<font size=2 face="sans-serif">Hi</font>
<br>
<br><font size=2 face="sans-serif">I am wondering how nginx returns wrong content, at least it seems so. </font>
<br><font size=2 face="sans-serif">I am terminating HTTPS addresses at nginx through my firewall, which NATs the public IPs to nginx on ports 901 and 902 in this case, where nginx is configured to wait for HTTPS connections. </font>
<br>
<br><font size=2 face="sans-serif">So when an end user hits e.g. the address </font><a href=https://a.host.com/><font size=2 face="sans-serif">https://a.host.com/</font></a><font size=2 face="sans-serif">, the firewall does NAT and sends it to the nginx private IP, port 901, and </font><a href=https://b.host.com/><font size=2 face="sans-serif">https://b.host.com/</font></a><font size=2 face="sans-serif"> goes to the nginx private IP, port 902. </font>
<br>
<br><font size=2 face="sans-serif">Some config lines:</font>
<br><tt><font size=2>http {</font></tt>
<br><tt><font size=2> proxy_buffer_size 128k;</font></tt>
<br><tt><font size=2> proxy_buffers 4 256k;</font></tt>
<br><tt><font size=2> proxy_busy_buffers_size 256k;</font></tt>
<br><tt><font size=2> client_max_body_size 50M;</font></tt>
<br><tt><font size=2> # DNS resolver</font></tt>
<br><tt><font size=2> resolver 213.250.93.67;</font></tt>
<br>
<br><tt><font size=2> # nginx's own http proxy cache</font></tt>
<br><tt><font size=2> proxy_cache_path /usr/share/nginx/cache levels=1:2 keys_zone=one:10m max_size=1G;</font></tt>
<br><tt><font size=2> proxy_temp_path /usr/share/nginx/tmp;</font></tt>
<br><tt><font size=2> proxy_cache_key "$scheme$host$request_uri$args";</font></tt>
<br><tt><font size=2> proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;</font></tt>
<br>
<br><tt><font size=2> # ---- cache times ---- </font></tt>
<br><tt><font size=2> proxy_cache_valid 200 302 5m;</font></tt>
<br><tt><font size=2> proxy_cache_valid 301 1h;</font></tt>
<br><tt><font size=2> proxy_cache_valid any 1m;</font></tt>
<br>
<br><tt><font size=2> proxy_cache one;</font></tt>
<br><tt><font size=2> proxy_cache_bypass $http_pragma $http_authorization $cookie_DomAuthSessId $args;</font></tt>
<br><tt><font size=2> proxy_no_cache $http_pragma $http_authorization $cookie_DomAuthSessId $args;</font></tt>
<br>
<br><tt><font size=2> include mime.types;</font></tt>
<br><tt><font size=2> default_type application/octet-stream;</font></tt>
<br>
<br><tt><font size=2> gzip_http_version 1.1;</font></tt>
<br><tt><font size=2> gzip_vary on;</font></tt>
<br><tt><font size=2> gzip_min_length 1100;</font></tt>
<br><tt><font size=2> gzip_buffers 16 8k;</font></tt>
<br><tt><font size=2> gzip_disable "MSIE [1-6]\.(?!.*SV1)";</font></tt>
<br><tt><font size=2> gzip_proxied any;</font></tt>
<br><tt><font size=2> gzip_types text/css text/plain application/atom+xml application/x-javascript application/xml text/javascript application/xml+rss;</font></tt>
<br><tt><font size=2> gzip on;</font></tt>
<br>
<br><tt><font size=2> server_tokens off;</font></tt>
<br><tt><font size=2> client_header_timeout 3m;</font></tt>
<br><tt><font size=2> send_timeout 3m;</font></tt>
<br><tt><font size=2> client_header_buffer_size 8k;</font></tt>
<br><tt><font size=2> large_client_header_buffers 4 8k;</font></tt>
<br><tt><font size=2> output_buffers 1 32k;</font></tt>
<br><tt><font size=2> postpone_output 1460;</font></tt>
<br><tt><font size=2> sendfile on;</font></tt>
<br><tt><font size=2> tcp_nopush on;</font></tt>
<br><tt><font size=2> tcp_nodelay on;</font></tt>
<br><tt><font size=2> keepalive_timeout 75 20;</font></tt>
<br><tt><font size=2> server_names_hash_bucket_size 256; # this seems to be required for some vh</font></tt>
<br>
<br><tt><font size=2> log_format main '$remote_addr - $remote_user [$time_local] $request '</font></tt>
<br><tt><font size=2> '"$status" $body_bytes_sent "$http_referer" '</font></tt>
<br><tt><font size=2> '"$http_user_agent" "$http_x_forwarded_for"';</font></tt>
<br>
<br><tt><font size=2> proxy_redirect off;</font></tt>
<br><tt><font size=2> proxy_set_header Host $host;</font></tt>
<br><tt><font size=2> proxy_set_header X-Real-IP $remote_addr;</font></tt>
<br><tt><font size=2> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</font></tt>
<br><tt><font size=2> proxy_connect_timeout 120;</font></tt>
<br><tt><font size=2> proxy_send_timeout 120;</font></tt>
<br><tt><font size=2> proxy_read_timeout 120;</font></tt>
<br>
<br><tt><font size=2> proxy_set_header Accept-Encoding "";</font></tt>
<br><tt><font size=2> proxy_pass_header Set-Cookie;</font></tt>
<br>
<br><tt><font size=2> # ---- geoip ----- #</font></tt>
<br><tt><font size=2> geo $country {</font></tt>
<br><tt><font size=2> default no;</font></tt>
<br><tt><font size=2> include conf.d/geo.data;</font></tt>
<br><tt><font size=2> }</font></tt>
<br>
<br><tt><font size=2> # catchall</font></tt>
<br><tt><font size=2> server {</font></tt>
<br><tt><font size=2> listen 80 default;</font></tt>
<br><tt><font size=2> server_name _;</font></tt>
<br>
<br><tt><font size=2> access_log /var/log/nginx/default-access.log main;</font></tt>
<br>
<br><tt><font size=2> server_name_in_redirect off;</font></tt>
<br>
<br><tt><font size=2> location / {</font></tt>
<br><tt><font size=2> index index.html;</font></tt>
<br><tt><font size=2> root /var/www/default/htdocs;</font></tt>
<br><tt><font size=2> }</font></tt>
<br><tt><font size=2> }</font></tt>
<br>
<br><tt><font size=2> include /etc/nginx/virtual-hosts/*;</font></tt>
<br>
<br><tt><font size=2>}</font></tt>
<br>
<br><font size=2 face="sans-serif">Then here is the config file for a.host.com, file: /etc/nginx/virtual-hosts/a.host.com</font>
<br>
<br><tt><font size=2>server {</font></tt>
<br><tt><font size=2> listen 81.x.y.x:901;</font></tt>
<br><tt><font size=2> ssl on;</font></tt>
<br><tt><font size=2> ssl_certificate /etc/nginx/ssl/a.crt;</font></tt>
<br><tt><font size=2> ssl_certificate_key /etc/nginx/ssl/a.key;</font></tt>
<br><tt><font size=2> ssl_session_timeout 5m;</font></tt>
<br><tt><font size=2> ssl_protocols SSLv3 TLSv1;</font></tt>
<br><tt><font size=2> ssl_ciphers RC4:HIGH:!aNULL:!MD5;</font></tt>
<br><tt><font size=2> ssl_prefer_server_ciphers on;</font></tt>
<br>
<br><tt><font size=2> # HTTP Strict Transport Security</font></tt>
<br><tt><font size=2> add_header Strict-Transport-Security max-age=500;</font></tt>
<br>
<br><tt><font size=2> proxy_connect_timeout 300;</font></tt>
<br><tt><font size=2> proxy_send_timeout 300;</font></tt>
<br><tt><font size=2> proxy_read_timeout 300;</font></tt>
<br>
<br><tt><font size=2> server_name a.host.com atest.host.com;</font></tt>
<br><tt><font size=2> access_log /logfiles/a.host.com/a.host.com-access_log combined;</font></tt>
<br><tt><font size=2> default_type text/html;</font></tt>
<br><tt><font size=2> root /usr/share/nginx/huolto;</font></tt>
<br>
<br><tt><font size=2> location / {</font></tt>
<br><tt><font size=2> proxy_cache off;</font></tt>
<br><tt><font size=2> proxy_cache_valid 200 302 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid 301 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid any 0;</font></tt>
<br><tt><font size=2> proxy_set_header ClientProtocol HTTPS;</font></tt>
<br><tt><font size=2> proxy_set_header Accept-Encoding "";</font></tt>
<br><tt><font size=2> proxy_pass http://1.1.1.131;</font></tt>
<br>
<br><tt><font size=2> # Maintenance window (manual)</font></tt>
<br><tt><font size=2> include /etc/nginx/maintenance.conf;</font></tt>
<br><tt><font size=2> }</font></tt>
<br><tt><font size=2>}</font></tt>
<br>
<br><font size=2 face="sans-serif">Then the file /etc/nginx/virtual-hosts/b.host.com:</font>
<br>
<br><tt><font size=2>server {</font></tt>
<br><tt><font size=2> listen 81.x.y.x:902;</font></tt>
<br><tt><font size=2> ssl on;</font></tt>
<br><tt><font size=2> ssl_certificate /etc/nginx/ssl/b.crt;</font></tt>
<br><tt><font size=2> ssl_certificate_key /etc/nginx/ssl/b.key;</font></tt>
<br><tt><font size=2> ssl_session_timeout 5m;</font></tt>
<br><tt><font size=2> ssl_protocols SSLv3 TLSv1;</font></tt>
<br><tt><font size=2> ssl_ciphers RC4:HIGH:!aNULL:!MD5;</font></tt>
<br><tt><font size=2> ssl_prefer_server_ciphers on;</font></tt>
<br>
<br><tt><font size=2> proxy_cache_use_stale off;</font></tt>
<br>
<br><tt><font size=2> # HTTP Strict Transport Security</font></tt>
<br><tt><font size=2> add_header Strict-Transport-Security max-age=500;</font></tt>
<br>
<br><tt><font size=2> proxy_connect_timeout 300;</font></tt>
<br><tt><font size=2> proxy_send_timeout 300;</font></tt>
<br><tt><font size=2> proxy_read_timeout 300;</font></tt>
<br>
<br><tt><font size=2> server_name b.host.com btest.host.com;</font></tt>
<br><tt><font size=2> access_log /logfiles/b.host.com/b.host.com-access_log combined;</font></tt>
<br><tt><font size=2> default_type text/html;</font></tt>
<br><tt><font size=2> root /usr/share/nginx/huolto;</font></tt>
<br>
<br><tt><font size=2> location / {</font></tt>
<br><tt><font size=2> proxy_cache off;</font></tt>
<br><tt><font size=2> proxy_cache_valid 200 302 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid 301 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid any 0;</font></tt>
<br><tt><font size=2> proxy_set_header ClientProtocol HTTPS;</font></tt>
<br><tt><font size=2> proxy_set_header Accept-Encoding "";</font></tt>
<br><tt><font size=2> proxy_pass http://1.1.1.131;</font></tt>
<br>
<br><tt><font size=2> }</font></tt>
<br><tt><font size=2>}</font></tt>
<br>
<br><font size=2 face="sans-serif">I also have a wildcard SSL cert, file /etc/nginx/virtual-hosts/wildcard.host.com:</font>
<br><tt><font size=2>ssl_certificate /etc/nginx/ssl/wildcard.crt;</font></tt>
<br><tt><font size=2>ssl_certificate_key /etc/nginx/ssl/wildcard.key;</font></tt>
<br><tt><font size=2>ssl_session_timeout 5m;</font></tt>
<br><tt><font size=2>ssl_protocols SSLv3 TLSv1;</font></tt>
<br><tt><font size=2>ssl_ciphers RC4:HIGH:!aNULL:!MD5;</font></tt>
<br><tt><font size=2>ssl_prefer_server_ciphers on;</font></tt>
<br><tt><font size=2>ssl_session_cache shared:SSL:20m;</font></tt>
<br><tt><font size=2>server {</font></tt>
<br><tt><font size=2> listen 443 default ssl;</font></tt>
<br><tt><font size=2> ssl on;</font></tt>
<br><tt><font size=2> server_name my.default.hostname;</font></tt>
<br><tt><font size=2> access_log /logfiles/my.default.hostname/my.default.hostname-access_log combined;</font></tt>
<br>
<br><tt><font size=2> # HTTP Strict Transport Security</font></tt>
<br><tt><font size=2> add_header Strict-Transport-Security max-age=500;</font></tt>
<br>
<br><tt><font size=2> location / {</font></tt>
<br>
<br><tt><font size=2> proxy_cache off;</font></tt>
<br><tt><font size=2> proxy_cache_valid 200 302 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid 301 0;</font></tt>
<br><tt><font size=2> proxy_cache_valid any 0;</font></tt>
<br>
<br><tt><font size=2> proxy_pass http://1.2.3.4;</font></tt>
<br>
<br><tt><font size=2> # Maintenance window (manual)</font></tt>
<br><tt><font size=2> include /etc/nginx/maintenance.conf;</font></tt>
<br><tt><font size=2> }</font></tt>
<br><tt><font size=2>}</font></tt>
<br>
<br>
<br><font size=2 face="sans-serif">Now when I go to the address </font><a href=https://b.host.com/><font size=2 face="sans-serif">https://b.host.com/</font></a><font size=2 face="sans-serif">, I get the response from a.host.com.</font>
<br>
<br><font size=2 face="sans-serif">I am pretty sure that if the correct Host header goes to the 1.1.1.131 server, it should return different content; I have tested it manually using curl, e.g.:</font>
<br><tt><font size=2>curl --verbose --header 'Host: b.host.com' http://1.1.1.131</font></tt>
<br><font size=2 face="sans-serif">From the nginx machine I get the correct content, but not through nginx. </font>
<br><font size=2 face="sans-serif">So I am assuming that somehow I am getting the wrong content from a.host.com, or does nginx somehow leave the Host header off? </font>
<br>
<br><font size=2 face="sans-serif">Notice that I have the same proxy_pass in both a.host.com and b.host.com; they reside on the same IP and the same port (named virtual hosts).</font>
<br><font size=2 face="sans-serif">From what I have debugged, I can see it goes to the b.host.com config block; at least nginx writes to </font><tt><font size=2>/logfiles/b.host.com/b.host.com-access_log</font></tt><font size=2 face="sans-serif"> when I test it.</font>
<br>
<br>
<hr><font size=2 color=#2222c0 face="sans-serif">Pekka Panula |</font><font size=1 color=#2222c0 face="sans-serif">
Jatkuvat palvelut | Sofor Oy | </font><a href=http://www.sofor.fi/><font size=1 color=#2222c0 face="Verdana"><u>www.sofor.fi</u></font></a>
<br><font size=1 color=#2222c0 face="Verdana">Takakaarre 3 | PL 51 |FIN-62201
KAUHAVA | tel. +358 6 432 3111 | fax. +358 6 432 3555 </font>
<br><font size=1 color=#2222c0 face="Verdana">Mob. + 358 50 384 3232 |
pekka.panula@sofor.fi</font>
<br>
<br><font size=2 face="sans-serif"><br>
</font>
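<br>
<br><font size=2 face="sans-serif">Added example (not from this post and not nginx's own code): a small Python walker that applies nginx's documented inheritance rule for proxy_set_header and reports which Host header each proxied location will actually send upstream. proxy_set_header lines are inherited from the enclosing level only when the current level defines none of its own, and when no Host line applies nginx sends $proxy_host, i.e. the host taken from proxy_pass. The config it walks is constructed for the example; it repeats the shape of the b.host.com location above and adds bfixed.host.com, a hypothetical name for a corrected server block.</font>
<br>

```python
"""Effective proxy_set_header resolver for nginx configs.

Added example, not taken from the post or from nginx. It implements the
inheritance rule from the ngx_http_proxy_module documentation: a level that
defines any proxy_set_header replaces the whole inherited set, and a missing
Host line means nginx sends "Host: $proxy_host" (host[:port] from proxy_pass).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Block:
    name: str                      # "http", "server", "location /"
    parent: "Block | None" = None
    directives: list = field(default_factory=list)   # (name, [args...])
    children: list = field(default_factory=list)


# comment | double-quoted | single-quoted | punctuation | bare word
_TOKEN = re.compile(
    r'\s*(#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\'#]+)'
)


def tokenize(text):
    """Yield nginx config tokens; comments are dropped and quotes stripped."""
    pos = 0
    while (m := _TOKEN.match(text, pos)):
        pos = m.end()
        tok = m.group(1)
        if tok.startswith("#"):
            continue
        if tok[0] in "\"'":
            tok = tok[1:-1]
        yield tok


def parse(text):
    """Build a tree of Blocks (root is the implicit main context)."""
    root = cur = Block("main")
    args = []
    for tok in tokenize(text):
        if tok == "{":
            cur = Block(" ".join(args), parent=cur)
            cur.parent.children.append(cur)
            args = []
        elif tok == "}":
            cur = cur.parent or root
            args = []
        elif tok == ";":
            if args:
                cur.directives.append((args[0], args[1:]))
            args = []
        else:
            args.append(tok)
    return root


def effective_set_headers(block):
    """The nearest level (this block or an ancestor) that defines any
    proxy_set_header supplies the entire set; nothing is merged across levels."""
    b = block
    while b is not None:
        own = {a[0]: " ".join(a[1:]) for n, a in b.directives if n == "proxy_set_header"}
        if own:
            return own
        b = b.parent
    return {}


def upstream_host(block, target):
    """Host header value the upstream at `target` receives from this block."""
    host = effective_set_headers(block).get("Host", "$proxy_host")
    if host == "$proxy_host":            # nginx default: host[:port] from proxy_pass
        host = urlparse(target).netloc
    return host


def audit(text):
    """Map 'server_name location' -> (proxy_pass target, Host sent upstream)."""
    findings = {}

    def walk(b):
        targets = [a[0] for n, a in b.directives if n == "proxy_pass"]
        if targets and b.name.startswith("location"):
            names = next((a for n, a in b.parent.directives if n == "server_name"), ["?"])
            findings[f"{names[0]} {b.name}"] = (targets[-1], upstream_host(b, targets[-1]))
        for c in b.children:
            walk(c)

    walk(parse(text))
    return findings


# Constructed sample: the first server mirrors the b.host.com block from the post,
# the second (bfixed.host.com, hypothetical) restates Host inside the location.
SAMPLE = """
http {
    proxy_set_header Host $host;                  # http level, as in the post
    proxy_set_header X-Real-IP $remote_addr;
    server {
        listen 81.0.0.1:902 ssl;
        server_name b.host.com;
        location / {
            # any proxy_set_header here discards the http-level set, Host included
            proxy_set_header ClientProtocol HTTPS;
            proxy_set_header Accept-Encoding "";
            proxy_pass http://1.1.1.131;
        }
    }
    server {
        listen 81.0.0.1:903 ssl;
        server_name bfixed.host.com;
        location / {
            proxy_set_header Host $host;          # restated at this level, so it applies
            proxy_set_header ClientProtocol HTTPS;
            proxy_set_header Accept-Encoding "";
            proxy_pass http://1.1.1.131;
        }
    }
}
"""

if __name__ == "__main__":
    for where, (target, host) in audit(SAMPLE).items():
        note = "  (same as proxy_pass host: upstream falls back to its default vhost)" \
            if host == urlparse(target).netloc else ""
        print(f"{where}: proxy_pass {target}, Host: {host}{note}")
```

<br><font size=2 face="sans-serif">Run as a script it prints the two locations side by side: the block shaped like b.host.com above sends 1.1.1.131 as the Host, so a name-based backend answers with whatever vhost it serves by default, while the corrected block sends $host. The direct confirmation on a live system is the Host value recorded in the backend's access log for a request made through nginx.</font>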