nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Worker process aborts (core dumped) when accessing a resource protected by Shibboleth (v.1.24) #55

Closed fluca1978 closed 8 months ago

fluca1978 commented 8 months ago

Describe the bug

I have installed nginx 1.24.0 from nginx Ubuntu repositories, and then with pkg-oss I compiled and installed the modules:

nginx-module-headersmore-dbg_1.24.0+1.0-1~jammy_amd64.deb
nginx-module-headersmore_1.24.0+1.0-1~jammy_amd64.deb
nginx-module-shibboleth-dbg_1.24.0+1.0-1~jammy_amd64.deb
nginx-module-shibboleth_1.24.0+1.0-1~jammy_amd64.deb

If I'm right, the test suite is against nginx 1.23 and less, so using 1.24 could be the problem, but I don't know how to either compile the module against the Ubuntu nginx version (1.18.0, not r1.18.0) or install a packaged 1.22 version from the nginx repository.

I followed the configuration instructions in https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst. When I try to access a normal (unprotected) resource, either http or https, everything works fine. The /Shibboleth.sso provides me the metadata, the /shibauthenticator location (if set not to private) works too, redirecting to the IDP login page, so apparently Shibboleth is working. However, when accessing a protected resource there is no request at all towards the IDP and the connection gets reset on the client.

Expected behaviour

I would expect to be redirected to the IDP login page.

Steps to Reproduce Issue

1) install nginx 1.24.0 from nginx repository on Ubuntu 22.04
2) pkg-oss to build headers_more: sudo sh build_module.sh -n headers_more_nginx -v 1.24.0 https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.36.tar.gz
3) pkg-oss to build shibboleth module: sudo sh build_module.sh -n shibboleth -v 1.24.0 https://github.com/nginx-shib/nginx-http-shibboleth/archive/refs/tags/v2.0.1.tar.gz
4) install the modules produced at steps 2 and 3 via dpkg
5) configure nginx to protect a resource
6) restart nginx and access the resource

Setup & Logs

In the error logs I have:

$ sudo tail /var/log/nginx/error.log 
2023/12/12 12:33:26 [notice] 42805#42805: start worker process 42818
2023/12/12 12:33:26 [notice] 42805#42805: signal 29 (SIGIO) received
2023/12/12 12:33:26 [notice] 42805#42805: signal 17 (SIGCHLD) received from 42817
2023/12/12 12:33:26 [alert] 42805#42805: worker process 42817 exited on signal 11 (core dumped)
2023/12/12 12:33:26 [notice] 42805#42805: start worker process 42819
2023/12/12 12:33:26 [notice] 42805#42805: signal 29 (SIGIO) received
2023/12/12 12:33:26 [notice] 42805#42805: signal 17 (SIGCHLD) received from 42818
2023/12/12 12:33:26 [alert] 42805#42805: worker process 42818 exited on signal 11 (core dumped)
2023/12/12 12:33:26 [notice] 42805#42805: start worker process 42820
2023/12/12 12:33:26 [notice] 42805#42805: signal 29 (SIGIO) received

I made nginx produce a core dump in a common location, but there is not enough information (or I cannot extract it):

$ sudo gdb $(which nginx) /tmp/core.nginx.42806
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/nginx...
(No debugging symbols found in /usr/sbin/nginx)

warning: Can't open file /[aio] (deleted) during file-backed mapping note processing

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 42806]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `nginx: worker process                   '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055997257da32 in ?? ()
(gdb) bt
#0  0x000055997257da32 in ?? ()
#1  0x00005599725e6a23 in ?? ()
#2  0x0000559972553994 in ngx_http_finalize_request ()
#3  0x0000559972546cec in ngx_http_core_access_phase ()
#4  0x00005599725408fd in ngx_http_core_run_phases ()
#5  0x000055997254b9b8 in ngx_http_run_posted_requests ()
#6  0x0000559972534503 in ?? ()
#7  0x000055997252fde4 in ngx_process_events_and_timers ()
#8  0x0000559972535bcb in ?? ()
#9  0x000055997252cf12 in ngx_spawn_process ()
#10 0x000055997252d978 in ?? ()
#11 0x0000559972534ae5 in ngx_master_process_cycle ()
#12 0x0000559972508d39 in main ()

Configuration of the resource:

server {
    listen 80;

    location /test {
        alias /var/www/html/;
        shib_request /shibauthorizer;
        shib_request_use_headers on;
        include shib_clear_headers;
    }

    # FastCGI authorizer for Auth Request module
    location = /shibauthorizer {
        # internal;
        include fastcgi_params;
        fastcgi_pass unix:///tmp/authorizer.socket;
    }

    # FastCGI responder
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:///tmp/responder.socket;
    }
}

Versions and Systems

$ shibd -v
shibboleth 3.3.0

$ nginx -V
nginx version: nginx/1.24.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

fluca1978 commented 8 months ago

I can confirm that installing nginx 1.22.1 and the modules with pkg-oss solved the problem, so it is an incompatibility issue.
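
Added example (not part of the original issue or of the nginx-http-shibboleth project): a small parser for the error.log format quoted above that flags the respawn/crash loop, where one master keeps starting workers that die on the same signal. The function names, the threshold of 2 and the 60-second window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the error.log excerpt quoted in the issue above.
SAMPLE_LOG = """\
2023/12/12 12:33:26 [notice] 42805#42805: start worker process 42818
2023/12/12 12:33:26 [alert] 42805#42805: worker process 42817 exited on signal 11 (core dumped)
2023/12/12 12:33:26 [notice] 42805#42805: start worker process 42819
2023/12/12 12:33:26 [alert] 42805#42805: worker process 42818 exited on signal 11 (core dumped)
"""

# Matches only abnormal exits ("exited on signal N"), not "exited with code N".
EXIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] (?P<master>\d+)#\d+: "
    r"worker process (?P<worker>\d+) exited on signal (?P<signal>\d+)"
    r"(?P<core> \(core dumped\))?"
)

def parse_worker_exits(log_text):
    """Return one dict per 'worker process N exited on signal S' line."""
    events = []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "master": int(m["master"]), "worker": int(m["worker"]),
                "signal": int(m["signal"]), "core_dumped": m["core"] is not None,
            })
    return events

def find_crash_loops(events, threshold=2, window=timedelta(seconds=60)):
    """Flag (master, signal) pairs with >= threshold worker deaths inside window."""
    groups = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        groups.setdefault((ev["master"], ev["signal"]), []).append(ev)
    loops = []
    for (master, signal), evs in groups.items():
        start, best = 0, []
        for end in range(len(evs)):
            # Shrink the sliding window until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            loops.append({"master": master, "signal": signal,
                          "workers": [e["worker"] for e in best]})
    return loops
```
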