No CORS Workaround - SSL Proxy

Eric Swenson eswenson at intertrust.com
Fri Jun 20 19:32:36 UTC 2014


We run an API web service and have two web sites that access the web service via AJAX. The web sites are accessed via HTTPS and, for security reasons, we need to have the API web service also accessed by HTTPS.  Due to the need to support the IE9 browser, which does not properly support CORS, we are unable to have the web applications on our web servers configured to access the API web service through a different hostname than the hostnames of the two web sites.  Consequently, we trick IE9 into thinking the origin host (web site) and destination host (API service) are on the same host and proxy requests from the web sites to the web service via proxy_pass.  Unfortunately, since the API web service must be accessed by HTTPS, nginx has to establish an SSL session with the API web service, because we cannot proxy to HTTP.  Our config looks something like this — for simplicity I only show one of the web sites' nginx config.

    server {
        listen       443;
        server_name  app.example.com;     # this is the web application
        server_tokens off;

        ssl                  on;
        ssl_certificate      cert.pem;
        ssl_certificate_key  cert.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        # this URL pattern is interpreted as meaning: forward the request to the web service running on another host
        location /svc/api/ {
            proxy_pass https://svc.example.com/api/;   # this is the web service running on another host
            proxy_set_header Host svc.example.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }

        location / {
            # normal web site access here
        }
        …
    }

This works fine.  However, every once in a while (say, every week or so), traffic to https://app.example.com/svc/api/xxxx returns gateway 502 errors.  The API service (located at https://svc.example.com/api) is working fine and is accessible directly.  However, through the proxy setup (above), nginx will not pass traffic.  Simply restarting nginx gets it working again for another week or so, only to have it get into the same state again some random interval later.

Does anyone have any ideas what might be causing nginx to fail to proxy traffic when no changes to the configuration have been made and the backend service is functioning normally?

Since I anticipate some will want to tell me that proxying to HTTPS is a bad idea, please realize we do not have the luxury of talking to the backend service (which lives on the Internet and is accessed by multiple parties) via HTTP.  Also, yes, I realize that the proxy_set_header stuff probably has no useful effect with HTTPS proxying.

Thanks much in advance.  — Eric
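As an added example (not part of Eric's message or nginx's documentation for his setup), here is the same /svc/api/ location with the upstream-side TLS settings a reviewer would expect when nginx proxies to an HTTPS backend: the backend certificate is verified against a CA bundle, SNI is sent, and the backend hostname is re-resolved at request time rather than once at startup, so a changed backend address does not require a restart. The proxy_ssl_* directives and the resolver behaviour are nginx's own (nginx 1.7.0 or later); the CA bundle path and the resolver address are placeholders.

```nginx
# Added example, not the original poster's config. Assumes nginx >= 1.7.0.
# /etc/ssl/certs/ca-bundle.pem and 127.0.0.1 are placeholders.
location /svc/api/ {
    # Resolve svc.example.com per request (cached 30s) instead of once at
    # config load; a static proxy_pass hostname is only resolved at startup.
    resolver 127.0.0.1 valid=30s;

    # A hostname held in a variable forces runtime resolution via the resolver.
    set $api_backend svc.example.com;

    # With a variable in proxy_pass nginx does not strip the location prefix,
    # so map /svc/api/... onto the backend's /api/... path explicitly.
    rewrite ^/svc/api/(.*)$ /api/$1 break;
    proxy_pass https://$api_backend;

    # Send SNI and verify the backend certificate chain and name; a bad or
    # expired backend cert then shows up as a logged 502 rather than being
    # silently trusted.
    proxy_ssl_server_name on;
    proxy_ssl_name        svc.example.com;
    proxy_ssl_verify      on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.pem;

    # Limit the upstream handshake to TLS and strong ciphers (no SSLv3).
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

    proxy_set_header Host svc.example.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
}
```

When a 502 recurs, the first place to look is the nginx error log for the upstream-side failure (handshake, certificate verification or name resolution), since with proxy_ssl_verify on the reason is logged explicitly.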


