New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Puma errors and performs badly when receiving a non-HTTPS request while TLSv1.3-configured #2115
Comments
Ok, so it seems like there is both a problem with my setup and with Puma:
|
What version of OpenSSL are you using? Could this be using TLSv1.3? If so, somewhere I have code for this (guard against HTTP req to HTTPS). It was specific to TLSv1.3, TLSv1.2 seemed ok? |
What exactly do you mean by "guarding" HTTP request to HTTPS port? I am not sure I understand what behavior should be expected in that case. |
I reopened #986, which is about error messages to SSL-conf pumas. In that case though, people get Puma::HttpParserError when making a non-SSL request to an SSL-configured Puma. |
I don't recall the details, as some of this goes back to when 1.1.1 was in beta. It is TLSv1.3 specific. I might equate "How should OpenSSL respond to a HTTP/non-SSL request when the server connection is HTTPS/SSL?" to the question of "How should a mail server respond to dictionary attacks?". Somewhere, maybe the OpenSSL wiki, they specifically mention TLSv1.3, how the new behavior is different, and how it may affect servers designed to handle multiple requests, with obviously the ability to only handle a finite number of them. I'll look for my old code. In the meantime, maybe someone can use the test framework to throw a bunch of HTTP requests at a Puma server configured for SSL (using OpenSSL 1.1.1d) and see what happens? All the CI on Actions using Ruby 2.5 and later uses 1.1.1d... |
Thanks, @MSP-Greg for the detailed answer. To whomever might be interested in the setup, I managed to get everything working with Puma: Therefore I am indeed pretty sure that the issue is only happening when sending a plain HTTP request to an HTTPS port - at least when using TLS 1.3 (since the same setup with Serveo was working in the past - the only thing that I can think about that changed are the OpenSSL/TLS version) |
Awesome. I will close, as this issue is now linked to our main issue for "we need more descriptive errors when Puma gets a HTTP connection when configured for HTTPS" 👍 |
@nateberkopec fine, but I believe it's a bit more than just needing "more descriptive errors". |
@MSP-Greg agree? |
Yes. I think. Considering:
That's more in line with what I recall. IOW, the http connection was not closed ASAP and held server resources. From what I recall, the code I had set a fixed time that a connection's handshake had to be completed in. If it wasn't, it was closed and removed. I think it only did so if the connection was considered TLSv1.3, which seems to happen with an HTTP connection since there's no 'downgrade' mechanism. I think. Let me find that code. |
@MSP-Greg sorry for the delay. Thanks for the PR ! So, I did the following: Using the same config as above while simply removing the
SSH log shows that the requet is going through:
Rails and Puma are logging nothing. So bottom line, it works in the sense that it is not throwing errors anymore nor timed out, but it's also not indicative at all of what's happening, which could be confusing for some. Not sure if that's the intended behavior. My suggestion is to make it a bit more verbose - if not actually responding to requests like Passenger does - maybe at least showing that the request was received & closed in the logs. EDIT:
I won't be of much help on the PR itself as I am not familiar with Puma internals, but as I understand it what I suggested above might be a bit more tricky than I thought. |
I tried to reproduce this directly against Puma 4.3.3 in macOS (using
@nakwa you are only able to trigger the error using your proxy setup, right? |
@dentarg , not necessarily, I was able to isolate the problem and reproduce it with the proxy setup, but I am pretty sure I also ran into this in other contexts, for instance while querying rails locally from other services (that is, other microservices in my setup). |
The bug: Timeout / Puma throwing an error when querying Rails through a reverse proxy.
This is similar to #1708 but I thought it was worth summarizing/detailing again, in a separate issue (also because the context/usage is different).
SSH Outputs (reverse proxy forwarding):
The browser ends-up with a gateway time-out response from Nginx (reverse-proxy server):
The error above is only thrown on timeout, or on canceling the request.
Puma config:
To Reproduce
It works fine. Of course, both 80 and 443 are open and accessible. LetsEncrypt certificate is valid.
Expected behavior
I expect to be able to query the rails app using https, through the proxy server.
I tried many different configurations, clean install, ways of installing OpenSSL/LibreSSL, using ngrok, Serveo, setting up owner reverse proxy (current setup described), different ways of generating the SSL certificates. No chance so far.
I also tried forking and updating Puma/reactor.rb accordingly to the suggestion of @MSP-Greg in #1708 (#1708 (comment)). In that case it doesn't throw anything right away, but ends up timing-out and crashing.
I am not comfortable playing with OpenSSL & co, so I am still not sure whether this is an issue from Puma, or if something could be fixed in my setup.
Desktop:
Question:
Referring to #1708 (comment) , would attempting to disable/prevent Tls 1.3 on Nginx be of any help?
The text was updated successfully, but these errors were encountered: