206 Partial Content requests raise/crash ERR_HTTP_TRAILER_INVALID
When piping audio files from S3 through Meteor-Files with interceptDownload() and serve() the server crashed on some files with ERR_HTTP_TRAILER_INVALID from https://github.com/nodejs/node/blob/d01a06a916efd30844e1e0a38e79dc0054fc4451/lib/_http_outgoing.js#L458-L460 (tested on node 12.6.1).
I think the reason for this is that on Status code 206 both Content-Range and Transfer-Encoding are set, and if I am not mistaken they conflict. If I understand the specs correctly those are not allowed to be used together:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Range_requests#Comparison_to_chunked_Transfer-Encoding
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Trailer
```js
case '206':
  headers.Pragma = 'private';
  headers.Trailer = 'expires';
  headers['Transfer-Encoding'] = 'chunked';
  break;
```
https://github.com/VeliovGroup/Meteor-Files/blob/master/server.js#L242-L246
```js
if (!http.response.headersSent) {
  http.response.setHeader('Content-Range', `bytes ${reqRange.start}-${reqRange.end}/${vRef.size}`);
}
```
https://github.com/VeliovGroup/Meteor-Files/blob/master/server.js#L1840
My knowledge of HTTP headers is limited; hopefully this gives you some clues, @dr-dimitru.
My current workaround is to pass my own responseHeaders() without the case 206 part.
Wow really great work @menelike
@dr-dimitru @jankapunkt
I am finally able to reproduce this with https://github.com/VeliovGroup/Meteor-Files/tree/master/demo-simplest-streaming. Run that project, grab the mp3 URL, and run the following (`--http1.0` is important here!):

```
curl http://localhost:3001/cdn/storage/Sounds/foo/original/foo.mp3 -i -H "Range: bytes=0-500" -v --http1.0 > /dev/null
```

=> 💥

while

```
curl http://localhost:3001/cdn/storage/Sounds/foo/original/foo.mp3 -i -H "Range: bytes=0-500" -v --http1.1 > /dev/null
```

does not fail.

This should mean that we can DOS attack Meteor-Files Servers now 🚨. Though I could not crash https://files.veliov.com/ as it enforces HTTP1.1 which modern web proxies should always do nowadays 😅
I think that https://github.com/VeliovGroup/Meteor-Files/blob/master/server.js#L242-L246 needs to cover https://github.com/VeliovGroup/Meteor-Files/blob/master/server.js#L1840 as well and set one of those headers, depending on the request e.g. if range requested or not, or if it is an HTTP1 or HTTP1.1 request.
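
One way to select the headers per request, as the last comment suggests. This is an added example, not part of the thread and not Meteor-Files code: `parseRange` and `framingHeaders` are hypothetical names, and `req` is a plain object mimicking the `httpVersionMajor`, `httpVersionMinor` and `headers` fields of Node's `IncomingMessage`. It also handles suffix, open-ended and unsatisfiable ranges, which goes beyond the single case in the thread.

```javascript
// Added example, not Meteor-Files code. `req` mimics Node's IncomingMessage
// (httpVersionMajor, httpVersionMinor, headers); `size` is the stored file size.

// Parse a single "bytes=" range. Returns {start, end} (inclusive), null to
// ignore the header and serve the whole file, or false if unsatisfiable (416).
function parseRange(header, size) {
  const m = /^bytes=(\d*)-(\d*)$/.exec((header || '').trim());
  if (!m || (m[1] === '' && m[2] === '')) return null; // absent, malformed or multi-range
  if (m[1] === '') {                                   // suffix form: last N bytes
    const n = Number(m[2]);
    return n === 0 || size === 0 ? false : { start: Math.max(size - n, 0), end: size - 1 };
  }
  const start = Number(m[1]);
  if (m[2] !== '' && Number(m[2]) < start) return null; // invalid spec: ignore it
  if (start >= size) return false;
  const end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  return { start, end };
}

// Pick status and framing headers. Chunked encoding and trailers are offered
// only to HTTP/1.1 requests; every other request gets a fixed Content-Length.
function framingHeaders(req, size, trailerName) {
  const range = parseRange(req.headers.range, size);
  if (range === false) {
    return { status: 416, headers: { 'Content-Range': `bytes */${size}` } };
  }
  const start = range ? range.start : 0;
  const end = range ? range.end : size - 1;
  const headers = { 'Accept-Ranges': 'bytes' };
  if (range) headers['Content-Range'] = `bytes ${start}-${end}/${size}`;
  const isHttp11 = req.httpVersionMajor === 1 && req.httpVersionMinor >= 1;
  if (trailerName && isHttp11) {
    headers['Transfer-Encoding'] = 'chunked';
    headers.Trailer = trailerName;
  } else {
    headers['Content-Length'] = String(end - start + 1);
  }
  return { status: range ? 206 : 200, headers, start, end };
}

// Constructed requests matching the two curl invocations in the thread.
const sample = (minor) => ({ httpVersionMajor: 1, httpVersionMinor: minor, headers: { range: 'bytes=0-500' } });
console.log(framingHeaders(sample(0), 1000, 'expires'));
console.log(framingHeaders(sample(1), 1000, 'expires'));
```

The returned `start` and `end` are meant to bound the read stream, so the body length always matches the `Content-Length` sent to HTTP/1.0 clients.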