Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Websocket data will be truncated if HTTP header is too long #208

Closed
ccpz opened this issue Jul 8, 2016 · 6 comments
Closed

Websocket data will be truncated if HTTP header is too long #208

ccpz opened this issue Jul 8, 2016 · 6 comments
Labels
Component: mosquitto-broker Type: Enhancement A new feature for a minor or major release.
Milestone
1.5

Comments

@ccpz
Copy link

ccpz commented Jul 8, 2016
edited

Since libwebsockets V1.7.0, it adds a max_http_header_data in info struct:

https://github.com/warmcat/libwebsockets/blob/master/changelog#L370

  • max_http_header_data: 0 for default (1024) or set the maximum amount of known
    http header payload that lws can deal with. Payload in unknown http
    headers is dropped silently. If for some reason you need to send huge
    cookies or other HTTP-level headers, you can now increase this at context-
    creation time.

Therefore if mosquitto's websocket interface receives a HTTP header over 1024 bytes, all additional bytes will be dropped. Maybe it is better to make this value configurable at mosquitto config file?
@ccpz ccpz changed the title Websocket will disconnected if HTTP header is too long Websocket data will be truncated if HTTP header is too long Jul 8, 2016
@ralight
Copy link
Contributor

ralight commented Jul 8, 2016

Is this a problem you are seeing in practice? If so, could you give me an example? A single header >1024 bytes is pretty big.

@ccpz
Copy link
Author

ccpz commented Jul 9, 2016

We have a web site based on Laravel framework 5.2, when user login, it will open a websockets channel using paho-javascript library from browser to Nginx reverse proxy, it forwards to mosquitto websockets server (in order to prevent CSRF problem):

location /websockets/ {
        proxy_pass http:https://127.0.0.1:9001/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

Therefore it will also forwards the full HTTP headers to mosquitto, And here is the PCAP file:
websockets.zip

@ralight
Copy link
Contributor

ralight commented Jul 9, 2016

I've had it confirmed that max_http_header_data is for the entirety of the headers, I'll see about making this an option.

@Hades32
Copy link

Hades32 commented Dec 15, 2016

This is a very practical issue. We share the same domain for all services (including the "/mqtt" websocket endpoint). Therefor all requests will get all the cookies. Cookies with several KB are really nothing special. So, I think the default should be at least 4-8KB.

Currently I work around it with a HAProxy config:
reqidel ^Cookie:.*

@ralight ralight added this to the 1.5 milestone Feb 19, 2017
@ralight ralight added the Type: Enhancement A new feature for a minor or major release. label Feb 19, 2017
@PierreF PierreF mentioned this issue Oct 3, 2017
Closed
@memoryhole
Copy link

It doesn't looks like this made it into a release. What would it take to get it there?

@ralight
Copy link
Contributor

ralight commented Apr 26, 2019

@memoryhole I'm pleased to say it is in version 1.6 (so I'm closing this now).

@ralight ralight closed this as completed Apr 26, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Component: mosquitto-broker Type: Enhancement A new feature for a minor or major release.
Projects
None yet
Milestone
1.5
Development

No branches or pull requests
4 participants
@memoryhole @ralight @Hades32 @ccpz