-
-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reproducible HTTP 502 error in OAuth /oauth/authorize #12915
Comments
I took some time looking through the logs but couldn't find anything helpful, sorry! |
Hey @ashfurrow, I've been hitting this again recently, so I did some digging, and I can only reproduce it on mastodon.technology, not on other 3.4.1 instances like eg mastodon.art. So, I suspect it might be specific to your fork or config. Details below. Let me know if you want me to file an issue on https://github.com/ashfurrow/mastodon/issues! It looks like there's an overall character limit on the URL or path or query string. For example, this URL correctly returns an error that the client id is invalid: ...and if I fill in a valid client id and secret, it works. However, if I add a few characters, eg: ...it 502s, even with a valid client id/secret. If I remove characters from the query string, regardless of where, the 502 goes away. (Oddly, the exact limit seems a bit flaky. I'm hitting it around 551 chars, but it's not always exactly the same. Maybe it's overall HTTP request payload, including headers, which vary a bit due to timestamps or something similar?) I can add many more characters to the end on eg mastodon.art, and it doesn't 502 the same way: |
still flaky on mastodon.technology, details in mastodon/mastodon#12915 (comment)
Apologies, it may not be mastodon.technology specific after all. I see it on the other two instances I originally tested this on too, mas.to and mstdn.social, both 3.4.1. Here are the longest Adding a character to the end of either one triggers the 502. (And again, it doesn't seem to be perfectly consistent, sometimes it's a few characters in either direction.) Odd that I can't trigger it on mastodon.art though! |
My users are continuing to hit this on a growing number of interactions with Mastodon OAuth, now sometimes even on initial login. I may look at debugging and fixing it myself soon. |
Haven't yet been able to reproduce this against a local Mastodon server built from HEAD. It handled this 785-character URL fine:
|
Production Mastodon instances still 502 though, eg mastodon.technology:
(Not that exact URL, of course, since I've redacted the client id and secret. Happy to provide the exact URL somewhere non-public if anyone wants to dig in.) |
I have a similar issue since this morning with mastodon.social running 3.4.6. |
I suspect that it doesn't happen on localhost because the error is returned by nginx. Mastodon does not return HTTP 502 errors on its own. HTTP 502 means "Bad gateway" and means nginx could not get or process the response from the gateway (Mastodon). I believe I found the corresponding error in /var/log/nginx/error.log:
|
The "solution" is to increase the size of the proxy buffers in nginx, but this isn't really a distributable solution, and I'm concerned about the implications on other types of requests. It seems like it could be a mistake on behalf of the doorkeeper gem in sending back a header that's way too long. |
Thank you for investigating! |
Any mitigations identified (even to go from very flaky to somewhat flaky) or possible for the workaround nginx proxy buffer increase to be done for mastodon.social ? Currently blocking all signup attempts from Bridgy EDIT: It repeatedly failed when trying from Firefox (container) where i was logged in to Mastodon.social, but it worked in Chromium where i was not logged in. Confirmed that simply logging out before trying to authorize was a consistent workaround for me, regardless of browser/container. |
Can confirm @mlncn's workaround:
|
@Nezteb @mlncn confirmed, that workaround works for me too! I'll follow up in doorkeeper-gem/doorkeeper#1554 |
workaround was working for me, but stopped over the weekend. Tested on 2 computers (both macOs, chrome), on regular window and also incognito |
I can confirm that using the proxy buffer settings mentioned here for my Mastodon instance Nginx configuration did indeed fix the 502 errors. |
My (and other) users keep hitting this and getting confused and blocked by it. It's preventing a sizeable fraction of them from using my service at all. @Gargron @ClearlyClaire and other maintainers, I understand that you're reluctant to increase the nginx proxy buffer sizes, but as people have confirmed here and in doorkeeper-gem/doorkeeper#1554 (comment), it clearly does fix this problem. The lengths of the redirect URLs and headers from doorkeeper seem correct, not a mistake. Could we increase the proxy buffers a moderate amount, so that it's hopefully not too invasive but still solves the problem? |
I ended up working around this by storing the OAuth redirect state in memory on my end, which let me reduce the redirect URL length. I'll leave this open to track on Mastodon's end. |
Thank you. I added these three lines:
I think they could technically go in a http, server, or location block, but I chose to add them to the |
Hi all! I keep hitting a 502 in
/oauth/authorize
in 3.0.1. Is this a known issue? Here are the steps to reproduce:/oauth/token
./oauth/token
.state
, eg:This last request 502s with the standard We're sorry, but something went wrong on our end. error page.
I tried three 3.0.1 instances just now - 2020-01-21 05:36:12 UTC on mastodon.technology, 05:49:03 mas.to, 06:10:37 mstdn.social - and they all behaved the same way.
Any idea what's going on? My only guess is that the
state
in the last request is longer than some limit, but that seems unlikely. (It was originally 331 chars before I redacted parts of it.)@ashfurrow, any chance you could look through the mastodon.technology logs around that time ^ and see if you can correlate the
/oauth/authorize
502 with anything?Thanks in advance!
The text was updated successfully, but these errors were encountered: