Nginx throws a 502 (invalid header) when downloading a file attachment if filename has a space chara

musicdenotation · March 23, 2014, 11:36pm

Hello,
I have nginx set as a reverse proxy for a mail server and it throws this
502 (invalid header) error while trying to fetch a file with a space in
the
filename. Any clues on where is this bug in the nginx code ? I searched
on
the net and found this one forum but it points to some issue in the java
code (not sure where that is as nginx is pretty much in C

Thanks
-Kunal

Kunal_P · March 24, 2014, 1:07am

Hi,

I have nginx set as a reverse proxy for a mail server and it throws
this 502 (invalid header) error while trying to fetch a file with a
space in the filename. Any clues on where is this bug in the nginx code?

Prior to jumping to conlusion about bugs in nginx, how does this
response
header actually look like?

Section 19.5.1 in RFC2616 [1] mandates the content of the filename-parm
needs to be a quoted string:

filename-parm = “filename” “=” quoted-string
[…]
An example is
Content-Disposition: attachment; filename=“fname.ext”

Does your response header correctly quote the filename?

Regards,

Lukas

[1] HTTP/1.1: Appendices

Kunal_P · March 24, 2014, 3:11am

What debugs should i enable & how to see these response headers ? I do
see
this error though.

2014/03/03 14:04:32 [error] 11259#0: *6 upstream sent invalid header
while reading response header from upstream, client: 127.0.0.1,
server: xxx.default, request: “GET
/service/home/~/?auth=co&loc=en_GB&id=259&part=3 HTTP/1.1”, upstream:
“https://127.0.1.1:8443/service/home/~/?auth=co&loc=en_GB&id=259&part=3”,
host: “xxx”, referrer: “https://xxx/ https://server.zimbra.com/”

So can this be that the upstream is sending the right header (because it
works fine when there is no space in the filename) but nginx is parsing
it
incorrectly ?

Thanks
-Kunal

Kunal_P · March 24, 2014, 11:57am

Hi,

What debugs should i enable & how to see these response headers ? I do
see this error though.

Just use curl for example and request it directly from your backend:
curl -k -I
“https://127.0.1.1:8443/service/home/~/?auth=co&loc=en_GB&id=259&part=3”

So you can check the actual response header.

Regards,

Lukas

Kunal_P · March 24, 2014, 11:33am

On Mon, Mar 24, 2014 at 2:11 AM, Kunal P. [email protected]
wrote:

So can this be that the upstream is sending the right header (because it
works fine when there is no space in the filename) but nginx is parsing it
incorrectly ?

Use the web developer tools in your browser to see the header and/or
try encoding the filename (not sure about this last one).
Or GET it yourself with telnet or something.

Cheers,
Nuno

Kunal_P · March 24, 2014, 6:46pm

I used the web browser but didn’t see this Content-disposition header in
the response. Only saw these response headers.

Response Headersview source
1. Connection:
  keep-alive
2. Content-Length:
  1159
3. Content-Type:
  text/html
4. Date:
  Mon, 24 Mar 2014 17:15:00 GMT
5. Server:
  nginx

Using the curl to get the file directly from the backend server keeps
throwing the http 404 must authenticate error don’t know why as i am
supplying the -u username:password as well

kunal@zdev-vm048:~$ curl -u testuser1:testpass -k -I "
https://127.0.1.1:8443/service/home/~/?auth=co&loc=en_GB&id=259&part=3"

HTTP/1.1 404 must authenticate

Date: Mon, 24 Mar 2014 17:38:56 GMT

Content-Type: text/html; charset=ISO-8859-1

Cache-Control: must-revalidate,no-cache,no-store

Content-Length: 320

Thanks

-Kunal

Kunal_P · March 24, 2014, 7:36pm

I downloaded another file and the Content-Disposition header lists the
filename with space under quotes correctly “zcs error.docx” thereby
proving
that its nginx which is not parsing it correctly. Correct me if i am
wrong.

Cache-Control:
no-store, no-cache
Connection:
keep-alive

Content-Disposition: attachment; filename=“zcs error.docx”
4. Content-Encoding:
gzip
5. Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name=“zcs error.docx”

Thanks
-Kunal

Kunal_P · March 24, 2014, 8:00pm

Hi,

I downloaded another file and the Content-Disposition header lists the
filename with space under quotes correctly “zcs error.docx” thereby
proving that its nginx which is not parsing it correctly. Correct me if
i am wrong.

Is this specific response going through nginx or directly from the
browser
to the backend?

Enable debugging logs and collect the traces:
http://nginx.org/en/docs/debugging_log.html

Regards,

Lukas

Kunal_P · March 24, 2014, 7:16pm

Hi Kunal,

I used the web browser but didn’t see this Content-disposition header
in the response. Only saw these response headers.

We need to see the Content-disposition, everything else makes no sense.

Are you trying against the nginx frontend or your backend? If it is
nginx
you’re connecting to, you abviously need a filename without spaces
otherwise
the response will not show up on your browser.

Using the curl to get the file directly from the backend server keeps
throwing the http 404 must authenticate error don’t know why as i am
supplying the -u username:password as well

Fix your authentication problem. Only you know how your backend
authenticates users, we can’t tell you that (perhaps you need cookies).

Regards,

Lukas

Kunal_P · March 24, 2014, 9:17pm

hmm…thanks Lukas.
So its my backend server only which is causing this issue.

Thanks
-Kunal

Kunal_P · March 24, 2014, 10:09pm

hmm…thanks Lukas.
So its my backend server only which is causing this issue.

From the information provided in this thread, I can’t tell.

We would need the exact response header that makes nginx return
the 502 response plus detailed informations about your setup (output
of nginx -v and your configuration).

Regards,

Lukas

Kunal_P · March 24, 2014, 10:28pm

Never mind there’s nothing wrong with nginx here.
It was one of the response headers sent by an upstream server (mainly
Content-Description:
2013923 10H56M56S633_PV.doc�) including this non-ascii char ‘?’ which
the
nginx didn’t like and hence flagged it saying that it received an
invalid
header.

Thanks
-Kunal

Kunal_P · March 24, 2014, 10:48pm

Never mind there’s nothing wrong with nginx here.
It was one of the response headers sent by an upstream server
(mainly Content-Description: 2013923 10H56M56S633_PV.doc�) including
this non-ascii char ‘?’ which the nginx didn’t like and hence flagged
it saying that it received an invalid header.

Thanks for confirming.

Nginx does the right thing here, headers must not contain non-ascii
chars
per RFC.

Regards,

Lukas

Kunal_P · March 24, 2014, 8:44pm

FYI, nginx has not problems passing filenames with spaces along:

curl -I http://direct-apache/content-disposition-header.php

HTTP/1.1 200 OK
Date: Mon, 24 Mar 2014 19:40:22 GMT
Server: Apache/2.4.2 (Win32) OpenSSL/1.0.1c PHP/5.4.4
X-Powered-By: PHP/5.4.4
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Disposition: attachment; filename=“zcs error.docx”
Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name=“zcs error.docx”

curl -I “http://nginx-rev-proxying/content-disposition-header.php”

HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 24 Mar 2014 19:41:03 GMT
Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name=“zcs error.docx”
Connection: keep-alive
X-Powered-By: PHP/5.4.4
Cache-Control: no-store, no-cache
Content-Disposition: attachment; filename=“zcs error.docx”