Secure headers prevent bun.sh with GLS (Generic Language Support) from responding properly, giving the response "Incomplete response received from application".
I'm looking for a config to disable it, but I think there's none.
Bun.sh has an issue where it ignores HTTP requests with weird characters in the header keys. There's an ongoing fix for some characters, but I don't think it will fix the !~ prefix given by Passenger, because these characters are non-standard.
What is the expected behavior?
No !~Passenger-Client-Address header is sent, so Bun.sh runs correctly.
What is the actual behavior?
There's a !~Passenger-Client-Address header sent to Bun.
How can we reproduce it?
Set up an NGINX server with:
server {
    ....
    passenger_enabled on;
    passenger_app_start_command "env PORT=$PORT strace -e recvfrom,sendto -s 1000 -o strace_output.txt bun app.ts";
}
app.ts:
const server = Bun.serve({
    port: parseInt(Bun.env.PORT || "3000"),
    fetch(request) {
        return new Response("Welcome to Bun!");
    },
});
Output from strace_output.txt:
sendto(12, [{nlmsg_len=20, nlmsg_type=RTM_GETADDR, nlmsg_flags=NLM_F_REQUEST|NLM_F_DUMP, nlmsg_seq=1707147534, nlmsg_pid=0}, {ifa_family=AF_UNSPEC, ...}], 20, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 20
recvfrom(15, "GET / HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\ncache-control: max-age=0\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nupgrade-insecure-requests: 1\r\nX-Forwarded-For: 125.164.19.220\r\n!~Passenger-Client-Address: 125.164.19.220\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 416
recvfrom(15, "GET /favicon.ico HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\nreferer: http://susqohu.sga.dom.my.id/\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nX-Forwarded-For: 125.164.19.220\r\n!~Passenger-Client-Address: 125.164.19.220\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 411
recvfrom(16, "GET / HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\ncache-control: max-age=0\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nupgrade-insecure-requests: 1\r\nX-Forwarded-For: 125.164.16.49\r\n!~Passenger-Client-Address: 125.164.16.49\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 414
recvfrom(15, "GET /favicon.ico HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\nreferer: http://susqohu.sga.dom.my.id/\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nX-Forwarded-For: 125.164.16.49\r\n!~Passenger-Client-Address: 125.164.16.49\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 409
(Notice there's recvfrom but no sendto; it didn't send anything.)
This is a test running env PORT=49999 strace -e recvfrom,sendto -s 1000 -o strace_output.txt bun app.ts:
recvfrom(13, "GET / HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:47 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET /favicon.ico HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:47 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET / HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:48 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET /favicon.ico HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:48 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "", 524288, MSG_DONTWAIT, NULL, NULL) = 0
Notice there's recvfrom and sendto. Responses sent successfully.
Question 5: Your app's programming language (including any version managers) and framework (including versions):
Bun 1.0.26, NGINX 1.22.1
Question 7: Anything else about your setup that we should know?
I just want an option to disable secure headers, if any.
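Added example, not part of the original report and not Passenger or Bun code: a TypeScript check that takes a raw request head shaped like the ones in the strace capture, classifies each header name against the RFC 9110 `token` grammar, and flags the `!~`-prefixed names, so the header a backend parser stops on can be identified from a capture. The names `classifyHeaders` and `stripSecureHeaders`, the host name and the addresses in `SAMPLE` are constructed for illustration; `stripSecureHeaders` is a hypothetical filter showing what a shim in front of the app would have to do, not an existing Passenger option.

```typescript
// RFC 9110 section 5.6.2: a field name is a "token" = 1*tchar.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

interface HeaderFinding {
  name: string;
  validToken: boolean;      // every character of the name is a tchar
  passengerSecure: boolean; // name carries the "!~" prefix seen in the capture
}

// Split a raw HTTP/1.1 message into its head and the remainder
// (the remainder keeps the blank-line terminator and any body).
function splitHead(raw: string): [string, string] {
  const end = raw.indexOf("\r\n\r\n");
  return end === -1 ? [raw, ""] : [raw.slice(0, end), raw.slice(end)];
}

// Classify every header line after the request line.
function classifyHeaders(raw: string): HeaderFinding[] {
  const [head] = splitHead(raw);
  return head.split("\r\n").slice(1).filter((l) => l.length > 0).map((line) => {
    const colon = line.indexOf(":");
    const name = colon === -1 ? line : line.slice(0, colon);
    return {
      name,
      validToken: TCHAR.test(name),
      passengerSecure: name.startsWith("!~"),
    };
  });
}

// Hypothetical shim logic: drop "!~"-prefixed header lines and leave the
// request line, the other headers and the body untouched.
function stripSecureHeaders(raw: string): string {
  const [head, tail] = splitHead(raw);
  const kept = head.split("\r\n").filter((l, i) => i === 0 || !l.startsWith("!~"));
  return kept.join("\r\n") + tail;
}

// Constructed sample modelled on the captured requests (placeholder host and IPs).
const SAMPLE =
  "GET / HTTP/1.1\r\nConnection: close\r\nhost: app.example.test\r\n" +
  "X-Forwarded-For: 192.0.2.10\r\n!~Passenger-Client-Address: 192.0.2.10\r\n\r\n";

for (const f of classifyHeaders(SAMPLE)) {
  console.log(f.name, "token:", f.validToken, "secure:", f.passengerSecure);
}
```

A backend that receives the stripped request no longer sees the client address Passenger supplied in that header, so any logic relying on it has to use another source.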