What does this error message mean, and how do I fix it?
My website has been down since yesterday when all I did was push a new version into production. I hadn’t touched any of the config settings, and my certificates are all valid.
Dockerfile:
ARG RUBY_VERSION=3.3.4
FROM ruby:$RUBY_VERSION-slim as base
# Rack app lives here
WORKDIR /app
# Update gems and bundler
RUN gem update --system --no-document && \
gem install -N bundler
# Throw-away build stage to reduce size of final image
FROM base as build
# Install packages needed to build gems
RUN apt-get update -qq && \
apt-get install --no-install-recommends -y build-essential
# Install application gems
COPY Gemfile* .
RUN bundle install
# Final stage for app image
FROM base
# Run and own the application files as a non-root user for security
RUN useradd ruby --home /app --shell /bin/bash
USER ruby:ruby
# Copy built artifacts: gems, application
COPY --from=build /usr/local/bundle /usr/local/bundle
COPY --from=build --chown=ruby:ruby /app /app
# Copy application code
COPY --chown=ruby:ruby . .
# Start the server
EXPOSE 8080
CMD ["bundle", "exec", "rackup", "--host", "0.0.0.0", "--port", "8080"]
That’s likely a client sending an HTTP request with incorrect Host header.
When the proxy is doing http → https redirect it needs to parse the Host header to extract the original authority. If the authority (Host) can’t be parsed, e.g. has some characters that are not supposed to be there, the proxy will reply with “400 Bad Request” and drop this message into logs.
Thank you @pavel. The proxy certainly didn’t have problems doing the http → https redirect prior to the last deployment. Like I mentioned before, none of my configuration settings were changed between the last deployment and the one before.
Any tips on fixing the issue?
Here’s the output of curl inspecting the Host header:
That’s 403 Forbidden, not 400 Bad Request.
I’ve just tried to send a GET request to some random path on https://fullstackplus.tech/ and I see in the logs that your app replies with 403 Forbidden:
The error is caused by the addition of explicit Host Authorization handling in Sinatra 4.1.0. It is implemented as a Rack middleware, bundled with rack-protection, but not exposed as a default nor opt-in protection:
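To make the mechanism behind that 403 concrete, here is an added example (not the rack-protection or Sinatra source, and not code from anyone in this thread): a simplified Rack-style host-authorization middleware in plain Ruby. It checks the `Host` header a request arrives with against an allow-list and answers `403 Forbidden` for anything else, which is exactly the behaviour a host check produces when a proxy, health check, or client presents a hostname, IP literal, or port combination the app was not told to accept. The middleware name `HostAuthorization`, the wrapped app, the helper `status_for`, and the permitted-host list are all constructed here; `fullstackplus.tech` is the hostname from the thread.

```ruby
# Added example: a minimal host-authorization middleware in the Rack style.
# This is a simplified reimplementation written for illustration, NOT the
# Rack::Protection::HostAuthorization code that Sinatra 4.1 bundles.
class HostAuthorization
  FORBIDDEN_BODY = "Host not permitted".freeze

  # permitted_hosts: exact names ("example.com") or leading-dot suffixes
  # (".example.com" matches example.com and every subdomain of it).
  def initialize(app, permitted_hosts:)
    @app = app
    @permitted = permitted_hosts.map(&:downcase)
  end

  # Rack entry point: pass the request through or reply 403.
  def call(env)
    host = request_host(env)
    if host && permitted?(host)
      @app.call(env)
    else
      [403, { "content-type" => "text/plain" }, [FORBIDDEN_BODY]]
    end
  end

  # Extract the authority the client sent, minus the port. Prefers HTTP_HOST
  # (the Host header) and falls back to SERVER_NAME, as Rack itself does.
  def request_host(env)
    raw = env["HTTP_HOST"] || env["SERVER_NAME"]
    return nil if raw.nil? || raw.empty?

    host = raw.strip.downcase.sub(/:\d+\z/, "") # drop ":port", keep "[v6]"
    # Only a plausible hostname or bracketed IPv6 literal is considered;
    # anything else is treated as unparseable and therefore not permitted.
    return nil unless host.match?(/\A(\[[0-9a-f:.]+\]|[a-z0-9.-]+)\z/)

    host
  end

  def permitted?(host)
    @permitted.any? do |rule|
      if rule.start_with?(".")
        host == rule[1..] || host.end_with?(rule)
      else
        host == rule
      end
    end
  end
end

# Constructed stand-in for the application the middleware protects.
APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

# Build the stack for a given allow-list and return the status code the
# constructed request (GET / with the given Host header) would receive.
def status_for(host_header, permitted_hosts: ["fullstackplus.tech", ".fullstackplus.tech"])
  stack = HostAuthorization.new(APP, permitted_hosts: permitted_hosts)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "HTTP_HOST" => host_header }
  stack.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for("fullstackplus.tech")          # 200: exact match
  puts status_for("www.fullstackplus.tech:443")  # 200: subdomain rule, port ignored
  puts status_for("172.19.0.2:8080")             # 403: IP literal not on the list
  puts status_for("fullstackplus.tech.example")  # 403: different domain
end
```

The practical lesson is that once such a check is active, every path by which a request reaches the app must present a permitted `Host`: the public hostname, plus any internal address a proxy or health check uses. In Sinatra 4.1 the corresponding setting is `host_authorization` with a `permitted_hosts` list; the app above shows the same exact-match and leading-dot-suffix rules.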