[英]502 bad gateway, header size
由於我們的組織正在為員工使用 SSO,當用戶嘗試使用 shibboleth 登錄時,我們會收到 502 錯誤網關。
擁有更多組訪問權限並嘗試登錄的用戶會收到 502,但訪問權限較少的用戶可以登錄。
所有訪問的最大 header 大小為 32768。
我們在 docker 中嘗試了--max-http-header-size 42768
,但它沒有幫助。 正常訪問的用戶(小於 header 大小)可以登錄。
我們的設置:VM1 托管 nginx 作為反向代理。 配置如下。 VM2主機多台docker。
server {
listen 80;
server_name **********;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
client_body_timeout 60s;
client_header_timeout 60s;
keepalive_timeout 70s;
send_timeout 60s;
client_body_buffer_size 32k;
client_header_buffer_size 32k;
client_max_body_size 0;
large_client_header_buffers 4 32k;
access_log off;
error_log /data/nginx/logs/****_error.log warn;
location / {
proxy_pass http://******:8098;
}
}
Error log:
2019/09/25 10:25:38 [error] 20070#0: *123 upstream prematurely closed
connection while reading response header from upstream, client: ****,
server: ******, request: "GET /auth/shibboleth?redirect=L2FjY291bnQ=
HTTP/1.1", upstream: "http://******:8098/auth/shibboleth?redirect=L2FjY291bnQ=",
host: "*****", referrer:
"https://******/profile/SAML2/Redirect/SSO?execution=e1s2"
2019/09/25 10:25:50 [error] 20070#0: *125 upstream prematurely closed
connection while reading response header from upstream, client: ****,
server: *****, request: "GET / HTTP/1.1", upstream: "http://****:8098/",
host: "*****"
Docker setup
FROM node:8-alpine as intermediate
RUN apk add --no-cache git openssh alpine-sdk python2
RUN python2 -m ensurepip && \
rm -r /usr/lib/python*/ensurepip && \
pip install --upgrade pip setuptools && \
if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python2
/usr/bin/python; fi
WORKDIR /usr/src/app
RUN touch config.js && mkdir config
COPY package*.json ./
RUN http_proxy="http://****:3128" https_proxy="http://****:3128" npm install
COPY . .
RUN rm -rf .private
FROM node:8-alpine
WORKDIR /usr/src/app
COPY --from=intermediate /usr/src/app /usr/src/app
EXPOSE 8080
CMD [ "node", "app.js", "-p 8080" ]
這顯然很常見。 修復:
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
參見例如
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.