maxHeaderSize option on HTTPS server is not working #38954
Comments
Linking for reference: nodejs/help#3401
Hi, @SantanM. How do you generate headers for your request? If possible, could you provide a code snippet containing both server and request? It would be very helpful. I've written a case with testing tools of Node.js, it passes on v12.19.0 (interestingly, fails on v14 and above, it seems maxHeaderSize is ignored (always 200)? but it may be different issue I guess...)

```js
'use strict'
const assert = require('assert');
const common = require('../common');
const https = require('https');
const fixtures = require('../common/fixtures');
const options = {
  key: fixtures.readKey('agent1-key.pem'),
  cert: fixtures.readKey('agent1-cert.pem')
};
const maxHeaderSize = 8192
const body = 'hello world\n';
const serverCallback = function (req, res) {
  res.writeHead(200, { 'content-type': 'text/plain' });
  res.end(body);
};
// test header size is larger than maxHeaderSize
{
  const server = https.createServer({
    ...options,
    maxHeaderSize
  }, serverCallback)
  server.listen(0, common.mustCall(() => {
    const serverPort = server.address().port
    const reqOptions = {
      hostname: '127.0.0.1',
      port: serverPort,
      path: '/',
      method: 'GET',
      rejectUnauthorized: false,
      headers: {
        "h": 'a'.repeat(maxHeaderSize + 1)
      }
    };
    const req = https.request(reqOptions, common.mustCall((res) => {
      assert.strictEqual(res.statusCode, 431)
      res.on('data', function (d) {
      });
      res.on('end', common.mustCall(() => {
        server.close()
      }))
    })).end()
  }))
}
// test header size is in the range
{
  const server = https.createServer({
    ...options,
    maxHeaderSize
  }, serverCallback)
  server.listen(0, common.mustCall(() => {
    const serverPort = server.address().port
    const reqOptions = {
      hostname: '127.0.0.1',
      port: serverPort,
      path: '/',
      method: 'GET',
      rejectUnauthorized: false,
      headers: {
        // some other header overhead
        "h": 'a'.repeat(maxHeaderSize - 200)
      }
    };
    const req = https.request(reqOptions, common.mustCall((res) => {
      assert.strictEqual(res.statusCode, 200)
      res.on('data', function (d) {
      });
      res.on('end', common.mustCall(() => {
        server.close()
      }))
    })).end()
  }))
}
```
Well, never mind,
Thanks for checking. Keep us updated on the next plan.
Being able to set
I think
The doc is wrong. For now, I think the only way to control the maximum header size of a HTTPS Server is via CLI option Also, it seems fairly simple to bring
Fixes: #38954 PR-URL: #38992 Refs: #30570 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
@Ayase-252 - Will the changes you made be replicated to lower versions, more particularly to v14.XX? Could you confirm?
@SantanM I think it has been released in v16.5.0. It has not been backported to v14.x yet. Hopefully soon.
What steps will reproduce the bug?
Creating a server using HTTPS module with option maxHeaderSize, like below. While increasing maxHeaderSize, the server still shows 431 error for large header.
How often does it reproduce? Is there a required condition?
It seems (according to the documentation) the options of HTTP server are applicable to HTTPS, but the value does not seem to work in my case (seeing 431 error always)
What is the expected behavior?
In doing so, I am expecting the large header sent to the server is accepted and does not return 431 error.
What do you see instead?
HTTP 431 error
Additional information
The test cases of maxHeaderSize option are covered only for HTTP Server module and not HTTPS. I don't think it has been tested with HTTPS module.