TimWolla/haproxy-auth-request

Do not pass the Content-Length header

Closed this issue · 18 comments

Because the script does not pass the body the Content-Length header must be omitted. This mistake causes issues with Apache.

Also investigate whether any other headers rely on a request body being present.

I solved it by removing the header in related backend config like so:

backend auth_request
  …
  reqidel ^Content-Length:.*
  server auth_request oauth-proxy:4180

@erkiesken Thank you. I'm going to fix this in the Lua script, though, to be batteries included. I already have a patch, but am currently waiting for another administrator to confirm the Content-Length actually is the root cause of their issues.

Did you encounter issues with the Content-Length header yourself?

I just checked that it was an open issue and just-in-case added the rule. My backend server is configured to be directly the oauth2-proxy process, so no Apache or other web server involved.

I also ran into this problem with the content-length. I changed the source code to

if header == "content-length" then
        headers[header] = ""
else
        headers[header] = v
end

It works now.

@SurinameClubcard Thank you for the feedback. Can you tell me what you are using as the backend? This issue is not yet resolved, because I was waiting for a confirmation by the reporter (I did not experience the issue myself).

I'm using Authelia (https://github.com/clems4ever/authelia) as the backend. My http-request looks like this:

	http-request         lua.auth-request authelia_backend_ipvANY /api/verify

I think I had the same problem as @erkiesken but I'm processing the auth-request in a haproxy frontend and I need the content-length to stay correct in that frontend.

Yes, if anything it should be fixed in this script not worked around in the config.
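One way to build the header table for the auth sub-request so that body-describing headers are dropped from the copy while the client request (and its Content-Length in the frontend) is left untouched. This is an added example, not code from haproxy-auth-request; the Transfer-Encoding entry, the helper names and the sample headers are assumptions.

```lua
-- Added example (not the project's own code). The auth sub-request is sent
-- without a body, so headers that describe a body must not be copied into it.
-- Only the copy is filtered; the original request headers stay as they are.
local BODY_HEADERS = {
  ["content-length"]    = true,
  ["transfer-encoding"] = true,  -- assumption: also describes the body, so dropped
}

-- HAProxy's req_get_headers() indexes repeated values from 0, so collect the
-- indices, sort them, and join into one field value (RFC 7230 section 3.2.2).
local function join_values(values)
  local idx = {}
  for i in pairs(values) do idx[#idx + 1] = i end
  table.sort(idx)
  local out = {}
  for _, i in ipairs(idx) do out[#out + 1] = values[i] end
  return table.concat(out, ", ")
end

-- req_headers mirrors txn.http:req_get_headers(): lowercase name -> values.
-- Returns a new table; nothing is removed from req_headers itself.
local function build_auth_headers(req_headers)
  local headers = {}
  for name, values in pairs(req_headers) do
    if not BODY_HEADERS[name:lower()] then
      headers[name] = join_values(values)
    end
  end
  return headers
end

-- Constructed sample of a client POST's headers (0-indexed like HAProxy).
local sample = {
  ["host"]            = { [0] = "example.invalid" },
  ["content-length"]  = { [0] = "42" },
  ["content-type"]    = { [0] = "application/json" },
  ["cookie"]          = { [0] = "session=abc" },
  ["x-forwarded-for"] = { [0] = "10.0.0.1", [1] = "10.0.0.2" },
}

local auth_headers = build_auth_headers(sample)
assert(auth_headers["content-length"] == nil, "content-length must be dropped")
assert(auth_headers["host"] == "example.invalid")
assert(auth_headers["x-forwarded-for"] == "10.0.0.1, 10.0.0.2")
assert(sample["content-length"][0] == "42", "client request left intact")
for k, v in pairs(auth_headers) do print(k .. ": " .. v) end
```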

Thank you for your feedback. I'll take a look at Authelia and run my own tests.

I would be interested to see how you connect haproxy to authelia. I managed to accomplish this myself but it took me quite some time. I am no haproxy expert though and because I'm running haproxy on pfSense I had to manually fix some dependencies because on FreeBSD there is no luasocket available for lua 5.3. Had to build it myself and it turns out that luasocket (in its current form) isn't compatible with lua 5.3? I had to change some source code in luasocket to get it completely functional. But again, no expert on this. haproxy(-devel, which is 1.8.x) on pfSense is compiled against lua 5.3 and I wanted to keep that intact.

I don't use FreeBSD myself. I would perform the tests on my Ubuntu 16.04 workstation (possibly inside of a Docker container). The issues getting lua-socket running with Lua 5.3 are clearly unrelated though. Consider asking the ports maintainer to create a port that is compatible with Lua 5.3 or “packaging” (is this the proper term?) a version that is newer than the current one. If I understand it correctly the current one is the tagged version 22cd583 (which is older than the required 0b03eec16b as documented in the README). Unfortunately the lua-socket creator does not appear to do proper tagging of versions 😕

The configuration itself I suppose will be similar to yours. There is not much you can do differently there.

Unfortunately the lua-socket creator does not appear to do proper tagging of versions

see also: lunarmodules/luasocket#168

I took the luasocket source code already part of the ports which came with FreeBSD 11.2. I actually don't know what version that is. I did have to manually add some patches to it. Far from ideal, but now that I have luasocket for lua 5.3 built and packaged, I don't think I would have to build it once again. Happy to share the sources though if asked.

I actually don't know what version that is.

I believe it's the super-old tagged 3.0-rc1 based off this web page: https://www.freshports.org/net/luasocket/

Happy to share the sources though if asked.

I suggest contacting the ports maintainer (lx@) whether they are interested in that. But it's probably easier for them to just “package” the current git HEAD. We might get a proper new tag for luasocket, though. See my previous comment for the upstream issue, requesting a new tag.

Thanks for patching the content-length bug,

Hi, apologies for resurrecting this but I am encountering this exact issue w/ pfSense+HAProxy trying to get haproxy-auth-request to work. I feel like I'm really close; I added the freebsd ports repo, installed luasocket from that, then removed the repo. I've patched a settimeout error in luasocket, but I'm stuck on a c-call error:
Dec 29 21:29:02 haproxy[93415]: Lua function 'auth-request': runtime error: attempt to yield across a C-call boundary from [C] field 'request', /var/etc/auth-request.lua:67 C function line 25.

Could you share your fix? @SurinameClubcard

FWIW: I worked with HAProxy Technologies to get a license change for their native lua HTTP client and want to update my script to use that library to avoid all the luasocket mess. I did not get around to doing that however.

Could you share your fix? @SurinameClubcard

Late reply. Still interested? I did a quick search through my local data and I do think I can dig it up from an old VM.

Yes, please. You can e-mail it to me liquidthex (at) liquidthex.com or just post it here so others can benefit (I think we might be literally the only two, though).

I will look into it today.

EDIT:
Judging from the command-line history, this is what I apparently did:

  1. install FreeBSD in a VM
  2. git clone https://github.com/pfsense/FreeBSD-ports.git pfSense-ports
  3. cd pfSense-ports
  4. edit Mk/bsd-default-versions.mk, change LUA_DEFAULT from 5.2 to 5.3
  5. cd net/luasocket
  6. make clean
  7. make patch
  8. replace work/luasocket-3.0-rc1/src/{luasocket.c,mime.c,except.c} and work/luasocket-3.0-rc1/gem/gem.c with the attached corresponding source files
  9. make
  10. make package
  11. scp the package from work/pkg to your destination of interest. In my case I uploaded it into my pfSense VM and installed it with pkg install *.txz I believe.

except.txt
gem.txt
luasocket.txt
mime.txt

I wasn't prepared to properly patch the files at that time, so I performed the above hack! ;-)

Let me know if this helps.