Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container

Francis Daly francis at daoine.org
Fri May 28 08:00:00 UTC 2021


On Tue, May 25, 2021 at 09:47:47PM +0530, Amila Gunathilaka wrote:

Hi there,

> I'm sorry for taking time to reply to this,  you were so keen about my
> problem. Thank you.

No worries at all -- the mailing list is not an immediate-response medium.

> Actually my problem was when sending *response* to the load balancer from
> the nginx ( not the request, it should be corrected as the *response* in my
> previous email).
> Such as my external load balancer is always doing a health check for my
> nginx port (80) , below is the *response* message in the
> /var/log/nginx/access.log against the health check request coming from
> the external-loadbalancer.

As I understand it, the load balancer is making the request "OPTIONS /"
to nginx, and nginx is responding with a http 405, and you don't want
nginx to do that.

What response do you want nginx to give to the request?

Your config makes it look like nginx is told to proxy_pass the OPTIONS
request to your port 9091 server, so I presume that your port 9091 server
is responding 405 to the OPTIONS request and nginx is passing the response
from the 9091-upstream to the load-balancer client.

Your port 9091 logs or traffic analysis should show that that is the case.

If that is the case, you *could* fix it by telling your 9091-upstream to respond
how you want it to to the "OPTIONS /" request (using its config); or
you could configure nginx to intercept the request and handle it itself,
without proxy_pass'ing it.


The first case would mean that the "health check" is actually testing
the full nginx-to-upstream chain; the second would have it only testing
that nginx is responding.

If you decide that you want nginx to handle this request itself, and to
respond with a http 204, you could add something like

  if ($request_method = "OPTIONS") { return 204; }

inside the "location /" block.

(Strictly: that would tell nginx to handle all "OPTIONS /anything"
requests, not just "OPTIONS /".)

You would not need the error_page directives that you show.


You could instead add a new "location = /" block, and do the OPTIONS
check there; but you would probably also have to duplicate the three
other lines from the "location /" block -- sometimes people prefer
"tidy-looking" configuration over "correctness and probable machine
efficiency". Pick which you like; if you do not measure a difference,
there is not a difference that you care about.

That is, you want either one location:

> server {
>     listen       80;
>     server_name  172.25.234.105;

>     location / {

	if ($request_method = "OPTIONS") { return 204; }

>         proxy_pass http://127.0.0.1:9091;
>         auth_basic "PROMETHEUS PUSHGATEWAY Login Area";
>         auth_basic_user_file /etc/nginx/.htpasswd;
>     }
> }

or two locations:

	location = / {
		if ($request_method = "OPTIONS") { return 204; }
		proxy_pass http://127.0.0.1:9091;
		auth_basic "PROMETHEUS PUSHGATEWAY Login Area";
		auth_basic_user_file /etc/nginx/.htpasswd;
	}

	location / {
		proxy_pass http://127.0.0.1:9091;
		auth_basic "PROMETHEUS PUSHGATEWAY Login Area";
		auth_basic_user_file /etc/nginx/.htpasswd;
	}

(and, if you use the two, you could potentially move the "auth_basic"
and "auth_basic_user_file" outside the "location", to be directly within
"server"; that does depend on what else is in your config file.)

If you want something else in the response to the OPTIONS request,
you can change the "return" response code, or "add_header" and the like.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
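
The two-location variant from the message above, with the auth directives moved to server level and an Allow header on the health-check answer, as an added example that is not part of the original message. The Allow value is an assumption; the addresses and the htpasswd path are the ones from the quoted config.

```nginx
server {
    listen       80;
    server_name  172.25.234.105;

    # Moved up from the location blocks; both locations inherit these.
    auth_basic           "PROMETHEUS PUSHGATEWAY Login Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Exact match: only "/" is handled here, so only "OPTIONS /" is
    # answered by nginx itself.
    location = / {
        if ($request_method = "OPTIONS") {
            # "return" runs in the rewrite phase, before auth_basic is
            # checked, so the load balancer needs no credentials here.
            # Assumed header value; list what the upstream really accepts.
            add_header Allow "GET, POST, PUT, DELETE, OPTIONS";
            return 204;
        }
        proxy_pass http://127.0.0.1:9091;
    }

    # Everything else, including "OPTIONS /anything", still needs a login
    # and is passed to the port 9091 server.
    location / {
        proxy_pass http://127.0.0.1:9091;
    }
}
```

After a reload, `curl -i -X OPTIONS http://172.25.234.105/` without credentials should return 204, while the same request for any other path should return 401.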

