We’re suddenly seeing a number of HTTP 400 errors on new-reg requests to the v1 API.
Request body (pre-JWS): {"resource":"new-reg"}
Response headers (400 Bad Request):
Date: Tue, 24 Sep 2019 13:44:29 GMT
Server: nginx
Connection: close
Content-length: 150
Content-type: text/html
Response body:
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>
This was from IPv4 184.94.197.2, but it’s happening on many of our servers (and our clients’ servers).
Please advise? We haven’t changed our implementation. This problem didn’t appear until last night, a few hours after we received notice of the recent CDN change.
HTTP was originally designed to be usable as an interface to
distributed object systems. The request method was envisioned as
applying semantics to a target resource in much the same way as
invoking a defined method on an identified object would apply
semantics. The method token is case-sensitive because it might be
used as a gateway to object-based systems with case-sensitive method
names.
A side-effect of the API CDN switch from Akamai to CloudFlare is that Akamai can no longer rewrite the request methods from lowercase to uppercase. I've not found explicit documentation that Akamai was doing that, but given your report I feel like there's a pretty good chance that it was happening. Our loadbalancer should be properly following these RFCs and rejecting the lowercase methods post, get, head, etc per https://github.com/nginx/nginx/blob/master/src/http/ngx_http_core_module.c#L4329-L4345.