
Our organization is using SSO for staff, and we are getting 502 Bad Gateway when users try to log in with Shibboleth.

Users who have access to more groups get a 502 when they try to log in, but users with less access are able to log in.

The maximum header size with all the access is 32768.

We tried --max-http-header-size 42768 in Docker; however, it was not helpful. The users with normal access (smaller header size) are able to log in.

Our setup: VM1 hosts nginx as a reverse proxy. The configuration is below. VM2 hosts more than one Docker container.

server {
    listen 80;
    server_name **********;

    # Hand the upstream response straight to the client instead of buffering it
    proxy_buffering off;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    client_body_timeout 60s;
    client_header_timeout 60s;
    keepalive_timeout 70s;
    send_timeout 60s;

    # Buffers for the client's request headers and body (not for the upstream's response)
    client_body_buffer_size 32k;
    client_header_buffer_size 32k;
    client_max_body_size 0;
    large_client_header_buffers 4 32k;

    access_log off;
    error_log /data/nginx/logs/****_error.log warn;

    location / {
        proxy_pass http://******:8098;
    }
}

Error log:
2019/09/25 10:25:38 [error] 20070#0: *123 upstream prematurely closed connection while reading response header from upstream, client: ****, server: ******, request: "GET /auth/shibboleth?redirect=L2FjY291bnQ= HTTP/1.1", upstream: "http://******:8098/auth/shibboleth?redirect=L2FjY291bnQ=", host: "*****", referrer: "https://******/profile/SAML2/Redirect/SSO?execution=e1s2"
2019/09/25 10:25:50 [error] 20070#0: *125 upstream prematurely closed connection while reading response header from upstream, client: ****, server: *****, request: "GET / HTTP/1.1", upstream: "http://****:8098/", host: "*****"

Docker setup

FROM node:8-alpine as intermediate

RUN apk add --no-cache git openssh alpine-sdk python2
# Bootstrap pip and make "python" resolve to python2 for native npm modules
RUN python2 -m ensurepip && \
    rm -r /usr/lib/python*/ensurepip && \
    pip install --upgrade pip setuptools && \
    if [ ! -e /usr/bin/python ]; then ln -sf /usr/bin/python2 /usr/bin/python; fi

WORKDIR /usr/src/app

RUN touch config.js && mkdir config
COPY package*.json ./
RUN http_proxy="http://****:3128" https_proxy="http://****:3128" npm install

COPY . .
RUN rm -rf .private


FROM node:8-alpine

WORKDIR /usr/src/app
COPY --from=intermediate /usr/src/app /usr/src/app

EXPOSE 8080
# Exec-form CMD: every argument is its own array element, so "-p" and "8080" must be separate
CMD [ "node", "app.js", "-p", "8080" ]
Dino

1 Answer

This is apparently common. The fix:

proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;

See e.g.

Peter V. Mørch
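As an added example for this thread (editor's code, not from the question or the answer), the script below parses the header-size directives out of an nginx config, applies the two consistency checks nginx itself runs on proxy_busy_buffers_size when it loads a configuration, and classifies error-log lines by which side of the proxy they point at. The config snippets and the log line inside it are constructed samples modelled on the post, and the 4 KiB default for proxy_buffer_size assumes an x86-64 page size. Two nginx facts the script encodes are worth having in mind when applying the answer: a response header that does not fit in proxy_buffer_size is logged as "upstream sent too big header while reading response header from upstream", whereas "upstream prematurely closed connection" means the upstream itself closed the socket, so the Node process's own header limit is worth checking as well (Node's --max-http-header-size is an option of the node binary and must appear before the script name on the node command line; the Dockerfile's CMD as shown passes only the app's own -p option).

```python
"""Header-size triage for an nginx reverse proxy in front of a Node/Shibboleth app.

Added example for this thread (not code from the question or the answer).
Two independent limits matter when an SSO user with many group memberships logs in:
  * request side:  nginx reads the client's header lines into large_client_header_buffers;
  * response side: nginx reads the upstream's response header into proxy_buffer_size.
The config snippets and the log line below are constructed samples that mirror the post.
"""
import re

_UNIT = {"": 1, "k": 1024, "m": 1024 * 1024}
# nginx defaults assumed here: proxy_buffer_size = one memory page (4 KiB on x86-64),
# large_client_header_buffers 4 8k, proxy_buffers 8 4k.
_DEFAULT_PAGE = 4 * 1024


def parse_size(token):
    """nginx size syntax: '32k' -> 32768, '256k' -> 262144, '8' -> 8 bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token.strip().rstrip(";"))
    if not m:
        raise ValueError("not an nginx size: %r" % token)
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def _directive(config, name):
    """Arguments of the first `name ...;` directive in the config text, or None."""
    m = re.search(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), config)
    return m.group(1).split() if m else None


def header_limits(config):
    """Bytes available for one request header line and for the upstream response header."""
    req = _directive(config, "large_client_header_buffers")
    resp = _directive(config, "proxy_buffer_size")
    return {
        "request_header_line": parse_size(req[1]) if req else 8 * 1024,
        "response_header": parse_size(resp[0]) if resp else _DEFAULT_PAGE,
    }


def exceeded_limits(header_bytes, config):
    """Directives a header of `header_bytes` bytes would overflow (empty list = fits)."""
    names = {"request_header_line": "large_client_header_buffers",
             "response_header": "proxy_buffer_size"}
    return [names[k] for k, v in header_limits(config).items() if header_bytes > v]


def validate_proxy_buffers(config):
    """Reproduce the two consistency checks nginx applies to proxy_busy_buffers_size
    at configuration load; returns the list of violations (empty = accepted)."""
    size = parse_size((_directive(config, "proxy_buffer_size") or ["4k"])[0])
    num, each = _directive(config, "proxy_buffers") or ["8", "4k"]
    num, each = int(num), parse_size(each)
    floor = max(size, each)
    busy_raw = _directive(config, "proxy_busy_buffers_size")
    busy = parse_size(busy_raw[0]) if busy_raw else 2 * floor  # nginx's default
    problems = []
    if busy < floor:
        problems.append("proxy_busy_buffers_size must be >= max(proxy_buffer_size, one proxy_buffers buffer)")
    if busy > (num - 1) * each:
        problems.append("proxy_busy_buffers_size must not exceed total proxy_buffers minus one buffer")
    return problems


# Which side of the proxy each nginx error-log message points at.
_ERROR_KINDS = (
    ("upstream sent too big header", "response_header",
     "upstream response header exceeds proxy_buffer_size; nginx answers 502"),
    ("client sent too long header line", "request_header_line",
     "request header line exceeds large_client_header_buffers; nginx answers 400"),
    ("upstream prematurely closed connection", "upstream",
     "upstream closed the socket before a complete response; nginx did not run out of "
     "buffer space, so check the upstream's own limits"),
)


def classify(log_line):
    """Map an nginx error-log line to (side, explanation); ('unknown', '') if nothing matches."""
    for needle, side, why in _ERROR_KINDS:
        if needle in log_line:
            return side, why
    return "unknown", ""


# Constructed sample configs: the question's request-side tuning, then the same with the answer's fix.
QUESTION_CONFIG = """
server {
    proxy_buffering off;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    location / { proxy_pass http://127.0.0.1:8098; }
}
"""
ANSWER_CONFIG = QUESTION_CONFIG.replace(
    "proxy_buffering off;",
    "proxy_buffer_size 128k;\n    proxy_buffers 4 256k;\n    proxy_busy_buffers_size 256k;")

# Constructed log line modelled on the one in the question (addresses are placeholders).
SAMPLE_LOG = ('2019/09/25 10:25:38 [error] 20070#0: *123 upstream prematurely closed connection '
              'while reading response header from upstream, client: 10.0.0.5, server: sso.example.internal, '
              'request: "GET /auth/shibboleth HTTP/1.1", upstream: "http://10.0.0.9:8098/auth/shibboleth"')

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, header_limits(cfg),
              "32768-byte header overflows:", exceeded_limits(32768, cfg),
              "config problems:", validate_proxy_buffers(cfg))
    print(classify(SAMPLE_LOG))
```

Run it against a real config by pasting the server block into QUESTION_CONFIG, and measure the actual header size from the upstream directly (for example with curl -sD - -o /dev/null against port 8098 from the nginx host) before choosing a proxy_buffer_size value; the validator tells you whether the triple you pick would be rejected by nginx -t.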