Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression: Caddy 2.9.0 returns 411 Length Required for some sites #6757

Closed
spurgeonbj opened this issue Jan 1, 2025 · 30 comments · Fixed by #6759
Closed

Regression: Caddy 2.9.0 returns 411 Length Required for some sites #6757

spurgeonbj opened this issue Jan 1, 2025 · 30 comments · Fixed by #6759
Labels
bug 🐞 Something isn't working
Milestone

Comments

@spurgeonbj
Copy link

After upgrading from Caddy 2.8.4 to 2.9.0, Joomla sites started returning HTTP 411 ("Length Required") errors for certain requests. Downgrading to Caddy 2.8.4 resolves the issue, indicating a regression or stricter enforcement of request header handling in 2.9.0.

The problem seems related to:

  1. Handling of requests without a Content-Length header.

. Requests that were previously allowed in Caddy 2.8.4 now fail in 2.9.0.

  1. Interaction with Joomla's rewrites.

. Joomla relies on rewrites for dynamic routing (e.g., /index.php?{query}). The rewrites still work, but certain requests (possibly POST or other non-GET methods) fail with 411.

Steps to Reproduce:

Configure a Joomla site with the following minimal Caddyfile:

example.com {
    root * /var/www/samplesite
    php_fastcgi unix//run/php/php7.4-fpm.sock
    file_server

    @joomlaNotFound {
        not file {path}
        not file {path}/index.php
    }
    rewrite @joomlaNotFound /index.php?{query}
}

Make a POST request without a Content-Length header:

curl -X POST https://dev.apcwo.org/path -d '' -v

Observe a 411 response in Caddy 2.9.0. The same configuration works in Caddy 2.8.4.

Expected Behavior: Caddy should handle requests without a Content-Length header the same way as in version 2.8.4 or provide clear guidance on how to adapt the configuration.

Observed Behavior: Caddy 2.9.0 returns 411 errors for requests that worked in 2.8.4, breaking Joomla functionality.

Additional Details:

Joomla uses rewrites heavily, and the issue seems tied to how Caddy processes requests during rewrites.
The problem was tested with PHP-FPM and occurs even with minimal configurations.
Caddy logs show no additional details besides the 411 response.
Downgrading to Caddy 2.8.4 immediately resolves the issue.

Environment:

Caddy Version: 2.9.0
PHP Version: 7.4 (PHP-FPM)
Joomla Version: (3.10)
OS: (Ubuntu 20.04)

Suggestions for Debugging:

Review changes in Caddy 2.9.0 related to request handling or HTTP compliance.
Investigate interactions between the rewrite directive and PHP-FPM.

@FatihKoz
Copy link

FatihKoz commented Jan 1, 2025

Issue also affects Laravel applications running with Caddy.

@devzkhalil
Copy link

I cannot setup my laravel project using Caddy 2.9.0

@Brawl345
Copy link

Brawl345 commented Jan 1, 2025

Same thing happening to my WordPress site. I have only observed this in Firefox though. Downgrading fixed it.

@teddysun
Copy link

teddysun commented Jan 1, 2025

Same issue.
I think I found the reason.
The following two PRs are the reasons.

#6638
#6661

I revoked these two PRs and compiled manually again, and the problem was solved.

@WeidiDeng
Copy link
Member

Add request_buffers to your reverse proxy configuration and see if the problem is fixed.

@teddysun 6638 is not the cause, that actually fixes the buffering problem. Revert 6661 and see if it will happen.

These two patches are implemented to solve the ddos attacks reported. However, request buffering will be needed if content length is not specified.

Any access logs will be appreciated to see if any alternative approaches without enabling explicit request buffering can be done.

@spurgeonbj spurgeonbj changed the title Regression: Caddy 2.9.0 returns 411 Length Required for Joomla Sites Regression: Caddy 2.9.0 returns 411 Length Required for some sites Jan 1, 2025
@teddysun
Copy link

teddysun commented Jan 1, 2025

@WeidiDeng

Yes, revert #6661 and problem was solved.

@dzervelce
Copy link

Ubuntu 22 (ARM), PHP 8.3.
Same problem - after upgrading to 2.9.0 from 2.8.4 all websites return 411 error, also when making GET request from Chrome 132.
Downgrading back to 2.8.4 solved this issue.

@WeidiDeng
Copy link
Member

@teddysun Can you test if xcaddy build fastcgi_buffer fixes this issue?

@Telesphoreo
Copy link

I am having this issue, but oddly only on a few select servers. Downgrading has not fixed it for me. Tried Firefox and the first request went through, but subsequent ones did not. This is very odd

@rwinkhart
Copy link

Encountered this issue on my basic HTML+CSS+PHP sites. Was fixed by reverting #6661.

@WeidiDeng
Copy link
Member

@rwinkhart Can you test if xcaddy build fastcgi_buffer fixes this issue?

@mholt
Copy link
Member

mholt commented Jan 2, 2025

@teddysun @Telesphoreo @dzervelce @Brawl345 @spurgeonbj We know that downgrading fixes the issue; it's already an established regression -- but please notice @WeidiDeng is asking if others can verify whether #6759 fixes it without having to revert and downgrade. If no one experiencing the issue can verify this then we cannot release a patch. Weidi has even provided instructions multiple times now for an easy way to compile Caddy with the proposed patch: xcaddy build fastcgi_buffer -- we would greatly appreciate that you try it so we can release a proper patch. 🙂 Thank you!

@Telesphoreo
Copy link

Telesphoreo commented Jan 2, 2025

Yes, I added request_buffers 100m inside my php_fastcgi block and it did fix it. Very weird on why this only happened on one server (regardless of PHP being used for the actual subdomain). I have one local VM that builds caddy with xcaddy and deploying it to all of those went fine. On a few servers that I just update with apt, some had issues and some didn't. They all have the same Caddy configuration. Very weird that downgrading didn't fix it for me, but adding that block did fix it.

Edit: The fix did work. You can ignore everything else. I am definitely very tired and have everything mixed up. I did not realize that the caddy add-package command upgraded you to 2.9.0 even though I had downgraded with apt. Basically, all the servers I deployed a self built caddy binary worked. Some upgraded fine with apt, some did not. I realize now that all the inconsistencies were my use of the add-package command on the servers that install caddy from apt.

@rwinkhart
Copy link

rwinkhart commented Jan 2, 2025

@WeidiDeng The build seems to be failing due to an import cycle when I try that. Haven't used xcaddy before (I've just been building with go build). All I did was install it and run your suggested command, so I'm not sure if I did something wrong. Tried on two different computers using xcaddy from the Alpine repos and from the AUR.

2025/01/02 01:47:43 [INFO] exec (timeout=0s): /usr/bin/go build -o /home/cuan/caddy/caddy -ldflags -w -s -trimpath -tags nobadger,nomysql,nopgx 
package caddy
        imports github.com/caddyserver/caddy/v2/modules/standard
        imports github.com/caddyserver/caddy/v2/modules/caddyhttp/standard
        imports github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
        imports github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy/fastcgi
        imports github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy: import cycle not allowed

Edit: Though this could probably be assumed, I thought I should specify that it does build fine without specifying fastcgi_buffer.

@zwieratko
Copy link

I have the same problem. After upgrading from Caddy 2.8.4 -> 2.9.0 the site was broken/unresponsive. I can confirm that after adding request_buffers 4k to the php_fastcgi directive everything is fine.
Sorry, I couldn't do the build.

zwerimex.com {
    root * /var/www/zw_test01
    encode zstd gzip
    try_files {path} {path}.php {path}.html

    file_server

    php_fastcgi unix//run/php/php8.3-fpm.sock {
        request_buffers 4k
    }

    header {
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), payment=(), serial=(), usb=()"
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Frame-Options "deny"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "no-referrer-when-downgrade"
    }
}

@teddysun
Copy link

teddysun commented Jan 2, 2025

@teddysun @Telesphoreo @dzervelce @Brawl345 @spurgeonbj We know that downgrading fixes the issue; it's already an established regression -- but please notice @WeidiDeng is asking if others can verify whether #6759 fixes it without having to revert and downgrade. If no one experiencing the issue can verify this then we cannot release a patch. Weidi has even provided instructions multiple times now for an easy way to compile Caddy with the proposed patch: xcaddy build fastcgi_buffer -- we would greatly appreciate that you try it so we can release a proper patch. 🙂 Thank you!

After #6759 commit 3ba88fe
I tested again.
All the issues I found were resolved. LGTM.
I hope there will be more tests and merge into the master as soon as possible.

@spurgeonbj
Copy link
Author

Thanks a ton! #6759 LGTM too! God bless you abundantly in all that concerns you!

@jum
Copy link
Contributor

jum commented Jan 2, 2025

Happy to report that fastcgi_buffer fixes HTTP/3 error 411 problems from nextcloud via HTTP/3 for me.

@skrlance
Copy link

skrlance commented Jan 2, 2025

Happy to report that fastcgi_buffer fixes HTTP/3 error 411 problems from nextcloud via HTTP/3 for me.

I am unable to use xCaddy on my Almalinux 9 server to build with fastcgi_buffer. Instead I tried adding the syntax request_buffers 100m or request_buffers 4k both didn't solved the issue.

        php_fastcgi unix//run/php-fpm/www.sock {
        request_buffers 100m
        }

All images stopped displaying in WordPress admin before or after I used request_buffers syntax. Difference is that previously it wasn't displaying and after it didn't loaded.

@mholt
Copy link
Member

mholt commented Jan 2, 2025

Thank you to everyone who tested @WeidiDeng's hotfix! (And huge thanks to Weidi for the quick PR.) We will probably rework the details of the patch later but for now it seems like it does the job.

@mholt mholt added the bug 🐞 Something isn't working label Jan 2, 2025
@mholt mholt added this to the v2.9.1 milestone Jan 2, 2025
@rnestler
Copy link

rnestler commented Jan 5, 2025

The upgrade to 2.9.0 broke accessing the web-interface of my self-hosted nextcloud instance over HTTP/3. HTTP/2 still worked, also the nextcloud desktop clients worked. Adding request_buffers to the php_fastcgi section seemed to work:

     php_fastcgi 127.0.0.1:9000 {
+        request_buffers 4096

But then I got an error when trying to log in and the desktop clients stopped working properly.

Reverting to 2.8.4 fixed the issue.

@skrlance
Copy link

skrlance commented Jan 5, 2025

The upgrade to 2.9.0 broke accessing the web-interface of my self-hosted nextcloud instance over HTTP/3. HTTP/2 still worked, also the nextcloud desktop clients worked. Adding request_buffers to the php_fastcgi section seemed to work:

 php_fastcgi 127.0.0.1:9000 {
  •    request_buffers 4096
    

But then I got an error when trying to log in and the desktop clients stopped working properly.

Reverting to 2.8.4 fixed the issue.

Reverting back to v2.8.4 didn't worked for me and I still had to add request buffers 10m. It did worked then but thumbnails aren't displaying in WordPress media library.

@Telesphoreo
Copy link

Yeah, Pterodactyl (PHP Laravel) broke under 2.9.0 even with the request buffers fix. I (correctly) downgraded to 2.8.4 and everything started working again.

@skrlance
Copy link

skrlance commented Jan 6, 2025

Yeah, Pterodactyl (PHP Laravel) broke under 2.9.0 even with the request buffers fix. I (correctly) downgraded to 2.8.4 and everything started working again.

How to correctly downgrade to 2.8.4? Thanks

@spurgeonbj
Copy link
Author

spurgeonbj commented Jan 6, 2025

Yeah, Pterodactyl (PHP Laravel) broke under 2.9.0 even with the request buffers fix. I (correctly) downgraded to 2.8.4 and everything started working again.

How to correctly downgrade to 2.8.4? Thanks

I did like this with ChatGPT's help - on Ubuntu 22.04

To test the PR #6759 on your system, you'll need to build Caddy from the specific branch or commit associated with the pull request. Here's how you can do it step-by-step:

Steps to Test PR #6759
Clone the Caddy Repository: If you haven't already cloned the repository, do so:

git clone https://github.com/caddyserver/caddy.git
cd caddy

Fetch and Checkout the PR Branch: Fetch the pull request's branch and check it out locally:

git fetch origin pull/6759/head:pr-6759
git checkout pr-6759

This command fetches the pull request into a local branch named pr-6759.

Build Caddy from Source: Ensure you have Go installed (at least version 1.19) to build Caddy. Then, run the following commands:

go mod tidy
go build -o caddy

The caddy binary will be created in the current directory.

Replace the Existing Caddy Binary: Stop the currently running Caddy service:

sudo systemctl stop caddy
Replace the existing binary with your newly built binary:

sudo cp ./caddy /usr/bin/caddy
Ensure the binary has executable permissions:

sudo chmod +x /usr/bin/caddy
Restart the Caddy Service: Start Caddy with the new binary:

sudo systemctl start caddy
Test Your Site

@rnestler
Copy link

rnestler commented Jan 6, 2025

How to correctly downgrade to 2.8.4? Thanks

On Debian based systems it should be as easy as sudo apt-get install caddy=2.8.4

@Telesphoreo
Copy link

Telesphoreo commented Jan 6, 2025

If you installed with apt, then yes, the command above works. If you built with xcaddy then it's as simple as xcaddy build v2.8.4 and moving the binary to /usr/bin.

If you're on Debian you will need go. You can easily install the latest version from snap with the following

sudo apt install snapd -y
sudo snap install --classic go
ln -s /snap/bin/go /usr/bin/go 

Then install xcaddy (commands pulled from official documentation)

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list
sudo apt update
sudo apt install xcaddy

Then run xcaddy build v2.8.4 and then mv caddy /usr/bin.
Or, you can build the master branch which has the fix: xcaddy build master then mv caddy /usr/bin.

You should already have a caddy user and group but if you don't, then:

sudo groupadd --system caddy
sudo useradd --system \
    --gid caddy \
    --create-home \
    --home-dir /var/lib/caddy \
    --shell /usr/sbin/nologin \
    --comment "Caddy web server" \
    caddy

If you don't already have a caddy service then:
In /etc/systemd/system make a new file caddy.service and paste https://github.com/caddyserver/dist/blob/master/init/caddy.service in

Then you can finally run

sudo systemctl daemon-reload
sudo systemctl enable --now caddy

and now you have Caddy custom built with xcaddy from scratch! Since I deploy it to so many servers at once, you can make a script to SCP it over automatically to all of your servers.

@mkalus
Copy link

mkalus commented Jan 7, 2025

Building using xcaddy fastcgi_buffer did not solve my issue. Still getting 411 responses on http3.

@Telesphoreo
Copy link

Building using xcaddy fastcgi_buffer did not solve my issue. Still getting 411 responses on http3.

Try building the master branch. And make sure your restart caddy after moving the binary

@mkalus
Copy link

mkalus commented Jan 7, 2025

Building using xcaddy fastcgi_buffer did not solve my issue. Still getting 411 responses on http3.

Try building the master branch. And make sure your restart caddy after moving the binary

Thanks, that works without issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug 🐞 Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.