXcDuEg5l5oluN
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Location: 
/anything/login"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header: "Server: 
APISIX/3.5.0"
   2023/10/06 09:14:12 [debug] 63061#63061: *67 http proxy header done
   2023/10/06 09:14:12 [debug] 63061#63061: *67 xslt filter header
   2023/10/06 09:14:12 [debug] 63061#63061: *67 malloc: 00005576DE2A1D00:6299
   ```
   
   ### Steps to Reproduce
   
   1. Install Apisix
   2. Create an account with the OpenID provider
   3. Set up a route with the openid-connect plugin enabled
   4. Install and configure a third-party NGINX proxy server
   5. Try logging in to the openid provider through a third party NGINX proxy
   6. Get a 502 error
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.5.0
   - Operating system (run `uname -a`): Linux 5.4.0-131-generic
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): 
openresty/1.21.4.2
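
An offline check for the failure reported above, added here as an example (not code from the issue author or the APISIX project): it sizes a response header block and compares it with the proxy's `proxy_buffer_size`. The cookie values are constructed placeholders of assumed length, and the 4096-byte default is an assumption taken from the `recv: fd:11 4096 of 4096` line in the log.

```python
import re
# Assumption: 4096-byte default (one memory page), as in "recv: fd:11 4096 of 4096".
DEFAULT_PROXY_BUFFER_SIZE = 4096
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

TUNED_CONF = """http {
  proxy_buffer_size 32k;
  proxy_buffers 8 16k;
  proxy_busy_buffers_size 32k;
}"""
UNTUNED_CONF = "http {\n}"  # no proxy_buffer_size directive: default applies
# Constructed response modelled on the log; cookie values are placeholders.
STATUS_LINE = "HTTP/1.1 302 Moved Temporarily"
HEADERS = [
    ("Date", "Fri, 06 Oct 2023 09:14:12 GMT"),
    ("Content-Type", "text/html"),
    ("Content-Length", "217"),
    ("Connection", "close"),
    ("Set-Cookie", "session=" + "A" * 2000),
    ("Set-Cookie", "session_2=" + "B" * 2000),
    ("Location", "/anything/login"),
    ("Server", "APISIX/3.5.0"),
]

def parse_size(text):
    """Convert an nginx size such as '32k' or '4096' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def proxy_buffer_size(conf):
    """Return proxy_buffer_size from config text, or the assumed default."""
    m = re.search(r"^\s*proxy_buffer_size\s+(\S+?)\s*;", conf, re.MULTILINE)
    return parse_size(m.group(1)) if m else DEFAULT_PROXY_BUFFER_SIZE

def header_block_size(status_line, headers):
    """Bytes on the wire: status line, each header, and the blank line (CRLF)."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return sum(len(line.encode("latin-1")) + 2 for line in lines) + 2

def check(conf, status_line=STATUS_LINE, headers=HEADERS):
    """Report whether the header block fits in the proxy's header buffer."""
    size, limit = header_block_size(status_line, headers), proxy_buffer_size(conf)
    return {"header_bytes": size, "limit": limit, "fits": size <= limit}

if __name__ == "__main__":
    for label, conf in (("untuned", UNTUNED_CONF), ("tuned", TUNED_CONF)):
        print(label, check(conf))
```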
   

