Maximum header size restricted to 4096 bytes #518

Closed
kusold opened this issue Dec 22, 2019 · 12 comments
Assignees
Labels
priority/3/medium Medium priority items type/integration-issue A problem of integration with the ecosystem. Needs help from the community but no fix in Authelia.

Comments

@kusold
Contributor

kusold commented Dec 22, 2019

I have an application that uses a large header size, but fasthttp limits the size of the header by default.

Authelia should be able to pass through configurations to fasthttp:
https://godoc.org/github.com/valyala/fasthttp#Server

// Current call: a bare fasthttp.ListenAndServe, which gives no way to set fasthttp.Server fields such as ReadBufferSize
logging.Logger().Fatal(fasthttp.ListenAndServe(portPattern,
    middlewares.LogRequestMiddleware(router.Handler)))

Alternatively: Is there a reason to use fasthttp? What was net/http not able to provide?

I downgraded to v3, and validated that my setup works. This is a regression in v4.

@kusold kusold changed the title Allow maximum header size to be configurable Maximum header size restricted to 4096 bytes Dec 22, 2019
@clems4ever
Member

Hello @kusold, thank you for reporting this issue. I'm wondering what that header holding more than 4096 bytes sent to Authelia is. Is it supposed to be delivered to Authelia somehow?
If it's X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-URI or X-Real-IP, I guess it's a regression. Otherwise it's a misconfiguration; this header should simply be stripped in the reverse proxy configuration in order to not transmit headers that are not supposed to reach Authelia.

Regarding your question about fasthttp, I had to make a choice at some point and I wanted Authelia to handle a high throughput and reduce the price of the hop to the minimum. But I'm open to changing my mind if I see any valid reason to roll back.

@clems4ever clems4ever added type/integration-issue A problem of integration with the ecosystem. Needs help from the community but no fix in Authelia. priority/3/medium Medium priority items labels Dec 27, 2019
@clems4ever clems4ever self-assigned this Dec 27, 2019
@kusold
Contributor Author

kusold commented Dec 28, 2019

The header is a large JWT token that needs to get passed to a backend service (Kibana in this particular case) for authorization purposes. I currently have the service set up with a bypass rule in Authelia, but it is still subject to the header size limit.

@clems4ever
Member

clems4ever commented Dec 28, 2019

Ok so right now this header should simply be stripped because it is not supposed to be sent to Authelia. However, it could definitely be a problem when OAuth2 is implemented. I will keep this use case in mind for the future.

Please strip the header and let us know if everything works for you in v4 or if you need more assistance.

@nightah
Member

nightah commented Jan 10, 2020

@kusold have you had any luck with this?

@kusold
Contributor Author

kusold commented Jan 10, 2020

@nightah I downgraded to v3, because it doesn’t have a header size limit. The main bottleneck is that because Traefik sends every request through Authelia, there isn’t a way to strip the header for Authelia but preserve it for the receiving service.

@james-d-elliott
Member

james-d-elliott commented Apr 6, 2020

@kusold if you're still interested in solving this, mind testing it for me? I think I have a fix sorted out.

If you're using Docker, the image will be tagged authelia/authelia:feature-read-buffer-size; if not, you can grab an artifact from here: https://buildkite.com/authelia/authelia/builds/1245

You will need to add read_buffer_size: to your configuration.
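
To make the limit discussed in this thread concrete, here is an added example that is not Authelia's code and not from the fasthttp project. It is written against the standard library's net/http, whose Server.MaxHeaderBytes is the counterpart of fasthttp's Server.ReadBufferSize (the fasthttp field that must grow for a multi-KB header to be read at all), so that it runs with no extra dependency. It sends a 16 KiB header, a constructed stand-in for the JWT described above, to a throwaway server first with a 4096-byte limit and then with a 64 KiB limit, and returns the status code the server answered with. The function name probeHeaderLimit and the header name X-Big-Token are made up for this example.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// probeHeaderLimit starts a throwaway net/http server with MaxHeaderBytes set to
// maxHeaderBytes, sends it one request carrying a single header of headerLen
// bytes, and returns the HTTP status the server answered with.
// probeHeaderLimit and X-Big-Token are names constructed for this example.
func probeHeaderLimit(maxHeaderBytes, headerLen int) (int, error) {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached when the whole header block fit within the server's limit.
		fmt.Fprintf(w, "%d", len(r.Header.Get("X-Big-Token")))
	})
	ts := httptest.NewUnstartedServer(handler)
	// net/http's knob is MaxHeaderBytes (default http.DefaultMaxHeaderBytes, 1 MiB).
	// fasthttp's equivalent is Server.ReadBufferSize (default 4096 bytes): the
	// request line plus all headers must fit in that per-connection read buffer.
	ts.Config.MaxHeaderBytes = maxHeaderBytes
	ts.Config.ErrorLog = log.New(io.Discard, "", 0) // keep the rejection quiet
	ts.Start()
	defer ts.Close()

	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
	if err != nil {
		return 0, err
	}
	// Constructed stand-in for the large JWT from the report.
	req.Header.Set("X-Big-Token", strings.Repeat("x", headerLen))

	resp, err := ts.Client().Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	// net/http answers an oversized header block with 431 Request Header Fields
	// Too Large instead of dispatching the request to the handler.
	return resp.StatusCode, nil
}

func main() {
	const token = 16 * 1024 // 16 KiB header, well above fasthttp's 4096-byte default
	for _, limit := range []int{4096, 64 * 1024} {
		status, err := probeHeaderLimit(limit, token)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("MaxHeaderBytes=%d header=%d bytes -> HTTP %d\n", limit, token, status)
	}
}
```

The two runs show the regression mechanism from the first comment: the same request is accepted by one server and rejected by the other purely because of the configured buffer, not because of anything Authelia's rules decide. Note that net/http grants roughly 4 KiB of slack for the request line on top of MaxHeaderBytes, which is why the example uses a 16 KiB header rather than one just over 4096 bytes. On the operations side, a rejected request surfaces as a 431 (net/http) or a read error (fasthttp) at the Authelia hop rather than as a denied authorization, so that status is the thing to watch for in the proxy's access logs when a bypassed service suddenly stops receiving traffic.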

@nightah
Member

nightah commented Apr 9, 2020

Ping @kusold, it would be great to get your feedback on this so that we can close this issue off.

@nightah
Member

nightah commented Apr 15, 2020

@kusold, I'm closing this off in the interim.

We will leave the feature-read-buffer-size container there until either you have the opportunity to test or we can simulate your specific use case.

Feel free to ping either of us when/if you get a chance and we can re-open this issue and look to hopefully get that change merged in.

@james-d-elliott
Member

james-d-elliott commented Oct 17, 2020

@kusold this may be able to be solved by a configuration change with Traefik in the next release. See traefik/traefik#7226

@Mrs-Feathers

I'm having the same issue, but for nginx.

@james-d-elliott
Member

@Mrs-Feathers

Mrs-Feathers commented Aug 5, 2023

Sadly, that documentation was unhelpful; the page you linked to basically just said "you should change them", and the link for the actual page on buffers was confusing. I couldn't solve this issue, so, apologies, but I've moved on.
