SPDY68 / POST to proxy / nginx worker segfault
Phil Pennock
nginx+phil at spodhuis.org
Tue Mar 12 18:24:45 UTC 2013
nginx 1.3.14, SPDY patch version 68.
Sitting in front of a PGP keyserver, with configuration as below, if I
have "spdy" on the "listen" lines, then Chrome gets an error for no data
returned and I get errors in errorlog:
2013/03/12 18:08:43 [alert] 8546#0: worker process 8815 exited on signal 11
2013/03/12 18:09:35 [alert] 8546#0: worker process 9085 exited on signal 11
2013/03/12 18:09:36 [alert] 8546#0: worker process 9089 exited on signal 11
Below, nginx version output, nginx.conf server block, and curl output
from a working query when SPDY is enabled but not used (because it's
curl), over https.
(The server in this case has a cert from my private CA;
https://www.security.spodhuis.org/ has details, including PGP
signature, if anyone wants to verify.)
----------------------------8< cut here >8------------------------------
# nginx -V
nginx version: nginx/1.3.14
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx-error.log --user=www --group=www --with-file-aio --with-ipv6 --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx-access.log --add-module=/usr/ports/www/nginx-devel/work/giom-nginx_accept_language_module-02262ce --add-module=/usr/ports/www/nginx-devel/work/samizdatco-nginx-http-auth-digest-bd1c86a --with-http_dav_module --with-http_gunzip_module --with-http_stub_status_module --add-module=/usr/ports/www/nginx-devel/work/masterzen-nginx-upload-progress-module-a788dea --add-module=/usr/ports/www/nginx-devel/work/nginx_upstream_fair-20090923 --add-module=/usr/ports/www/nginx-devel/work/nginx_upstream_hash-0.3.1 --add-module=/usr/ports/www/nginx-devel/work/nginx-sticky-module-1.0 --add-module=/usr/ports/www/nginx-devel/work/simpl-ngx_devel_kit-48bc5dd --add-module=/usr/ports/www/nginx-devel/work/agentzh-encrypted-session-nginx-module-c752861 --add-module=/usr/ports/www/nginx-devel/work/arut-nginx-let-module-a5e1dc5 --with-pcre --add-module=/usr/ports/www/nginx-devel/work/agentzh-set-misc-nginx-module-658c235 --add-module=/usr/ports/www/nginx-devel/work/yaoweibin-nginx_tcp_proxy_module-b83e5a6 --with-http_spdy_module --with-http_ssl_module
----------------------------8< cut here >8------------------------------
----------------------------8< cut here >8------------------------------
server {
    # need default_server for SNI to work with session resumption, unless
    # you accept the same SSL cache. Hrm. We do, for now.
    listen 94.142.241.93:443 ssl;
    listen [2a02:898:31:0:48:4558:73:6b73]:443 ssl;
    server_name sks.spodhuis.org;

    ssl on;
    ssl_certificate /www/conf/tls/ssl-sks-web.crt;
    ssl_certificate_key /www/conf/tls/ssl-sks-web.key;
    ssl_verify_client off;

    access_log /var/log/nginx/sks-tls.log combine-tls;

    location / {
        root /www/sites/sks.spodhuis.org/content;
        index index.html;
    }

    location ~ /\. {
        deny all;
    }

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_pass_header Server;
        add_header Via "1.1 sks.spodhuis.org:443 (nginx)";
        proxy_ignore_client_abort on;
    }

    location /sks-peers {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
----------------------------8< cut here >8------------------------------
% gpg -a --export $gpg_key_work | curl --data-urlencode keytext@- -vs https://sks.spodhuis.org/pks/add 2>&1 | pbcopy
----------------------------8< cut here >8------------------------------
* About to connect() to sks.spodhuis.org port 443 (#0)
* Trying 2a02:898:31::48:4558:73:6b73...
* Failed to connect to 2a02:898:31::48:4558:73:6b73: No route to host
* Trying 94.142.241.93...
* Connected to sks.spodhuis.org (94.142.241.93) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: C=NL; ST=Noord Holland; O=GlobNIX Systems; CN=sks.spodhuis.org; emailAddress=keyserver at spodhuis.org
* start date: 2011-08-10 04:59:54 GMT
* expire date: 2013-05-01 04:59:54 GMT
* subjectAltName: sks.spodhuis.org matched
* issuer: C=US; O=GlobNIX Systems; OU=Certification Authority; CN=GlobNIX Certificate Authority 3; emailAddress=certificates at globnix.org
* SSL certificate verify ok.
> POST /pks/add HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sks.spodhuis.org
> Accept: */*
> Content-Length: 18437
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
} [data not shown]
< HTTP/1.1 200 OK
< Date: Tue, 12 Mar 2013 18:22:58 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 129
< Connection: keep-alive
< Server: sks_www/1.1.4
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< X-HKP-Results-Count: 1
< Via: 1.1 sks.spodhuis.org:443 (nginx)
<
{ [data not shown]
* Connection #0 to host sks.spodhuis.org left intact
<html><body>Key block added to key server database.
New public keys added: <br>1 key(s) added successfully.<br></html></body>
----------------------------8< cut here >8------------------------------
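
Added example, not part of the original post and not nginx project code: a small error-log check that flags a master process whose workers repeatedly exit on signal 11 (SIGSEGV), as in the alert lines quoted above. The function names, the threshold of 3 and the 5-minute window are assumptions chosen for illustration; the sample log is constructed from the three quoted lines plus one invented non-matching line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the three alert lines quoted in the post, plus one
# invented unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = """\
2013/03/12 18:08:43 [alert] 8546#0: worker process 8815 exited on signal 11
2013/03/12 18:09:35 [alert] 8546#0: worker process 9085 exited on signal 11
2013/03/12 18:09:36 [alert] 8546#0: worker process 9089 exited on signal 11
2013/03/12 18:10:02 [notice] 8546#0: signal process started
"""

# No end anchor, so a trailing suffix such as " (core dumped)" still matches.
WORKER_EXIT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] "
    r"(?P<master>\d+)#\d+: worker process (?P<worker>\d+) "
    r"exited on signal (?P<sig>\d+)"
)

def parse_worker_exits(text):
    """Return (timestamp, master_pid, worker_pid, signal) per matching line."""
    events = []
    for line in text.splitlines():
        m = WORKER_EXIT.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m["master"]), int(m["worker"]), int(m["sig"])))
    return events

def crash_bursts(events, threshold=3, window=timedelta(minutes=5), fatal=(11,)):
    """Map master PID -> worker PIDs for the first burst of fatal exits."""
    by_master = defaultdict(list)
    for ts, master, worker, sig in sorted(events):
        if sig in fatal:
            by_master[master].append((ts, worker))
    flagged = {}
    for master, hits in by_master.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[master] = [w for _, w in hits[start:end + 1]]
                break
    return flagged

if __name__ == "__main__":
    print(crash_bursts(parse_worker_exits(SAMPLE_LOG)))
```
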