Problem with POST and Firefox over HTTP/2
Nick Lavlinsky - Method Lab
nick at methodlab.info
Thu Apr 28 14:50:42 UTC 2016
Hello!
I recently ran into a strange problem.
In recent versions of Firefox (definitely in 46), when trying to send a
POST request over HTTP/2 after about 5 minutes of idle time, we get the
error: Unable to establish a secure connection (in the Network panel the
request status is Aborted). If idle periods are avoided (requests are
sent frequently), the problem does not occur.
The same system, the same server, but with the Chrome 50 browser: no problems.
There is nothing in the Nginx logs except in error_log:
13597#13597: *5 client sent stream with data before settings were
acknowledged while processing HTTP/2 connection
However, this line also appears when working through Chrome, but causes no problems there.
Client machine: Ubuntu 16.04, Firefox 46 (from the standard packages).
Server: Ubuntu 14.04.
nginx -V
nginx version: nginx/1.9.15
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic
--with-http_geoip_module=dynamic --with-http_perl_module=dynamic
--add-dynamic-module=debian/extra/njs-1c50334fbea6/nginx --with-threads
--with-stream --with-stream_ssl_module --with-http_slice_module
--with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
--with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
-Wl,-z,relro -Wl,--as-needed'
nginx configuration:
user www-data;
worker_processes 8;
worker_rlimit_nofile 30000;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
    worker_connections 8192;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    access_log /var/log/nginx/access.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    reset_timedout_connection on;
    keepalive_timeout 120;
    keepalive_requests 1000;
    send_timeout 1200;
    server_tokens off;
    client_body_timeout 30;
    client_header_timeout 30;
    types_hash_max_size 2048;
    server_names_hash_max_size 4096;
    # Common limits
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    client_body_temp_path /var/nginx/client_body_temp;
    proxy_connect_timeout 5;
    proxy_send_timeout 10;
    proxy_read_timeout 10;
    proxy_buffer_size 4k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_temp_path /var/nginx/proxy_temp;
    gzip on;
    gzip_static on;
    gzip_types text/plain text/css text/xml
        application/x-javascript application/msword application/rtf
        application/pdf application/vnd.ms-excel image/x-icon image/svg+xml
        application/x-font-ttf;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_disable "msie6";
    gzip_vary on;
    #open_file_cache max=10000 inactive=5m;
    #open_file_cache_valid 5m;
    #open_file_cache_errors on;
    proxy_cache_valid 1h;
    proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
    proxy_cache_path /usr/local/nginx/cache levels=1:2 keys_zone=one:100m;
    fastcgi_cache_path /usr/local/nginx/cache2 levels=1:2 keys_zone=two:100m;
    limit_conn_zone $binary_remote_addr zone=lone:10m;
    limit_req_zone $binary_remote_addr zone=ltwo:10m rate=3r/s;
    limit_req_zone $binary_remote_addr zone=highspeed:10m rate=10r/s;
    log_format postdata '$remote_addr - $time_local - $request_body';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_session_timeout 28h;
    ssl_dhparam /etc/nginx/dhparams.pem;
    #ssl_buffer_size 4k;
    http2_idle_timeout 10m;
    resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
    resolver_timeout 5s;
    # For a hands-on explanation of using Accept negotiation, see:
    # http://www.igvita.com/2013/05/01/deploying-webp-via-accept-content-negotiation/
    # For an explanation of how to use maps for that, see:
    # http://www.lazutkin.com/blog/2014/02/23/serve-files-with-nginx-conditionally/
    map $http_accept $webp_suffix {
        "~*webp" ".webp";
    }
    map $msie $cache_control {
        "1" "private";
    }
    map $msie $vary_header {
        default "Accept";
        "1" "";
    }
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Configuration of the server where the problem occurs:
server {
    listen 85.236.3.115;
    listen 192.168.0.200;
    server_name 4snext.metodlab.ru;
    rewrite ^(.+)$ https://4snext.metodlab.ru$1;
}
server {
    listen 85.x.x.x:443 ssl http2;
    listen 192.1xx.x:443 ssl http2;
    ssl_certificate /ee.crt;
    ssl_certificate_key /e.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/bundle.crt;
    add_header Strict-Transport-Security max-age=31536000;
    server_name xxxxxdlab.ru;
    error_log /var/log/nginx/multisite_next_error.log;
    charset utf8;
    location / {
        proxy_pass http://127.0.0.1:9090/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 1g;
        proxy_connect_timeout 60;
        proxy_send_timeout 1200;
        proxy_read_timeout 1200;
        limit_conn lone 20;
        limit_req zone=ltwo burst=6 nodelay;
        #access_log /var/log/nginx/postdata-msnext.log postdata;
    }
    location ^~ /pcgi/(internal|tmp|_session)/ {
        deny all;
    }
    location ^~ /pcgi/modules/ {
        location ~* \.(ttf|eot|svg|woff|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|docx|xlsx|pptx|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|avi|swf|php)$ {
            expires 1y;
            root /home/httpd/multisite;
        }
    }
    location ~* robots.txt {
        expires 1y;
        root /etc/nginx;
    }
    # Static files location
    location ~* \.(ttf|eot|svg|woff|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|docx|xlsx|pptx|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|avi|swf|php)$ {
        expires 1y;
        root /home/httpd/multisite_next/htdocs;
    }
}
--
Best regards,
Nikolay Lavlinsky,
Method Lab: we do it right!
www.methodlab.ru
+7 (499) 519-00-12