• Resolved esadc

    (@esadc)


    When I set External source csp mode: to hash, I get a 502 error when an unauthenticated user visits wp-admin or when the WordPress customizer is opened.

    Server Setup:
    Ubuntu 22.04 LXC
    Nginx 1.18.0
    PHP 8.1
    WordPress 6.1.1

    • This topic was modified 1 year, 11 months ago by esadc.
Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Giuseppe

    (@mociofiletto)

    Thanks for the report. I will investigate this issue on next days.

    Please write if you are using any cache system and whether, after deactivating it, you are still facing this issue.

    • This reply was modified 1 year, 11 months ago by Giuseppe.
    Thread Starter esadc

    (@esadc)

    I’m using Cloudflare Cache (standard cache level) with Nginx micro cache on my reverse proxy (pages are cached for 1 second).
    I disabled both and I’m still encountering 502 errors.
    Update:
    After a few hours my server stopped responding, I was forced to restart nginx and php-fpm. I’ve reverted back to nonces for the time being.

    • This reply was modified 1 year, 11 months ago by esadc.
    Plugin Author Giuseppe

    (@mociofiletto)

    I think the problem is the maximum size allowed by your server for the HTTP headers.

    No unsafe-inline assumes it is set to 8k, a value that can be set in Apache, IIS and nginx, but nginx can be set to allow only 4k of output in HTTP headers.

    Just to be sure this is the problem, can you please modify in your installation line 370 (assuming you are using v 1.1.0) [ https://plugins.trac.www.ads-software.com/browser/no-unsafe-inline/tags/1.1.0/public/class-no-unsafe-inline-public.php#L370 ] of the file public/class-no-unsafe-inline-public.php, changing the value 8192 to 4096

    OR

    set the max http output header of your server to 8k (https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) and write here if something changes?

    More: have a look at the Log table in the admin page of the plugin and look for something like “CSP header is too long…”

    Thanks in advance for your cooperation

    • This reply was modified 1 year, 11 months ago by Giuseppe.
    Thread Starter esadc

    (@esadc)

    I’ve set the logging level to debug and the only thing that shows up is this; the timestamps do not match up to when the issue occurs.
    2023-03-17 08:40:36 | WARNING | CSP headers not sent because headers were sent by at line 0

    I modified the file at /wp-content/plugins/no-unsafe-inline/public/class-no-unsafe-inline-public.php and set max_response_header_size to 4096, but I still got 502 errors.

    I’ve also tried adding large_client_header_buffers 4 8k; to nginx and then restarting nginx, but the issue still occurred.

    Plugin Author Giuseppe

    (@mociofiletto)

    Reading here [ https://www.metricfire.com/blog/understanding-nginx-502-bad-gateway-php-fpm/#strongWhat-does-NGINX-502-Bad-Gateway-meanstrong ] error 502 could be sent by reverse proxy when the php-fpm timeout expires or the process is not running.

    So this could mean that if you disable the reverse proxy, you should get an error from the PHP server. Can you check the php-fpm logs, or try to disable the reverse proxy and see what error is reported?

    I didn’t understand if the issue occurs when capturing is enabled or when the CSP protection is enabled.

    Also, can you check what happens with PHP 8.0? Did you try to disable every other plugin and see what happens?

    If it is ok for you, can you post the link to the website?

    Please report any kind of information about the system and used plugins.

    Thanks

    Thread Starter esadc

    (@esadc)

    Ok, I’ve found the issue: there is something with wp-code and certain PHP code that is causing a 502 error.

    Hide WP Version

    <?php
    // Remove the WordPress version from the generator meta tag and feeds.
    add_filter( 'the_generator', '__return_empty_string' );
    remove_action( 'wp_head', 'wp_generator' );

    // Strip the ?ver= query string (which carries the core/plugin version)
    // from every enqueued stylesheet and script URL.
    function remove_wpversion_cssjs( $src ) {
        // strpos() returns the position, so compare against false explicitly.
        if ( false !== strpos( $src, 'ver=' ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'style_loader_src', 'remove_wpversion_cssjs' );
    add_filter( 'script_loader_src', 'remove_wpversion_cssjs' );

    Remove Rest API from headers

    <?php
    // Remove REST API discovery: the RSD entry, the <link rel="https://api.w.org/">
    // tag in <head>, and the Link: response header. Priority 11 matches the
    // priority core uses when it registers rest_output_link_header.
    remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
    remove_action( 'wp_head', 'rest_output_link_wp_head' );
    remove_action( 'template_redirect', 'rest_output_link_header', 11 );

    There is nothing inside of the PHP logs; the timestamps do not match up.

    [19-Mar-2023 00:00:09] NOTICE: error log file re-opened
    [20-Mar-2023 07:25:11] NOTICE: Terminating ...
    [20-Mar-2023 07:25:11] NOTICE: exiting, bye-bye!
    [20-Mar-2023 07:25:59] NOTICE: fpm is running, pid 160
    [20-Mar-2023 07:25:59] NOTICE: ready to handle connections
    [20-Mar-2023 07:25:59] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:32:18] NOTICE: Terminating ...
    [20-Mar-2023 13:32:18] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:32:18] NOTICE: fpm is running, pid 2454
    [20-Mar-2023 13:32:18] NOTICE: ready to handle connections
    [20-Mar-2023 13:32:18] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:43:20] NOTICE: Terminating ...
    [20-Mar-2023 13:43:20] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:43:20] NOTICE: fpm is running, pid 2702
    [20-Mar-2023 13:43:20] NOTICE: ready to handle connections
    [20-Mar-2023 13:43:20] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:44:01] NOTICE: Terminating ...
    [20-Mar-2023 13:44:01] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:44:01] NOTICE: fpm is running, pid 2811
    [20-Mar-2023 13:44:01] NOTICE: ready to handle connections
    [20-Mar-2023 13:44:01] NOTICE: systemd monitor interval set to 10000ms
    [20-Mar-2023 13:44:13] NOTICE: Terminating ...
    [20-Mar-2023 13:44:13] NOTICE: exiting, bye-bye!
    [20-Mar-2023 13:44:13] NOTICE: fpm is running, pid 2888
    [20-Mar-2023 13:44:13] NOTICE: ready to handle connections
    [20-Mar-2023 13:44:13] NOTICE: systemd monitor interval set to 10000ms

    I’ve bypassed my reverse proxy and connected directly to WordPress and the 502 errors are gone, but they do occur when I connect via the reverse proxy.

    I’ve also noticed this inside my Nginx Reverse Proxy error logs

    2023/03/21 09:35:00 [error] 1550167#1550167: *32377 upstream sent too big header while reading response header from upstream, client: 0.0.0.0, server: example.com, request: "GET /wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1 HTTP/2.0", upstream: "https://0.0.0.0:443/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1", host: "example.com"
    • This reply was modified 1 year, 11 months ago by esadc.
    Plugin Author Giuseppe

    (@mociofiletto)

    Ok, the last line seems to confirm that the problem is about the response header size.

    I think it says that the reverse proxy received an answer from the server (the HTTP response with the page) that has a header too big for the reverse proxy (I don’t know if this is configurable in any way).
    When using hashes for external content, in the CSP policy (that “No unsafe-inline” tries to send via HTTP header) there is one hash for every external script, so the response header length becomes bigger than it is when using a nonce (which is one for a page).
    This should not be a problem because the HTTP protocol doesn’t impose any max length on response headers (as it doesn’t have any max length for the whole response), but web servers, CDNs, etc. impose a limit. You can read here for some more info: https://maxchadwick.xyz/blog/http-response-header-size-limits
    What “No unsafe-inline” tries to do is:
    A) use nonces as the default setting
    B) check the length of the generated CSP header before it is sent and, if the header is bigger than a commonly used max size (8k), try to send a “simplified” CSP policy, or deploy the CSP via an HTTP meta tag (you can see the code in the method output_csp_headers in the file public/class-no-unsafe-inline-public.php)
    Here it seems that the max response header size allowed by the server is bigger than the max size allowed by the proxy, so the proxy sees it as an illegal response and sends a 502 error to the client.
    I don’t think I can do anything in the PHP code to deal with this issue, other than making the max header size that “No unsafe-inline” will send configurable by the user.

    I will work on this, but for now (and in general), I think it is better to use nonces for external content because in almost every case this will generate a CSP header shorter than the one generated using hashes.

    Really thanks for your tests and cooperation.
    Let me know if I can close this issue.

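The size argument in the reply above can be made concrete. The following is an added example, not code from the thread or from the No unsafe-inline plugin: it builds a Content-Security-Policy value in hash mode (one 'sha256-…' source per external script, the hash-source format from the CSP specification) and in nonce mode, measures the header line, and mimics the described fallback of switching to a meta tag when the line exceeds a limit. The script bodies, the 8192/4096 limits and the function names are constructed for illustration; the real plugin's logic in output_csp_headers is not reproduced here.

```python
import base64
import hashlib
import secrets

# Constructed sample scripts (not from any real site): in hash mode each one
# adds a 'sha256-...' source expression to script-src.
SAMPLE_SCRIPTS = [
    b"window.jQuery = function () {};",
    b"document.addEventListener('DOMContentLoaded', function () {});",
    b"console.log('analytics');",
]

# Limits discussed in the thread: the plugin assumes 8k is safe, while the
# nginx proxy in front of the site only accepted about 4k (assumed values).
ASSUMED_SERVER_LIMIT = 8192
NGINX_PROXY_LIMIT = 4096


def sha256_source(body: bytes) -> str:
    """CSP hash-source for a script body: 'sha256-<base64(SHA-256(body))>'."""
    digest = hashlib.sha256(body).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh per-response nonce: 16 random bytes, base64 encoded (24 chars)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(mode: str, scripts, nonce: str = None) -> str:
    """Build a Content-Security-Policy value for the given external-source mode.

    "hash":  one sha256 source per script. Hashes depend only on the script
             content, so a statically cached page stays valid, but the header
             grows by roughly 54 bytes per script.
    "nonce": a single 'nonce-...' source for the whole page. Constant size,
             but the value must differ on every response to be meaningful.
    """
    if mode == "hash":
        sources = [sha256_source(body) for body in scripts]
    elif mode == "nonce":
        if nonce is None:
            nonce = new_nonce()
        sources = ["'nonce-" + nonce + "'"]
    else:
        raise ValueError("unknown mode: " + mode)
    return (
        "default-src 'self'; script-src 'self' "
        + " ".join(sources)
        + "; object-src 'none'"
    )


def header_line_length(policy: str) -> int:
    """Bytes the header line occupies on the wire: name, ': ', value, CRLF."""
    return len("Content-Security-Policy: " + policy + "\r\n")


def choose_delivery(policy: str, max_header_bytes: int) -> str:
    """Mimic the fallback the reply describes: deliver via HTTP header when the
    line fits the limit, otherwise via an HTML <meta http-equiv> tag, which is
    part of the body and not subject to proxy header buffers."""
    if header_line_length(policy) <= max_header_bytes:
        return "header"
    return "meta"


def compare_modes(script_count: int) -> dict:
    """Header sizes and delivery choice for a page with script_count scripts."""
    scripts = [b"/* constructed script %d */" % i for i in range(script_count)]
    hashed = build_policy("hash", scripts)
    nonced = build_policy("nonce", scripts)
    return {
        "hash_bytes": header_line_length(hashed),
        "nonce_bytes": header_line_length(nonced),
        "hash_delivery_8k": choose_delivery(hashed, ASSUMED_SERVER_LIMIT),
        "hash_delivery_4k": choose_delivery(hashed, NGINX_PROXY_LIMIT),
    }


if __name__ == "__main__":
    print("sample page:", compare_modes(len(SAMPLE_SCRIPTS)))
    for count in (50, 100, 200):
        print(count, "scripts:", compare_modes(count))
```

With 100 external scripts the hash-mode line is about 5.5 kB: below the 8k the plugin assumes, so it is sent as a header, but above the 4k the proxy accepts, which is exactly the gap between the two checks in this thread. The nonce-mode line stays at roughly 120 bytes regardless of script count.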
    Thread Starter esadc

    (@esadc)

    Okay, that’s good to know. I’ll play around with my Nginx config and see if it fixes the issue (don’t have time atm).

    I don’t think I can do anything in the PHP code to deal with this issue

    Not sure I entirely understand this. When I removed the PHP code snippets I listed in my previous post, that fixed the 502 errors; or is it that the code snippets listed above somehow add additional JS/CSS that need hashes (I don’t see how that could happen), which then leads to the response header being too big?

    I think it is better to use nonce for external content

    The primary reason why I want to use hashes instead of nonces is because I want to statically cache pages; this means that nonces will never change (until the cache is cleared) for each page, which opens up a CSP bypass.

    Thread Starter esadc

    (@esadc)

    I’ve added the following to my WordPress server block and it fixed my issue

    proxy_buffers 8 16k;
    proxy_buffer_size 16k;

    Thank you for your help!
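For readers landing here with the same error, an added configuration example (not from the thread) showing the two directives from the fix in context. The hostnames and upstream address are placeholders. proxy_buffer_size is the buffer that has to hold the entire response header coming back from the upstream; its default is one memory page (4k on most builds), which is why a CSP header of a few kilobytes of sha256 sources produces "upstream sent too big header" and a 502. large_client_header_buffers only governs request headers arriving from the client, so raising it, as tried earlier in this thread, cannot help with this error.

```nginx
# Reverse proxy in front of the WordPress origin (placeholder addresses).
upstream wordpress_origin {
    server 10.0.0.10:443;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    location / {
        proxy_pass https://wordpress_origin;
        proxy_set_header Host $host;

        # Weak (default) setting, shown commented out: one page-sized buffer.
        # A multi-kilobyte Content-Security-Policy header does not fit, nginx
        # logs "upstream sent too big header" and returns 502 to the client.
        #
        # proxy_buffer_size 4k;
        # proxy_buffers 8 4k;

        # Corrected: the values from the post above. The full upstream
        # response header must fit inside proxy_buffer_size.
        proxy_buffer_size 16k;
        proxy_buffers 8 16k;
    }
}
```

If the same nginx instance also talks to php-fpm directly (the origin's own server block), the equivalent knobs for that hop are fastcgi_buffer_size and fastcgi_buffers. After editing, validate and reload with nginx -t && systemctl reload nginx, and size the buffers against reality rather than guessing: curl -sI https://example.com/wp-login.php | wc -c prints the byte count of the response headers for the page that was failing.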

  • The topic ‘http 502 error with CSP hashes’ is closed to new replies.