-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finagle headers blocked by AWS CloudFront's new Cache/Origin Policies #869
Comments
Thanks for the heads up. Seems like a curious rule. |
My team stumbled on this problem – or at least very similar one – very recently, while sending requests to a server that we don't own. (Using Finagle version 19.9.0) After reading the code, and a bit of help from my coworker, I came up with this workaround to remove undesired headers from Finagle requests, but it feels a bit brittle: Http.client
.withStack(_.remove(Stack.Role("ClientContext")).remove(TraceInitializerFilter.role)) We are working around two issues here:
Could you implement a mechanism to easily disable finagle custom headers and/or officially document the correct way to do it? |
@GoldenCrystal I don't think we have the bandwidth to implement that right now, but we'd be happy to guide you through building it, if you do! |
I've filed a support case with AWS, but just a heads-up, and to save anyone else out there searching for answers...
AWS CloudFront launched a new Cache/Origin Policies feature a few weeks ago. While legacy policies can still be used for now, the new policy features are selected by default for new distributions.
The regression is that they completely reject all client requests containing HTTP header-names with a period (as
400 Bad Request
). There's currently no workaround for this other than to switch back to a legacy policy. Affects both HTTP and HTTPS requests.Discovered this when Twitterbot was failing to read meta-tags for Twitter Cards. Narrowed it down to a
Finagle-Ctx-com.twitter.finagle.Retries: 0
HTTP header that Twitterbot was only including in HTTP requests, not HTTPS requests. The Twitter Card Validator helpfully saysINFO: Page fetched successfully
despite it getting a400 Bad Request
....Why would anyone care about HTTP in this case? Because Twitter uses an
http://
protocol to decide how to render URLs that don't specify a protocol.eg. Typing
example.com
into a tweet will look for Twitter Card meta-tags onhttp://example.com
. With AWS CloudFront's new Cache/Origin Policies, this request is rejected, so Twitterbot never receives a301
redirecting tohttps://example.com
, and no card is displayed.So this isn't technically a bug in Finagle, but those headers sure are ugly. Either way, hopefully CloudFront will address this.
For what it's worth, AWS Elastic Load Balancer does not reject the requests, but appeared to be silently removing these headers from the requests. I have only briefly tested ELB with them, however. (Edit: Re-tested ELB with packet capture, and it is passing through all headers un-modified, so this part can be ignored.)
I'll post a report on the Twitter Developer forums as well.
The text was updated successfully, but these errors were encountered: