URL encoding issue

acaron nginx-forum at nginx.us
Wed Feb 16 16:41:14 MSK 2011


Hello!

> Hello!
> 
> Some background: nginx does location matching on the
> unescaped URI path.
> So you have unescaped data in your variables.
> 
> And there are two separate issues here:
> 

[...]

> 2. When doing proxy_pass nginx does escape characters which
> aren't valid in URI, but it doesn't escape some chars which
> aren't (like "<", ">", <">).  That's why you see space
> escaped, but not <">.
> 

[ ... ]

> 
> Maxim Dounin
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx

I have a simple setup where I use nginx as a frontend to proxy multiple
other applications (Django, Rails, etc.), some through FastCGI, some
through use of the HTTP reverse proxy.  I'm very satisfied with the
software you guys have come up with, especially after having been
tortured by Apache...

I've recently purchased a business license for http://yuml.me/.  I've
installed it using Mongrel and nginx uses the HTTP reverse-proxy to
delegate requests.  The setup "works" in that I can access the different
pages.  However, all UML diagram URLs are broken and return a "502 --
bad gateway" message.

Entries in the nginx log look like (note the URL in **encoded** form): 

xxx.xxx.xxx.xxx - - [16/Feb/2011:07:50:28 -0500] "GET
/diagram/scruffy/class/%5BC\ustomer%5D%2B1-%3E*%5BOrder%5D%2C%20%5BOrder%5D%2B%2B1-items%20%3E*%5BLineItem%\5D%2C%20%5BOrder%5D-0..1%3E%5BPaymentMethod%5D
HTTP/1.1" 502 173 "-" "Mozilla/5\.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/534.13 (KHTML, like Gecko) C\hrome/9.0.597.98
Safari/534.13"

And the mongrel log for the same query looks like (note the URL in
**decoded** form):

Wed Feb 16 07:50:28 -0500 2011: HTTP parse error, malformed request
(127.0.0.1)\: #
Wed Feb 16 07:50:28 -0500 2011: REQUEST DATA: "GET
/diagram/scruffy/class/[Cust\omer]+1->*[Order],%20[Order]++1-items%20>*[LineItem],%20[Order]-0..1>[PaymentMe\thod]
HTTP/1.0\r\nHost: yuml.eaddrinuse.ca\r\nConnection: close\r\nAccept:
appl\ication/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/\*;q=0.5\r\nUser-Agent:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWeb\Kit/534.13
(KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13\r\nAccept-Encodi\ng:
gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nAccept-Charset:
ISO\-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n"

Here is the entire configuration for this virtual host (note the
proxy_pass directive):

server {
    # virtual host name.
  server_name xxx.xxx.xxx;

    # listening on standard port.
  listen 80;

    # don't require 'sudo' to read log file.
  access_log /home/webserver/www/hosts/yuml/access.log;

    # empty, but still provided for isolation.
  root /home/webserver/www/hosts/yuml/root/;

    # yUML: static files + proxied Ruby on Rails application.
  location /stylesheets/ {
    root /home/webserver/www/hosts/yuml/root/;
  }
  location /images/ {
    root /home/webserver/www/hosts/yuml/root/;
  }
  location /javascripts/ {
    root /home/webserver/www/hosts/yuml/root/;
  }
  location / {
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect false;
    proxy_pass http://127.0.0.1:9001/;
  }
}

As you can see I'm not using any modification whatsoever on the URL
before passing it to the proxy server.  Yet, nginx passes the request
using a remote URL in decoded URL form (thus, a rightfully invalid URL).
According to Maxim's post, I understand this should not be the case.

Is there any documentation supporting the official behavior adopted by
nginx in a reverse proxy + special characters in URL situation?  I
believe this is a (major) bug in the HttpProxy module, as it basically
prevents use of nginx in front of any application that uses special
characters in URLs.  Does anyone know how to handle this issue?

I'm using nginx on debian.  "apt-cache show nginx" gives me the
following version number: "Version: 0.6.32-3+lenny3".

André Caron

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,75231,175754#msg-175754
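
Added example (not part of the original post, and not nginx code): a Python model of the decode-then-partially-re-escape behaviour described in the quoted reply, plus a check for raw characters that RFC 3986 does not allow in a path, which is what a strict backend parser rejects. The re-escape set, the function names and the sample path are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a simplified stand-in for the proxy's re-escape set (space,
# "%", "#", "?", control characters, non-ASCII). The real table is not shown
# on this page; this set only reproduces the symptom seen in the logs.
REESCAPED = set(" %#?") | {chr(c) for c in range(0x20)} | {"\x7f"}

# Characters RFC 3986 allows unescaped in a path: unreserved, sub-delims,
# ":", "@" and the "/" segment separator.
ALLOWED_RAW = r"A-Za-z0-9\-._~!$&'()*+,;=:@/"


def normalize_like_proxy(raw_path):
    """Decode every %XX, then re-escape only the characters in REESCAPED."""
    out = []
    for ch in unquote(raw_path):
        if ch in REESCAPED or ord(ch) > 0x7e:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def invalid_path_chars(path):
    """Return the raw characters in path that RFC 3986 forbids in a path."""
    without_escapes = re.sub(r"%[0-9A-Fa-f]{2}", "", path)
    return sorted(set(re.findall("[^" + ALLOWED_RAW + "]", without_escapes)))


# Constructed sample, modelled on the diagram URL in the access log above.
CLIENT_PATH = ("/diagram/scruffy/class/"
               "%5BCustomer%5D%2B1-%3E*%5BOrder%5D%2C%20%5BOrder%5D")

if __name__ == "__main__":
    forwarded = normalize_like_proxy(CLIENT_PATH)
    print("client sent :", CLIENT_PATH, invalid_path_chars(CLIENT_PATH))
    print("backend gets:", forwarded, invalid_path_chars(forwarded))
```

The client's path is fully valid, while the forwarded form keeps the space escaped but carries raw "[", "]" and ">", matching the pattern in the Mongrel log.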