Disable secure headers option for GLS #2521

Open
willnode opened this issue Feb 5, 2024 · 1 comment
willnode commented Feb 5, 2024

Issue report

Question 1: What is the problem?

Secure headers are preventing bun.sh with GLS (Generic Language Support) from responding properly, giving the response "Incomplete response received from application".

I'm looking for a config to disable it, but I think there's none.

Bun.sh has an issue where it ignores HTTP requests with weird characters in the header keys. There's an ongoing fix for some characters, but I don't think it will fix the !~ prefix given by Passenger because these characters are non-standard.

  • What is the expected behavior?

No !~Passenger-Client-Address header is sent, so Bun.sh runs correctly.

  • What is the actual behavior?

There's a !~Passenger-Client-Address header sent to Bun.

  • How can we reproduce it?

Set up an NGINX server with:

server {
    ....
    passenger_enabled on;
    passenger_app_start_command "env PORT=$PORT strace  -e recvfrom,sendto -s 1000 -o strace_output.txt bun app.ts";
}

app.ts

const server = Bun.serve({
  port: parseInt(Bun.env.PORT || "3000"),
  fetch(request) {
    return new Response("Welcome to Bun!");
  },
});

Output from strace_output.txt

sendto(12, [{nlmsg_len=20, nlmsg_type=RTM_GETADDR, nlmsg_flags=NLM_F_REQUEST|NLM_F_DUMP, nlmsg_seq=1707147534, nlmsg_pid=0}, {ifa_family=AF_UNSPEC, ...}], 20, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 20
recvfrom(15, "GET / HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\ncache-control: max-age=0\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nupgrade-insecure-requests: 1\r\nX-Forwarded-For: 125.164.19.220\r\n!~Passenger-Client-Address: 125.164.19.220\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 416
recvfrom(15, "GET /favicon.ico HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\nreferer: http://susqohu.sga.dom.my.id/\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nX-Forwarded-For: 125.164.19.220\r\n!~Passenger-Client-Address: 125.164.19.220\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 411
recvfrom(16, "GET / HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\ncache-control: max-age=0\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nupgrade-insecure-requests: 1\r\nX-Forwarded-For: 125.164.16.49\r\n!~Passenger-Client-Address: 125.164.16.49\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 414
recvfrom(15, "GET /favicon.ico HTTP/1.1\r\nConnection: close\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\naccept-encoding: gzip, deflate\r\ndnt: 1\r\nreferer: http://susqohu.sga.dom.my.id/\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\nhost: susqohu.sga.dom.my.id\r\nX-Forwarded-For: 125.164.16.49\r\n!~Passenger-Client-Address: 125.164.16.49\r\n\r\n", 524288, MSG_DONTWAIT, NULL, NULL) = 409

(Notice there's recvfrom but no sendto; it didn't send anything.)

This is a test running env PORT=49999 strace -e recvfrom,sendto -s 1000 -o strace_output.txt bun app.ts

recvfrom(13, "GET / HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:47 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET /favicon.ico HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:47 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET / HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:48 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "GET /favicon.ico HTTP/1.1\r\nHost: susqohu.sga.dom.my.id:49999\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r>
sendto(13, "HTTP/1.1 200 OK\r\ncontent-type: text/plain;charset=utf-8\r\nDate: Mon, 05 Feb 2024 16:29:48 GMT\r\nContent-Length: 15\r\n\r\nWelcome to Bun!", 131, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 131
recvfrom(13, "", 524288, MSG_DONTWAIT, NULL, NULL) = 0

Notice there's recvfrom and sendto. Responses sent successfully.

Question 5: Your app's programming language (including any version managers) and framework (including versions):

Bun 1.0.26, NGINX 1.22.1

Question 7: Anything else about your setup that we should know?

I just want an option to disable secure headers, if any.

willnode commented Feb 5, 2024

Just in case anyone is looking for a temporary solution: https://github.com/domcloud/proxy-fix/
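
A stopgap of the kind this issue asks for can be sketched as a byte filter placed between Passenger and the app that drops header lines whose name starts with `!~`. This is an added example, not code from the issue, Passenger, Bun or the linked repository; the helper names are hypothetical, the request bytes are constructed, and it assumes one request per connection, as the `Connection: close` lines in the trace show.

```javascript
// Added example: helper names are hypothetical, sample bytes are constructed.
const SECURE_PREFIX = "!~";
const HEAD_END = Buffer.from("\r\n\r\n");

// Drop header lines whose field name starts with "!~"; keep the request line.
function stripSecureHeaders(head) {
  const [requestLine, ...fields] = head.split("\r\n");
  const removed = [];
  const kept = fields.filter((line) => {
    if (!line.startsWith(SECURE_PREFIX)) return true;
    const colon = line.indexOf(":");
    removed.push(colon === -1 ? line : line.slice(0, colon));
    return false;
  });
  return { head: [requestLine, ...kept].join("\r\n"), removed };
}

// Per-connection filter for a TCP shim: buffer until the blank line ending the
// head, rewrite it once, then pass body bytes through (one request per connection).
function createRequestFilter(maxHeadBytes = 65536) {
  let pending = Buffer.alloc(0), headDone = false;
  const removed = [];
  function push(chunk) {
    if (headDone) return chunk;
    pending = Buffer.concat([pending, chunk]);
    const end = pending.indexOf(HEAD_END);
    if (end === -1) {
      if (pending.length > maxHeadBytes) throw new Error("request head too large");
      return Buffer.alloc(0); // head incomplete: forward nothing yet
    }
    const result = stripSecureHeaders(pending.subarray(0, end).toString("latin1"));
    removed.push(...result.removed);
    headDone = true;
    return Buffer.concat([Buffer.from(result.head, "latin1"), pending.subarray(end)]);
  }
  return { push, removed };
}

// Constructed request whose body also starts with "!~"; it must survive intact.
const SAMPLE = "POST /submit HTTP/1.1\r\nConnection: close\r\n" +
  "host: app.example.test\r\ncontent-length: 11\r\nX-Forwarded-For: 203.0.113.7\r\n" +
  "!~Passenger-Client-Address: 203.0.113.7\r\n\r\n!~not=a=hdr";
function demo() {
  const filter = createRequestFilter();
  const wire = Buffer.from(SAMPLE, "latin1");
  const cut = SAMPLE.indexOf("Passenger-Client"); // split right after the "!~" prefix
  const out = Buffer.concat([filter.push(wire.subarray(0, cut)), filter.push(wire.subarray(cut))]);
  return { forwarded: out.toString("latin1"), removed: filter.removed };
}
```

With the `!~` header gone, the app only sees `X-Forwarded-For` for the client address, so it should rely on that value only for connections that arrive from the NGINX/Passenger host.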
