Enable setting max http header size via environment variable

[hoffmc]

What version of Cloud Foundry and CF CLI are you using? (i.e. What is the output of running cf curl /v2/info && cf version?

2.125.0, 6.41

What version of the buildpack you are using?

1.6.40

If you were attempting to accomplish a task, what was it you were attempting to do?

I need to run a nodejs app on CF with node 8.15 or later while keeping max http header size above 8K.

In node 8.14, there was a breaking change decreasing max http header size from 80K to 8K. This broke our application. node 8.15 added a cli option to set the max http header size. However, setting custom commands for the buildpack is not documented and an enivronment variable, which would imo the best solution, doesn't exist for setting the max http header size option.

See for details:

• https://github.com/nodejs/node/releases/tag/v8.15.0
• cli: add --max-http-header-size flag nodejs/node#24811

This also affects node 6, 10, 11. The maximum header size for recent versions is 8K, but since the latest releases it's possible to configure it via the mentioned command line parameter.

What did you expect to happen?

Make the max http header size configurable in the buildpack via an environment variable.

What was the actual behavior?

Cannot use a node version higher than 8.13 due to the regression in 8.14 and following.

Can you provide a sample app?

For any nodejs app using node 8.14 or higher, requests will fail if header size exceeds 8K.

Please confirm where necessary:

• I have included a log output
• My log includes an error message
• [X ] I have included steps for reproduction

Enable setting max http header size via environment variable

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/163173673

The labels on this github issue will be updated when the story is started.

[kardolus]

Hi @choffmsap! Thanks for reporting your issue.

Have a look at CVE-2018-12121 related to the header size; apparently one can perform a DOS attack with headers larger than 8k.

If you would like to use headers larger than 8k, you may be able to do so by specifying a start command in package.json, like the one below

"scripts": {
    "start": "node server.js --max-http-header-size 81000"
  },

Any chance you could give this a try?

[hoffmc]

Hi @kardolus , thanks for pointing out the way how to modify the startup command.

Your suggestion works, except that there need is = missing, and the parameter needs to be put after the node command, i.e.

"scripts": {
    "start": "node --max-http-header-size=81000 server.js"
  },

I still think that having and optional environment variable would be user-friendly, but this solution works as well.

[tylerphelan]

@choffmsap We think that since this Node change was due to a CVE and that it's possible to set with the start command that it would not be a good idea to offer max http header size as a first-class feature with an environment variable.

If there's more you would like to discuss about this, feel free to re-open this issue and we are happy to re-consider.