nginx reverse proxy proxy_pass weirdness

nginx reverse proxy proxy_pass weirdness

xrd
I have an nginx reverse proxy to forward requests to various Apache websites
behind it. This all seems to work fine unless I remove one of the proxy_pass
configurations from nginx. Even though I remove it, nginx still forwards the
requests back to Apache to a seemingly random website this time.

I can't seem to get it to stop doing that. Any idea what's going on?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286492,286492#msg-286492

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: nginx reverse proxy proxy_pass weirdness

Francis Daly
On Wed, Dec 18, 2019 at 04:48:33AM -0500, deeztek wrote:

Hi there,

> I have an nginx reverse proxy to forward requests to various Apache websites
> behind it. This all seems to work fine unless I remove one of the proxy_pass
> configurations from nginx. Even though I remove it, nginx still forwards the
> requests back to Apache to a seemingly random website this time.
>
> I can't seem to get it to stop doing that. Any idea what's going on?

The server{} and location{} that you have configured nginx to use for
this request may not be the server{} and location{} that you want nginx
to use for this request.

If you can show the configuration and the request, and say how you want
nginx to handle the request, maybe it will be clear what changes to the
configuration are needed.

Cheers,

        f
--
Francis Daly        [hidden email]

Re: nginx reverse proxy proxy_pass weirdness

xrd
Here's an example config that I use:

server {
        server_name         domain.tld www.domain.tld;
        add_header Strict-Transport-Security "max-age=31536000; preload";
        keepalive_timeout   70;
        #LOGS CONFIG
        access_log /usr/local/nginx/logs/domain.tld/domain.tld_access.log;
        error_log /usr/local/nginx/logs/domain.tld/domain.tld_error.log warn;
        #SSL CONFIG
        ssl_certificate     /etc/nginx/ssl/domain.tld.pem;
        ssl_certificate_key /etc/nginx/ssl/domain.tld.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        proxy_max_temp_file_size 5120m;
        client_max_body_size 5120m;
        #set_real_ip_from 192.168.xx.xx/24;
        #real_ip_header X-Forwarded-For;
        #real_ip_recursive on;
        #LISTEN CONFIG
        include /usr/local/nginx/conf/listen/domain.tld/*.conf;
        #MODSECURITY CONFIG
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/conf/domain.tld_modsecurity.conf;

location / {

  #Set Real IP Headers
  proxy_set_header X-Real-IP  $remote_addr;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header Host $host;

  #proxy_set_header X-Real-IP $remote_addr;
  #proxy_set_header Host $host;
  #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_pass https://webserver02.domain.tld:443;
}

}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286492,286494#msg-286494


Re: nginx reverse proxy proxy_pass weirdness

Francis Daly
On Wed, Dec 18, 2019 at 07:18:32AM -0500, deeztek wrote:

Hi there,

> Here's an example config that I use:

Thanks.

Note that it is possible that the "include" files contain some relevant
config; but we can worry about that if it looks like it is the case.

What request do you make?

What response do you get?

What response do you want to get instead?

        f
--
Francis Daly        [hidden email]

Re: nginx reverse proxy proxy_pass weirdness

xrd
Sorry maybe I am confusing you. The config file that I posted, works fine.
What I request actually responds. So, if I were to request www.domain.tld,
the Apache server behind Nginx responds with the correct website for
www.domain.tld. However, if I were to delete the config file for domain.tld
from nginx and I tried to browse to that domain again, nginx would forward
the request to another (seemingly random?) website on Apache behind it.

I would think, deleting a config from Nginx, it would simply stop forwarding
requests for that config.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286492,286499#msg-286499


Re: nginx reverse proxy proxy_pass weirdness

Francis Daly
On Wed, Dec 18, 2019 at 10:33:44AM -0500, deeztek wrote:

Hi there,

> Sorry maybe I am confusing you. The config file that I posted, works fine.
> What I request actually responds. So, if I were to request www.domain.tld,
> the Apache server behind Nginx responds with the correct website for
> www.domain.tld. However, if I were to delete the config file for domain.tld
> from nginx and I tried to browse to that domain again, nginx would forward
> the request to another (seemingly random?) website on Apache behind it.

Ok, that makes sense to me now, thanks.

You are deleting a full server{} block; not just a single directive
within a server{} block.

http://nginx.org/en/docs/http/request_processing.html has the details
on what nginx is doing.

In short - a request comes in on an ip:port, with a Host header. If
nginx has a listener on that ip:port that handles that Host header,
the matching server{} is used to handle the request. If not, then the
default server for that ip:port handles the request.

You can configure which server is the default_server for this ip:port
on the "listen" line (http://nginx.org/r/listen).

> I would think, deleting a config from Nginx, it would simply stop forwarding
> requests for that config.

Historical reasons / backwards compatibility / overall convenience means
that that isn't what happens by default.

You can configure it to happen on your system, if you want it to, by
configuring your default server for this ip:port explicitly, and having
that server drop the connection, or return 404 or 410, or return useful
content advertising your hosting service.


That is part of the answer to "what response do you want to get instead?".

Cheers,

        f
--
Francis Daly        [hidden email]

Re: nginx reverse proxy proxy_pass weirdness

xrd
okay that explains it. I appreciate that. So, a default config with the
following:

server {
    listen      80 default_server;
    return      444;
}

Should take care of it?

How would I go about doing a default SSL config since it would complain
about the certificate?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286492,286503#msg-286503


Re: nginx reverse proxy proxy_pass weirdness

Francis Daly
On Wed, Dec 18, 2019 at 12:35:22PM -0500, deeztek wrote:

Hi there,

> server {
>     listen      80 default_server;
>     return      444;
> }
>
> Should take care of it?

Yes. (So long as every explicit-or-implicit "listen" directive is
equivalent to "listen 80", which it probably is.)

> How would I go about doing a default SSL config since it would complain
> about the certificate?

Same thing, essentially. What response do you want, for the request?

http://nginx.org/en/docs/http/configuring_https_servers.html

A connection comes to an ip:port.

The TLS handshake from the client includes a SNI name that you have
configured a listener to handle, so your nginx sends the appropriate
certificate; or the handshake does not (because it sends no SNI name, or
it sends a SNI name that you have not configured a listener to handle),
so your nginx sends the certificate associated with the default_server
for that ip:port.

If the client agrees the handshake and sends the request, your nginx
responds the way you configured it to; if the client does not agree the
handshake, they go away without sending the request.

        f
--
Francis Daly        [hidden email]
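
A catch-all configuration along the lines discussed in this thread, as an added example that is not part of any poster's message. It assumes every site listens on the wildcard ports 80 and 443; the certificate paths in option B are placeholders, and ssl_reject_handshake in option A requires nginx 1.19.4 or later.

```nginx
# Added example. Without an explicit default_server, the first server{} defined
# for an ip:port becomes the default, so a request for a deleted site is handled
# by (and proxied through) whichever site happens to be first.

# Plain HTTP: any Host header that no other server{} claims lands here.
server {
    listen      80 default_server;
    server_name _;          # never matches a real name; selection is by default_server
    return      444;        # nginx closes the connection without sending a response
}

# HTTPS, option A (nginx 1.19.4+): refuse the TLS handshake when the SNI name
# is missing or matches no configured server. No certificate is needed, and no
# real site's certificate is presented for an unknown name.
server {
    listen      443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# HTTPS, option B (older versions): use this INSTEAD of option A, since only one
# server{} per ip:port may carry default_server. The client sees a certificate
# warning for the placeholder certificate; if it continues anyway, the request
# is dropped.
#
# server {
#     listen              443 ssl default_server;
#     server_name         _;
#     ssl_certificate     /etc/nginx/ssl/placeholder-selfsigned.pem;   # assumed path
#     ssl_certificate_key /etc/nginx/ssl/placeholder-selfsigned.key;   # assumed path
#     return              444;
# }

# If the real sites use "listen <address>:80" or "listen <address>:443 ssl"
# (for example via included listen/*.conf files), repeat the catch-all
# listen lines for each such address:port. The default server is chosen per
# ip:port, not globally.
```

After reloading, `nginx -T` prints the merged configuration, which shows every listen directive and confirms which server{} carries default_server for each ip:port.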