worker process 107 exited on signal 11 (core dumped) set_real_ip_from with nchan_authorize_request

[Kolobok12309]

Nginx crashed if i use set_real_ip_from (and pass header X-Real-Ip) and use nchan_authorize_request

set_real_ip_from 0.0.0.0/0;

location = /auth {
    proxy_pass ${WS_AUTH_URL};
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Subscriber-Type $nchan_subscriber_type;
    proxy_set_header X-Publisher-Type $nchan_publisher_type;
    proxy_set_header X-Prev-Message-Id $nchan_prev_message_id;
    proxy_set_header X-Channel-Id $nchan_channel_id;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
  }

location ~ ^/user/(?<user>(\d+))$ {
  nchan_authorize_request /auth;
  nchan_subscriber;
  nchan_channel_id "users" $user;
  nchan_channel_group "users";
}

If i comment nchan_authorize_request or set_real_ip_from or not pass header, all be fine

Nginx 1.25.2-alpine
Nchan 1.3.6

Core dump

Core was generated by `nginx: worker process     '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000557b2732b464 in ngx_cidr_match ()
(gdb) backtrace
#0  0x0000557b2732b464 in ngx_cidr_match ()
#1  0x0000557b2736b27b in ?? ()
#2  0x0000557b2736e42f in ngx_http_get_forwarded_addr ()
#3  0x0000557b273b1717 in ?? ()
#4  0x0000557b2736c409 in ngx_http_core_generic_phase ()
#5  0x0000557b27368a5f in ngx_http_core_run_phases ()
#6  0x0000557b27370645 in ngx_http_run_posted_requests ()
#7  0x00007f8407c89e0f in nchan_requestmachine_run (rm=rm@entry=0x7f8407be35c0)
    at //nchan-1.3.6/src/util/nchan_fake_request.c:326
#8  0x00007f8407c8a772 in nchan_requestmachine_request (rm=0x7f8407be35c0, params=params@entry=0x7ffc1e2f3070)
    at //nchan-1.3.6/src/util/nchan_fake_request.c:489
#9  0x00007f8407c9338e in nchan_subscriber_subrequest (sub=sub@entry=0x7f8407be3800, 
    params=params@entry=0x7ffc1e2f3070) at //nchan-1.3.6/src/subscribers/common.c:315
#10 0x00007f8407c938bd in nchan_subscriber_authorize_subscribe_request (sub=0x7f8407be3800, 
    ch_id=0x7f8407c5f7b0) at //nchan-1.3.6/src/subscribers/common.c:128
#11 0x00007f8407c80484 in nchan_pubsub_handler (r=0x7f8407c5e880) at //nchan-1.3.6/src/nchan_module.c:793
#12 0x0000557b2736d388 in ngx_http_core_content_phase ()
#13 0x0000557b27368a5f in ngx_http_core_run_phases ()
#14 0x0000557b27372986 in ?? ()
#15 0x0000557b27372cd2 in ?? ()
#16 0x0000557b27349361 in ?? ()
#17 0x0000557b2734014b in ngx_process_events_and_timers ()
#18 0x0000557b273478fd in ?? ()

[slact]

Do you have a separate upstream block that proxy_pass refers to?

[Kolobok12309]

Do you have a separate upstream block that proxy_pass refers to?

Yea, nchan placed after another nginx proxy
Or, mb i'm wrong understand you, ${WS_AUTH_URL} is env with url(not upstream). Example http://tests-auth:4000/ws

[slact]

I suspect if you change the var to refer to an upstream block by name, this will work.

Upstreams routed by URL alone don't travel the same code path as ones that go though an upstream block. This has always been a pain in the ass, even without Nchan.

[Kolobok12309]

I try it yesterday, same error

upstream auth {
  server tests-auth:4000; # Docker instance
}

server {
  ...
  location = /auth {
    proxy_pass http://auth/ws;
    ...
  }
  ...
}

Mb maybe I'm using upstream wrong?

[Kolobok12309]

But all worked if i move set_real_ip_from 0.0.0.0/0; to location block (use it for allow/deny access to publication, pub and sub separated location).

From to

From

server {
  set_real_ip_from 0.0.0.0/0;

  location = /auth {
    proxy_pass ${WS_AUTH_URL};
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Subscriber-Type $nchan_subscriber_type;
    proxy_set_header X-Publisher-Type $nchan_publisher_type;
    proxy_set_header X-Prev-Message-Id $nchan_prev_message_id;
    proxy_set_header X-Channel-Id $nchan_channel_id;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
  }

  location ~ ^/user/(?<user>(\d+))$ {
    nchan_authorize_request /auth;
    nchan_subscriber;
    nchan_channel_id "users" $user;
    nchan_channel_group "users";
  }

  location ~ ^/pub/user/(?<user>(\d+))$ {
    access 127.0.0.1; # In real case more ips
    deny all;

    nchan_publisher;
    nchan_channel_id $user;
    nchan_channel_group "users";
  }
}

To

server {
  location = /auth {
    proxy_pass ${WS_AUTH_URL};
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Subscriber-Type $nchan_subscriber_type;
    proxy_set_header X-Publisher-Type $nchan_publisher_type;
    proxy_set_header X-Prev-Message-Id $nchan_prev_message_id;
    proxy_set_header X-Channel-Id $nchan_channel_id;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
  }

  location ~ ^/user/(?<user>(\d+))$ {
    nchan_authorize_request /auth;
    nchan_subscriber;
    nchan_channel_id "users" $user;
    nchan_channel_group "users";
  }

  location ~ ^/pub/user/(?<user>(\d+))$ {
    set_real_ip_from 0.0.0.0/0;
    access 127.0.0.1; # In real case more ips
    deny all;

    nchan_publisher;
    nchan_channel_id $user;
    nchan_channel_group "users";
  }
}

[slact]

Huh, that's wild. I'll see if I can fix this.

[Kolobok12309]

Huh, that's wild. I'll see if I can fix this.

I can create minimal repro in docker containers if you need

[slact]

Nah I got it. This is one of those bugs that's about struggling with Nginx guts.