-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http body truncated sending to transparent proxy when transfer-encoding = chunked #1710
Comments
Hi @bkcsfi - my first requirement before we dive into this further would be for you to upgrade Caddy to the latest and then update the issue. 😉 Thanks! |
aha, yes I will, sorry I didn't notice that. |
Still fails with Caddy 0.10.3, same problem |
Okay. Does it happen without QUIC? Gonna ping @lhecker on this just in case he has an idea. |
-quic option was only used with 0.9.5 in the zzrot/alpine-caddy docker image. I switched to docker image abiosoft/caddy to upgrade to 0.10.3. That image does not use -quic,
|
@bkcsfi Do you have a full recording of a failed request including headers and the full body (fully unmodified)? If so please send that (only the incoming request) to [email protected] and I'll take a look at what's happening here. I wouldn't mind signing a NDA if you want to. 🙂 |
I have sent a zip'd version of the original request flow. |
Thanks Leonard, for going above and beyond! (Just a note for future reference, now that you made me think about it -- NO contributors to the Caddy project should have to sign an NDA. I would especially never volunteer to sign one. No point in volunteering away certain freedoms for volunteer work!) |
@mholt If I had an issue like this at my workplace and would have to share the request recording it might actually literally be forbidden to do so by certain (privacy protection) laws, without having every viewer of that data sign a NDA. So yeah, I can fully understand it if you have to sign one sometimes, since it might not even be in the submitters' or even the submitters' companies' hands to decide this. In fact it might actually even be a good thing in case of e.g. those privacy protection laws. |
@bkcsfi @mholt Sadly I've been unable to reproduce the problem. Can you maybe help me debug this by running through my steps below? Maybe I've done something wrong, or missed something… I've written a small utility to debug this problem: https://github.com/lhecker/echoserver Build caddy
Created the Caddyfile in the current directory with:
Run caddy
Spawn the echoserver on :5003 in a second shell
Send the sample payload in a third shell
Note: By default netcat will close the connection as soon as it finished reading from stdin. To make it stay open and wait for the HTTP reply I've appended a ResultYou should receive the 100-Continue and a small 200-Ok status header like this:
…followed by an exact copy of the sample payload (which, as mentioned, is what |
@mholt @bkcsfi I just got an idea... Maybe it has to do with the Currently caddy doesn't handle the So in case that your upstream server is really strict about it, it might close the connection due to the violation of HTTP's Expect/Continue spec. Is it possible for you to verify that @bkcsfi? On the other hand if it was really this problem, you should see the first few bytes of the body being sent to the upstream instead of there being none. |
I will try to setup wireshark to capture tcp flags and re-transmit the failed chunked encoding message to caddy to determine what is happening. However I do not think this is the cause of the problem because the downstream app (pyas2) does in fact send back an 100 continue and then follows that up with a 200 OK plus return headers. what I'm seeing is that caddy is not transmitting the initial chunk size nor any portion of the http request body to the downstream app. The downstream app does attempt to process the (empty) http body, and fails with a decryption error. The app then sends back headers and an http body indicating a decryption error. Since the downstream app appears to respond within seconds of the initial request, I suspect that caddy is actually sending a TCP FIN on the downstream connection, which causes the downstream app to detect the half close and go ahead and process what it thinks it had read as the http body (i.e. 0 bytes). |
Hi all, I'm beginning to think this issue should be closed. In the previous tcpflow captures sent to @lhecker , the caddy->app tcpflow showed that there wasn't any body or chunked length being sent from caddy to the app. today I setup tcpdump and wireshark to capture both client->caddy and caddy->app packets. Now, wireshark shows that the message body is being sent correctly to the app from caddy. I exported the 'body' contents and checked md5sum, its the same as the body sent to caddy from the client. I cannot explain why the previous tcpflows failed to show body contents, yet today tcpdump indicates everything is ok. before opening this issue w/ caddy, I had opened an issue with the app I am using, pyas2, regarding chunked transfer. I didn't get a definitive response from the pyas2 issue but a few days ago someone else has posted to that issue indicating that they have the same issue with chunked transfer. Therefore I now think that chunked transfer problem is most likely in the app, and not in caddy, and that somehow I had a mis-fire capturing the tcpflow's that I previously sent. sorry for wasting your time on this, and thanks for your help. |
1. What version of Caddy are you using (
caddy -version
)?0.9.5
2. What are you trying to do?
I am proxying incoming AS2 (http) connections to PyAS2
3. The Caddyfile
4. How did you run Caddy (give the full command and describe the execution environment)?
running in docker image zzrot/alpine-caddy, the command line is
5. Please paste any relevant HTTP request(s) here.
I used tcpflow to capture the inbound http request to caddy, and another tcpflow to capture the http proxied to pyas2.
I would like to provide those files privately, but here's a preview of some headers
A. the incoming http request sent to Caddy, some names have been changed
B. the proxied http request sent to PyAS2 from Caddy
Notice the beginning chunk size 2000 is missing after the blank header line. There's no body at all
C. Response sent from PyAS2 back to caddy (partial, names changed)
D. Response sent from Caddy to requester (partial, names changed)
6. What did you expect to see?
I expect the downstream proxy to receive the same data that was sent to caddy
7. What did you see instead (give full error messages and/or log)?
It seems like caddy silently truncates the data sent to the proxy, entirely dropping the body portion from the forwarded request
8. How can someone who is starting from scratch reproduce the bug as minimally as possible?
I can send you the tcpflow file and you can send it to your own caddy server for testing
9. More thoughts
We are receiving many other messages from this trading partner, but as best I can tell the partner sends them either with content-length, or transfer-encoding: chunked. Whenever the transfer-encoding is chunked, the transmission fails, when it's content-length it works
Possibly the sending biztalk server isn't chunking data correctly, but caddy doesn't complain about a decode problem. I'm not sure where that complaint would go, here's the log entry
I used the od program on another file to check the chunking and it seemed correct, example (not this transmission) shown below
The text was updated successfully, but these errors were encountered: