All requests return 400 error when using Linux swag in front of roadrunner-based Shlink

[gabriel-lando]

How Shlink is set up

• Shlink Version: 3.6.0
• PHP Version: Not sure :(
• How do you serve Shlink: Docker image (tag: stable)
• Database engine used: MySQL (Docker image mysql:latest)

Summary

After upgrading to latest version, everything stopped working. When I tried to access any URL, I was receiving 400 Bad Request error.
I use Watchtower weekly to keep my images always up to date and I was using shlink:stable docker image.
This is the docker-compose YAML file I'm currently using:

version: "3"

services:
  shlink:
    image: shlinkio/shlink:stable
    pull_policy: always
    container_name: shlink
    restart: unless-stopped
    tty: true
    stdin_open: true
    external_links:
      - mysql:mysql
    environment:
      IS_HTTPS_ENABLED: "true"
      DEFAULT_DOMAIN: ${SHLINK_DOMAIN}
      DB_DRIVER: ${SHLINK_DB_DRIVER}
      DB_NAME: ${SHLINK_DB_NAME}
      DB_USER: ${SHLINK_DB_USER}
      DB_PASSWORD: ${SHLINK_DB_PASSWORD}
      DB_HOST: ${SHLINK_DB_HOST}
      GEOLITE_LICENSE_KEY: ${SHLINK_GEOLITE_KEY}
      DEFAULT_INVALID_SHORT_URL_REDIRECT: ${SHLINK_INVALID_REDIRECT}
      DEFAULT_REGULAR_404_REDIRECT: ${SHLINK_404_REDIRECT}
      DEFAULT_BASE_URL_REDIRECT: ${SHLINK_URL_REDIRECT}
    networks:
      - swag-network

networks:
  swag-network:
    name: swag

I tried a lot of times different ways to fix it, including testing different tags of the docker image. the one that is working for me is 3.6.0-openswoole. Found here.

Apparently, it seems an issue during the migration to the new docker runtime.

Follow the Docker logs after starting the stable tag:

2023-05-29T19:42:55.587040095Z Initializing database if needed... Success!
2023-05-29T19:42:56.257996950Z Updating database... Success!
2023-05-29T19:42:56.462195804Z Generating proxies... Success!
2023-05-29T19:42:56.622473012Z Clearing entities cache... Success!
2023-05-29T19:42:59.443052926Z Downloading GeoLite2 db file... Success!
2023-05-29T19:43:02.003282865Z DBG | ts=1685389382000112000 logger=rpc msg=plugin was started address=tcp://127.0.0.1:6001 list of the plugins with RPC methods:=["jobs","informer","lock","app","resetter"] 
2023-05-29T19:43:02.007814525Z DBG | ts=1685389382007457800 logger=jobs msg=driver ready pipeline=shlink driver=memory start=1685389382006990600 elapsed=0.000463939 
2023-05-29T19:43:02.008035023Z DBG | ts=1685389382007619000 logger=memory msg=pipeline was started driver=memory pipeline=shlink start=2023-05-29 19:43:02.007607254 +0000 UTC elapsed=27.213µs 
2023-05-29T19:43:02.115126210Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 37, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.120645209Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 35, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.134300150Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 36, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.140990934Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 38, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.246398144Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 40, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.246436777Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 44, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.246446226Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 43, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.248997149Z 2023-05-29T19:43:02+0000	DEBUG	server      	worker is allocated	{"pid": 45, "internal_event_name": "EventWorkerConstruct"}
2023-05-29T19:43:02.251224562Z [INFO] RoadRunner server started; version: 2023.1.3, buildtime: 2023-05-11T12:32:12+0000

Current behavior

Right now, I can use my instance with 3.6.0-openswoole tag. But I noticed that this runner is being deprecated soon.

Expected behavior

I expect that it works with the new runner :D

How to reproduce

I'm not sure. I'm using the same instance for a long long time (about 1.5 years). In the past I had to update my env vars during an upgrade, but since then I never touched anything. Watchtower always could handle the updates for me.

If I return to any tag that uses Roadrunner runtime, the issue starts happening again.

Obs: I never tried to rollback to a previous version.

[acelaya]

When I tried to access any URL, I was receiving 400 Bad Request error.

It would be good to know what is the response body for those 400 errors, because according to your logs, the server started successfully, but it is not registering any incoming request, which makes me think there's something in front of Shlink returning those errors.

[gabriel-lando]

Ohh that's exactly the response body :)

And I'm pretty sure that this response came from the shlink service, because if I turn it off, I receive the default NGINX 502 error (I'm using the Linuxserver's SWAG docker with NGINX as the reverse proxy for this service)

One (maybe important) information that I forgot to mention:

• I have 2 domains.
• My DEFAULT_DOMAIN env var value is exam.ple.
• The domain exam.ple is configured on my Cloudflare account redirecting every request to https://url.example.com
  • So, a call to https://exam.ple/docs is being redirected on Cloudflare to https://url.example.com/docs
• The https://url.example.com points to the shlink container using SWAG+NGINX
• shlink redirects to the final URL
• Using openswoole runtime, it aways worked :D

[acelaya]

Can you also share the request and response headers? Nginx can return 400s when configured as reverse proxy and sending too big headers.

Also, please check nginx logs, as the reason for the error will be most likely there. Perhaps openswoole accepts a bigger request by defaault and roadrunner is rejecting it.

[gabriel-lando]

Of course.

I did a cleanup in the nginx logs. After trying to access a URL, this was the content of the access.log file:

10.0.0.1 - - [30/May/2023:01:16:42 -0300] "GET /docs HTTP/2.0" 400 15 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.57"
10.0.0.1 - - [30/May/2023:01:16:42 -0300] "GET /favicon.ico HTTP/2.0" 400 15 "https://url.example.com/docs" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.57"

The error.log keeps empty (no error log was generated).

Regarding the request and response headers, these are all headers:

And these are the headers for a working request (using docker tag 3.6.0-openswoole):

[acelaya]

Can you try to put together a reproducible scenario via docker compose, with nginx as reverse proxy and Shlink 3.6 with roadrunner?

Also, sharing your nginx config would be helpful.

[gabriel-lando]

I will create a new environment to try to reproduce the issue at the end of the day :) while, follow my nginx config:

## Version 2021/05/18
# make sure that your dns has a cname set for <container_name> and that your <container_name> container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name url.*;

    set $upstream_app shlink;
    set $upstream_port 8080;
    set $upstream_proto http;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

[gabriel-lando]

Hi, I could reproduce the issue in a new (fresh) environment.
Follow all the config files used:

VM Configuration:

• OS: Ubuntu Server 22.04 up-to-date
• Docker version 24.0.2, build cb74dfc
• Docker Compose version v2.18.1
• Hardware:
  • 2 GB RAM
  • 2 vCPU

Obs: the VM that I had the initial issue is running Alpine Linux with a better hardware configuration.

Docker-Compose YAML:

version: "3"

services:
  shlink:
    image: shlinkio/shlink:stable
    pull_policy: always
    container_name: shlink
    restart: unless-stopped
    tty: true
    stdin_open: true
    depends_on:
      - mysql
    external_links:
      - mysql:mysql
    environment:
      IS_HTTPS_ENABLED: "true"
      DEFAULT_DOMAIN: ${SHLINK_DOMAIN}
      DB_DRIVER: ${SHLINK_DB_DRIVER}
      DB_NAME: ${SHLINK_DB_NAME}
      DB_USER: ${SHLINK_DB_USER}
      DB_PASSWORD: ${SHLINK_DB_PASSWORD}
      DB_HOST: ${SHLINK_DB_HOST}
      GEOLITE_LICENSE_KEY: ${SHLINK_GEOLITE_KEY}
      DEFAULT_INVALID_SHORT_URL_REDIRECT: ${SHLINK_INVALID_REDIRECT}
      DEFAULT_REGULAR_404_REDIRECT: ${SHLINK_404_REDIRECT}
      DEFAULT_BASE_URL_REDIRECT: ${SHLINK_URL_REDIRECT}
    networks:
      - swag-network

  swag:
    image: "ghcr.io/linuxserver/swag:latest"
    pull_policy: always
    container_name: swag
    restart: unless-stopped
    tty: true
    stdin_open: true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${SWAG_PATH}:/config
    environment:
      PUID: 1000
      PGID: 1000
      TZ: "America/Sao_Paulo"
      URL: ${SWAG_DOMAIN}
      EXTRA_DOMAINS: ${SWAG_EXTRA_DOMAINS}
      VALIDATION: "dns"
      DNSPLUGIN: "cloudflare"
      EMAIL: ${SWAG_EMAIL}
      STAGING: "false"
    cap_add:
      - NET_ADMIN
    networks:
      - swag-network

  mysql:
    image: mysql:latest
    pull_policy: always
    container_name: mysql
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_ROOT_PASSWORD: ${MYSQL_PASSWORD}
    volumes:
      - ${MYSQL_PATH}:/var/lib/mysql
    networks:
      - swag-network

networks:
  swag-network:
    name: swag

.env file with the environment variables:

# Swag variables
SWAG_PATH="/data/swag"
SWAG_DOMAIN="example.com"
SWAG_EXTRA_DOMAINS="*.example.com"
SWAG_EMAIL="[email protected]"

# MySQL variables
MYSQL_PATH="/data/mysql"
MYSQL_DATABASE="shlink"
MYSQL_PASSWORD="example-password"

# Shlink variables
SHLINK_DOMAIN="exam.ple"
SHLINK_DB_DRIVER="mysql"
SHLINK_DB_NAME="shlink"
SHLINK_DB_USER="root"
SHLINK_DB_PASSWORD="example-password"
SHLINK_DB_HOST="mysql"
SHLINK_GEOLITE_KEY="example-key"
SHLINK_INVALID_REDIRECT="https://app.shlink.io/"
SHLINK_404_REDIRECT="https://app.shlink.io/"
SHLINK_URL_REDIRECT="https://app.shlink.io/"

NGINX configuration file (url.subdomain.conf):

## Version 2021/05/18
# make sure that your dns has a cname set for <container_name> and that your <container_name> container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name url.*;

    set $upstream_app shlink;
    set $upstream_port 8080;
    set $upstream_proto http;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Other configurations I did:

• I turned off the main instance of the shlink (running in another VM)
• I configured my pihole instance to point the CNAME Record url.example.com to the VM name, so I didn't have to change it in my domain settings (I usually use a Cloudflare tunnel to allow external access).
• I added my Cloudflare API Key to the swag config file in /data/swag/dns-conf/cloudflare.ini.

To test, I tried to open https://url.example.com in my browser, it should forward me to the https://app.shlink.io/ webpage, but I received the 400 Bad Request instead.

Obs: it's important to mention that I used my real domain during this test.

[acelaya]

I think the issue is somewhere in swags configuration.

I put together a simple example using plain nginx as reverse proxy, over HTTP, and everything works just fine.

version: "3"

services:
  shlink:
    image: shlinkio/shlink:3.6.0
    container_name: shlink
    restart: unless-stopped
    tty: true
    stdin_open: true
    depends_on:
      - mysql
    links:
      - mysql
    environment:
      IS_HTTPS_ENABLED: "true"
      DEFAULT_DOMAIN: ${SHLINK_DOMAIN}
      DB_DRIVER: ${SHLINK_DB_DRIVER}
      DB_NAME: ${SHLINK_DB_NAME}
      DB_USER: ${SHLINK_DB_USER}
      DB_PASSWORD: ${SHLINK_DB_PASSWORD}
      DB_HOST: ${SHLINK_DB_HOST}
      GEOLITE_LICENSE_KEY: ${SHLINK_GEOLITE_KEY}
      DEFAULT_INVALID_SHORT_URL_REDIRECT: ${SHLINK_INVALID_REDIRECT}
      DEFAULT_REGULAR_404_REDIRECT: ${SHLINK_404_REDIRECT}
      DEFAULT_BASE_URL_REDIRECT: ${SHLINK_URL_REDIRECT}

  swag:
    image: "nginx:1.25"
    container_name: swag
    restart: unless-stopped
    tty: true
    stdin_open: true
    ports:
      - "8888:80"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    cap_add:
      - NET_ADMIN
    links:
      - shlink

  mysql:
    image: mysql:latest
    container_name: mysql
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_ROOT_PASSWORD: ${MYSQL_PASSWORD}

# MySQL variables
MYSQL_PATH="/data/mysql"
MYSQL_DATABASE="shlink"
MYSQL_PASSWORD="example-password"

# Shlink variables
SHLINK_DOMAIN="exam.ple"
SHLINK_DB_DRIVER="mysql"
SHLINK_DB_NAME="shlink"
SHLINK_DB_USER="root"
SHLINK_DB_PASSWORD="example-password"
SHLINK_DB_HOST="mysql"
SHLINK_GEOLITE_KEY="example-key"
SHLINK_INVALID_REDIRECT="https://app.shlink.io/"
SHLINK_404_REDIRECT="https://app.shlink.io/"
SHLINK_URL_REDIRECT="https://app.shlink.io/"

server {
    listen 80 default_server;

    client_max_body_size 0;

    location / {
        proxy_pass http://shlink:8080;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

What I find very weird is that you are not getting any error logged in your nginx when it is returning a 400 response, because nginx always logs errors with INFO level.

Make sure there's nothing else preventing nginx logs, as that's the only way to find the root cause.

[gabriel-lando]

Thanks, I created an issue in the swag repository to see if they know anything (linuxserver/docker-swag#379)

[cwldev]

I generally have the same issue, but no real time right now to mess with this.

Running shlinksrv:3.5.2 on Docker fine, all works ok.
Update to shlink:stable and nginx swag drops a "bad request"

NGINX access.log:
72.140.225.251 - - [08/Jun/2023:23:03:18 -0400] "GET /favicon.ico HTTP/2.0" 400 15 "https://go.domain1.com/link" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

Nothing of use in error.log

Messed with a bunch of NGINX changes, but nothing really lead me anywhere. My NGINX config:

#

server {
  listen 80;
  listen [::]:80;
  server_name go.domain1.com;
  #return 301 https://$host$request_uri;
  rewrite ^/(.*)$ https://go.domain1.com$request_uri permanent;
}

server {
  listen 80;
  listen [::]:80;
  server_name go.domain2.com;
  #return 301 https://$host$request_uri;
  rewrite ^/(.*)$ https://go.domain2.com$request_uri permanent;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;


    server_name go.domain1.com go.domain2.com;
    charset utf-8;
    
    include /config/nginx/ssl.conf;

   # client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
 
        proxy_pass http://10.0.0.233:8080/;
       
    }
add_header Strict-Transport-Security "max-age=0; includeSubDomains";
}

I'll see another day. I sense the new version has some sort of new web server and nginx needs to adjust somehow to this.

[acelaya]

The only idea that comes to my mind is trying with docker tag 3.5.4-roadrunner

That version has roadrunner native logs enabled, while v3.6 has them disabled because it introduces a way to log requests consistently between openswoole and roadrunner.

If for any reason, roadrunner is rejecting the request from nginx, causing this 400, maybe we see something different in those logs, that is not present in 3.6, because the request is rejected before triggering any Shlink code.

[cwldev]

That's great.. thanks I'll try tag 3.5.4-roadrunner

I didn't have the time, but I wanted to see what I could gat from the console of my swag container via some curl statements. Maybe the shlink server would respond directly.. I think the server responds to API requests.. just didn't have those details ready.

The only other thing in the mix is a .conf file in swag/nginx that needs an obscure update.

[gabriel-lando]

@acelaya I'm trying right now with 3.5.4-roadrunner to see if I can find anything, but it's not logging any error.

Here we have the end of the docker logs for this image:

{"level":"debug","ts":1686323308.781989,"logger":"jobs","msg":"driver ready","pipeline":"shlink","driver":"memory","start":1686323308.7818823,"elapsed":0.000105801}
{"level":"debug","ts":1686323308.7823586,"logger":"memory","msg":"pipeline was started","driver":"memory","pipeline":"shlink","start":"2023-06-09 15:08:28.782354635 +0000 UTC m=+0.022823098","elapsed":"5.563µs"}
{"level":"debug","ts":1686323308.78278,"logger":"rpc","msg":"plugin was started","address":"tcp://127.0.0.1:6001","list of the plugins with RPC methods:":["app","jobs","informer","resetter"]}
[INFO] RoadRunner server started; version: 2.12.3, buildtime: 2023-02-16T13:08:41+0000
2023-06-09T15:08:28.850Z        DEBUG   server          worker is allocated     {"pid": 31, "internal_event_name": "EventWorkerConstruct"}
2023-06-09T15:08:28.853Z        DEBUG   server          worker is allocated     {"pid": 30, "internal_event_name": "EventWorkerConstruct"}
2023-06-09T15:08:28.919Z        DEBUG   server          worker is allocated     {"pid": 37, "internal_event_name": "EventWorkerConstruct"}
2023-06-09T15:08:28.922Z        DEBUG   server          worker is allocated     {"pid": 36, "internal_event_name": "EventWorkerConstruct"}

If I try to access any URL, it give me a 400 Bad Request, but no log is generated.

[gabriel-lando]

Hi @acelaya I tried to comment out line by line of the /config/nginx/proxy.conf file to find what was causing the issue.
I discovered that the issue is caused by the line proxy_set_header Host $host;.
It sets a header in the request with the $host value (I don't know what's the value of this variable :D ), but it seems that the shlink isn't accepting it

[acelaya]

I also set that when trying with vanila nginx, and it works #1796 (comment)

In fact, that header is important for multi-domain to work properly, so it's needed.

My only guess is that something invalid is being set in $host by swag. Perhaps an empty string, or who knows.

[gabriel-lando]

Hmm that's interesting :D I noticed that I was already setting this Host header in my nginx config file (#1796 (comment))

I removed from my config file and readded in the /config/nginx/proxy.conf and it worked. Maybe swag is setting it twice in case I put the proxy_set_header 2 times.

[gabriel-lando]

Okay, I got it :) When I followed the documentation to put shlink behind a reverse proxy, I copied everything to my swag-nginx file. But swag set all headers for me. When I copied the doc, I duplicated a lot of headers. I don't know what causes the issue, because before it was working :D but after removing all proxy_set_header from my config file, everything worked.