RX_OVERFLOW returns TCP reset instead of HTTP 414 #2735
Comments
|
I agree with the gist of this, except that "414 URI Too Long" doesn't sound right, unless it was just the URI that lead to the overflow (which would really be something). "413 Payload Too Large" appears to be the right response for this: BTW @sgran +1 for the avatar. |
|
Hi, Yeah, I am seeing this for the request URI (which is amazing), but it's because the query params are being programmatically generated from other request/reply events - our clients need to learn how to ask for pages instead of all things all at once. I can see that differentiating between URI and other headers in the return code might be a good thing, so perhaps they do want different responses. |
|
We talked about some possible approaches at bugwash today, but @bsdphk was not around and we want to get his input. A point that was mentioned is that closing the connection causes the least amount of processing for abusive clients -- avoids Varnish getting DOSsed by a flood of oversized requests. But that doesn't mean that we aren't open to different solutions (just not ready to decide today). |
|
I quite understand. I got the impression from reading over the structure of things that this is on purpose, and it makes sense in many settings. I guess I'm hoping for a way to override the default behaviour with either a config switch or in VCL. |
|
Originally we decided to just close on abusive input, to improve DoS resistance. That still sounds sensible to me, but if there is a need for more civilized behaviour, we could make a feature to control it (default open to discussion) |
|
We bugwashed it, and my previous comment stands. If we want to modulate behaviour, it has to be a featureflag, we cannot ask VCL since we cannot represent the request for inspection. |
|
I have varnish behind nginx. |
|
I will find someone to work on this. |
We have a edit: quick search yields |
|
in nginx I have I tightened uri length limit in nginx and avoid RX_OVERFLOW, but others can encounter it too |
Hi there,
I'm uncertain about whether I am seeing correct behaviour in varnish or not. I am looking at how varnish handles RX_OVERFLOW, and it seems like there is a better behaviour available than closing the socket - HTTP 414 seems designed for this case.
As I say, I'm not certain whether you consider this a bug. I quite understand that closing the connection is the simplest way to deal with an overlong request header. I have a use case where it would be better for my clients if we sent them a 4xx response code for these - request parameters that we see are typically generated programmatically from the output of other queries, so can have quite large sets of parameters to iterate over. It's not the end of the world if each client has to learn that "connection reset" ends up meaning the same thing as "HTTP 414", but it would make it simpler to explain to them what's going on if they were getting a 4xx error code.
The behaviour appears to be by design and not an accident of compilation, but we have seen this behaviour on various versions of varnish from 4.1 to 6.0, on Debian and Ubuntu.
The text was updated successfully, but these errors were encountered: