"Extra Headers" in newer mc client

[zllovesuki]

Expected behaviour

mc cp should yield successful upload.

Actual behaviour

comm-wche84-lt:essays rachel$ mc --debug cp /Users/rachel/Downloads/giphy.gif Rachel/hexo/stop-it.gif
mc: <DEBUG> GET /hexo/?location= HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20180720T231455Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C08C9A46BE
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  620.68303ms

mc: <DEBUG> GET /hexo/?delimiter=%2F&max-keys=1000&prefix=stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C08DD18908
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  17.170555ms

mc: <DEBUG> HEAD /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C08F2D3BF8
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  22.167836ms

mc: <DEBUG> GET /hexo/?delimiter=%2F&max-keys=1000&prefix=stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 154336C0907ABE20
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  26.127676ms

mc: <DEBUG> HEAD /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20180720T231456Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Fri, 20 Jul 2018 23:14:58 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C09206FE55
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  21.589167ms

...oads/giphy.gif:  1.16 MB / 1.16 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 1.53 MB/s 0smc: <DEBUG> PUT /hexo/stop-it.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-07-13T00:53:22Z
Content-Length: 1219402
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20180720/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-meta-com.apple.quarantine, Signature=**REDACTED**
Content-Type: image/gif
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20180720T231456Z
X-Amz-Meta-Com.apple.quarantine: 0082;5b526676;Safari;
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Fri, 20 Jul 2018 23:15:00 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 154336C0FBF99F70
X-Xss-Protection: 1; mode=block

11d
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>There were headers present in the request which were not signed</Message><Key></Key><BucketName></BucketName><Resource>/hexo/stop-it.gif</Resource><RequestId>3L137</RequestId><HostId>3L137</HostId></Error>
0

mc: <DEBUG> Response Time:  1.792951893s

mc: <ERROR> Failed to copy `/Users/rachel/Downloads/giphy.gif`. Insufficient permissions to access this file `https://rachel.objectstore.co/hexo/stop-it.gif`
 (3) cp-main.go:404 cmd.doCopySession(..) Tags: [/Users/rachel/Downloads/giphy.gif]
 (2) common-methods.go:196 cmd.uploadSourceToTargetURL(..) Tags: [https://rachel.objectstore.co/hexo/stop-it.gif]
 (1) common-methods.go:130 cmd.putTargetStream(..) Tags: [Rachel, https://rachel.objectstore.co/hexo/stop-it.gif]
 (0) client-s3.go:656 cmd.(*s3Client).Put(..)
 Release-Tag:RELEASE.2018-07-13T00-53-22Z | Commit:70dcf20d747d | Host:comm-wche84-lt.local | OS:darwin | Arch:amd64 | Lang:go1.10.2 | Mem:6.6MB/17MB | Heap:6.6MB/12MB
...oads/giphy.gif:  1.16 MB / 1.16 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 663.50 KB/s 1s

Steps to reproduce the behaviour

mc cp src dst_on_minio

mc version

comm-wche84-lt:essays Rachel$ mc version
Version: 2018-07-13T00:53:22Z
Release-tag: RELEASE.2018-07-13T00-53-22Z
Commit-id: 70dcf20d747d305f73a117b4787acf46e6809d99

System information

Darwin

@harshavardhana mentioned that it should've been fixed in #2193 but no cigar.

[zllovesuki]

maybe nginx added something juicy to the headers and then Minio complains?

[harshavardhana]

@zllovesuki do you have Nginx proxy between Minio? can you point directly to Minio and see if that works?

[zllovesuki]

@harshavardhana well, it's running on Kubernetes so the Ingress is always there. I don't think nginx is the problem because prior versions of mc works fine with Nginx in between the user and Minio.

[harshavardhana]

@harshavardhana well, it's running on Kubernetes so the Ingress is always there. I don't think nginx is the problem because prior versions of mc works fine with Nginx in between the user and Minio.

Then perhaps I need to reproduce this locally perhaps recent changes in signature v4 are causing the issue. @zllovesuki

[zllovesuki]

Still broken as of current release on homebrew.

Rachels-MacBook:~ rachel$ mc version
Version: 2018-09-10T23:39:12Z
Release-tag: RELEASE.2018-09-10T23-39-12Z
Commit-id: c352cadd4be2c6bed64884c78d1e8a8ac6efaf3f

[harshavardhana]

Still broken as of current release on homebrew.

From what I can see this has to do with your nginx proxy, I am not sure what its trying to do with the headers. I can't seem to be able to reproduce it.

[tholu]

Still broken for me as well, reproducible with Minio behind nginx and mc on MacOS.

Version: 2018-09-26T00:42:43Z
Release-tag: RELEASE.2018-09-26T00-42-43Z
Commit-id: 87f7e65c4c837c8886bf2dd8800c445983b36187

Previous versions of mc worked fine. The Minio webinterface works fine as well.

@zllovesuki Have you found a solution?

[tholu]

My nginx configuration:

upstream minio_servers {
    server 127.0.0.1:9001;
    server 127.0.0.1:9002;
    server 127.0.0.1:9003;
    server 127.0.0.1:9004;
}

server {
    server_name my.minio.server;
    client_max_body_size 512M;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass       http://minio_servers;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my.minio.server/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.minio.server/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

[tholu]

Found the issue!

This is the extra header that is only added for files with a custom xattr attribute on MacOS: X-Amz-Meta-Com.apple.quarantine: 0082;5bbe2ec5;Keka;

Check existing attributes with: xattr file.zip
You can get rid of attributes (here: com.apple.quarantine) by:
xattr -d com.apple.quarantine file.zip

After that, uploading with mc works just fine.

[zllovesuki]

Interesting, I will check my computer later.

[zllovesuki]

Can confirm.

Rachels-MacBook:~ rachel$ xattr -d com.apple.quarantine ~/Downloads/ezgif.com-optimize.gif 
Rachels-MacBook:~ rachel$ mc --debug cp ~/Downloads/ezgif.com-optimize.gif rachel/dist/hue.gif
mc: <DEBUG> GET /dist/?location= HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010120Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E3C2F83F1
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  411.104274ms

mc: <DEBUG> GET /dist/?delimiter=%2F&max-keys=1000&prefix=hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E3E630800
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  30.125179ms

mc: <DEBUG> HEAD /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E4051BC08
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  32.376025ms

mc: <DEBUG> GET /dist/?delimiter=%2F&max-keys=1000&prefix=hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Content-Type: application/xml
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Accept-Encoding
Vary: Origin
X-Amz-Request-Id: 155D054E424FF8C5
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  33.95394ms

mc: <DEBUG> HEAD /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20181013T010121Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Connection: close
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:21 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E444DEED8
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  28.903296ms

...optimize.gif:  1.99 MB / 1.99 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 3.15 MB/s 0smc: <DEBUG> PUT /dist/hue.gif HTTP/1.1
Host: rachel.objectstore.co
User-Agent: Minio (darwin; amd64) minio-go/v6.0.6 mc/2018-09-10T23:39:12Z
Content-Length: 2083206
Authorization: AWS4-HMAC-SHA256 Credential=rachel/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
Content-Type: image/gif
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010121Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
Date: Sat, 13 Oct 2018 01:01:22 GMT
Etag: "c0e09c3ba99d1133c8c848e29fb27430"
Strict-Transport-Security: max-age=15724800; includeSubDomains
Vary: Origin
X-Amz-Request-Id: 155D054E84C7E947
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  1.088734018s

...optimize.gif:  1.99 MB / 1.99 MB  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓  100.00% 1.82 MB/s 1s

Is it a good idea for mc to strip such attrs?

[harshavardhana]

Is it a good idea for mc to strip such attrs?

We can support it @zllovesuki - it must be a bug.

[harshavardhana]

looks like this is working fine when I directly use Minio

mc: <DEBUG> POST /sjm-airlines/rhel-server-7.4-x86_64-dvd.iso?uploads= HTTP/1.1
Host: localhost:9000
User-Agent: Minio (linux; amd64) minio-go/v6.0.8 mc/2018-10-11T22:45:56Z
Content-Length: 0
Authorization: AWS4-HMAC-SHA256 Credential=minio/20181013/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-meta-user.xdg.origin.url, Signature=**REDACTED**
Content-Type: application/x-iso9660-image
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20181013T010537Z
X-Amz-Meta-User.xdg.origin.url: https://access.cdn.redhat.com//content/origin/files/sha256/43/431a58c8c0351803a608ffa56948c5a7861876f78ccbe784724dd8c987ff7000/rhel-server-7.4-x86_64-dvd.iso?_auth_=1520282889_258e1e3f3dc397397d0dace5891c60aa
Accept-Encoding: gzip

The problem seems to be coming in from the nginx trying to do something with these headers, can you enable MINIO_HTTP_TRACE=/dev/stdout to see what nginx is sending to Minio?

@zllovesuki ^^

[zllovesuki]

@harshavardhana stdout is going to explode if I do TRACE on the prod server. Maybe you can reference @tholu's config?

[harshavardhana]

@harshavardhana stdout is going to explode if I do TRACE on the prod server. Maybe you can reference @tholu's config?

@zllovesuki you can even write to a file @zllovesuki ? MINIO_HTTP_TRACE=trace.log

[zllovesuki]

Finally I have time to sit down...

Here's the trace file. minio-trace.txt

For reference this is the yaml for test minio:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: minio-test
  namespace: objectstore
spec:
  rules:
  - host: test.objectstore.co
    http:
      paths:
      - backend:
          serviceName: minio-test
          servicePort: 9000
        path: /
  tls:
  - hosts:
    - test.objectstore.co
    secretName: objectstore-tls-gs
---
apiVersion: v1
kind: Service
metadata:
  name: minio-test
  namespace: objectstore
spec:
  ports:
  - port: 9000
    protocol: TCP
    targetPort: 9000
  selector:
    app: minio-test
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: minio-test
  name: minio-test
  namespace: objectstore
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio-test
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio-test
    spec:
      containers:
      - args:
        - server
        - /storage
        command:
        - minio
        env:
        - name: MINIO_ACCESS_KEY
          value: test
        - name: MINIO_SECRET_KEY
          value: testtest123
        - name: MINIO_BROWSER
          value: "off"
        - name: _MINIO_CACHE
          value: "off"
        - name: MINIO_HTTP_TRACE
          value: "/dev/stdout"
        image: minio/minio:RELEASE.2018-07-13T00-09-07Z
        imagePullPolicy: IfNotPresent
        name: minio
        ports:
        - containerPort: 9000
          protocol: TCP
        volumeMounts:
        - mountPath: /storage
          name: storage
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      volumes:
      - name: storage
        emptyDir: {}

Ingress controller from: https://github.com/kubernetes/ingress-nginx. Running image quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0, with the following configuration:

apiVersion: v1
data:
  disable-access-log: "true"
  enable-dynamic-tls-records: "true"
  enable-modsecurity: "false"
  enable-owasp-modsecurity-crs: "false"
  enable-vts-status: "true"
  error-log-level: warn
  keep-alive: "60"
  load-balance: ip_hash
  max-worker-connections: "20480"
  proxy-body-size: 2g
  proxy-buffer-size: 64k
  proxy-connect-timeout: "5"
  proxy-read-timeout: "3600"
  proxy-send-timeout: "3600"
  proxy-stream-timeout: "604800"
  server-name-hash-max-size: "512"
  server-tokens: "false"
  ssl-ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-dh-param: default/nginx-dhparam-4096
  ssl-ecdh-curve: prime256v1:secp384r1:secp521r1
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-session-tickets: "false"
  worker-processes: "4"
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: default

[harshavardhana]

@zllovesuki we found the solution #2569 and in-fact its Nginx problem

[zllovesuki]

for people Googling: set ignore-invalid-headers to false in your configmap

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.