I am getting wrong response from nginx

Pekka.Panula at sofor.fi Pekka.Panula at sofor.fi
Tue Apr 17 11:43:27 UTC 2012


Hi

I am wondering how does nginx returns wrong content, atleast it seems so. 
I am terminating https addresses to nginx thru my firewall, what does nat 
public ips to nginx to ports 901 and 902 in this case, where nginx is 
configured to wait https connections. 

So when end user hits eg address: https://a.host.com/, firewall does nat 
and sends it to nginx private ip port 901, and https://b.host.com/ goes to 
nginx private ip port 902. 

Some config lines:
http {
    proxy_buffer_size           128k;
    proxy_buffers             4 256k;
    proxy_busy_buffers_size     256k;
    client_max_body_size 50M;
    # DNS resolver
    resolver 213.250.93.67;

   # nginx oma http proxy cache
    proxy_cache_path  /usr/share/nginx/cache  levels=1:2 keys_zone=one:10m 
max_size=1G;
    proxy_temp_path   /usr/share/nginx/tmp;
    proxy_cache_key   "$scheme$host$request_uri$args";
    proxy_cache_use_stale updating error timeout invalid_header http_500 
http_502 http_503 http_504;

   # ---- cache times ---- 
    proxy_cache_valid 200 302 5m;
    proxy_cache_valid 301 1h;
    proxy_cache_valid any 1m;

    proxy_cache one;
    proxy_cache_bypass $http_pragma     $http_authorization 
$cookie_DomAuthSessId   $args;
    proxy_no_cache     $http_pragma     $http_authorization 
$cookie_DomAuthSessId   $args;

   include       mime.types;
   default_type  application/octet-stream;

   gzip_http_version 1.1;
   gzip_vary          on;
   gzip_min_length  1100;
   gzip_buffers     16 8k;
   gzip_disable "MSIE [1-6]\.(?!.*SV1)";
   gzip_proxied     any;
   gzip_types       text/css text/plain application/atom+xml 
application/x-javascript application/xml text/javascript 
application/xml+rss;
   gzip on;

   server_tokens                 off;
   client_header_timeout          3m;
   send_timeout                   3m;
   client_header_buffer_size      8k;
   large_client_header_buffers 4  8k;
   output_buffers              1 32k;
   postpone_output              1460;
   sendfile                       on;
   tcp_nopush                     on;
   tcp_nodelay                    on;
   keepalive_timeout           75 20;
   server_names_hash_bucket_size 256; # this seems to be required for some 
vh

   log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                     '"$status" $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   proxy_redirect        off;
   proxy_set_header      Host             $host;
   proxy_set_header      X-Real-IP        $remote_addr;
   proxy_set_header      X-Forwarded-For  $proxy_add_x_forwarded_for;
   proxy_connect_timeout 120;
   proxy_send_timeout    120;
   proxy_read_timeout    120;

   proxy_set_header      Accept-Encoding   "";
   proxy_pass_header     Set-Cookie;

  # ---- geoip ----- #
   geo $country {
      default no;
      include conf.d/geo.data;
   }

    # catchall
    server {
        listen          80 default;
        server_name     _;

        access_log  /var/log/nginx/default-access.log  main;

        server_name_in_redirect  off;

        location / {
            index index.html;
            root  /var/www/default/htdocs;
        }
   }

   include /etc/nginx/virtual-hosts/*;

}

then here is config file for a.host.com, file: 
/etc/nginx/virtual-hosts/a.host.com

server {
   listen               81.x.y.x:901;
   ssl                  on;
   ssl_certificate      /etc/nginx/ssl/a.crt;
   ssl_certificate_key  /etc/nginx/ssl/a.key;
   ssl_session_timeout  5m;
   ssl_protocols        SSLv3 TLSv1;
   ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers   on;

   # HTTP Strict Transport Security
   add_header Strict-Transport-Security max-age=500;

   proxy_connect_timeout 300;
   proxy_send_timeout    300;
   proxy_read_timeout    300;

   server_name  a.host.com atest.host.com;
   access_log   /logfiles/a.host.com/a.host.com-access_log combined;
   default_type text/html;
   root         /usr/share/nginx/huolto;

   location / {
      proxy_cache off;
      proxy_cache_valid 200 302 0;
      proxy_cache_valid 301 0;
      proxy_cache_valid any 0;
      proxy_set_header ClientProtocol HTTPS;
      proxy_set_header  Accept-Encoding  "";
      proxy_pass http://1.1.1.131;

      # Huoltoikkuna (manuaalinen)
      include /etc/nginx/maintenance.conf;
   }
}

then file: /etc/nginx/virtual-hosts/b.host.com

server {
   listen               81.x.y.x:902;
   ssl                  on;
   ssl_certificate      /etc/nginx/ssl/b.crt;
   ssl_certificate_key  /etc/nginx/ssl/b.key;
   ssl_session_timeout  5m;
   ssl_protocols        SSLv3 TLSv1;
   ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers   on;

   proxy_cache_use_stale off;

   # HTTP Strict Transport Security
   add_header Strict-Transport-Security max-age=500;

   proxy_connect_timeout 300;
   proxy_send_timeout    300;
   proxy_read_timeout    300;

   server_name  b.host.com btest.host.com;
   access_log   /logfiles/b.host.com/b.host.com-access_log combined;
   default_type text/html;
   root         /usr/share/nginx/huolto;

   location / {
      proxy_cache off;
      proxy_cache_valid 200 302 0;
      proxy_cache_valid 301 0;
      proxy_cache_valid any 0;
      proxy_set_header ClientProtocol HTTPS;
      proxy_set_header  Accept-Encoding  "";
      proxy_pass http://1.1.1.131;

   }
}

I have also a wildcard ssl cert, file 
/etc/nginx/virtual-hosts/wildcard.host.com:
ssl_certificate             /etc/nginx/ssl/wildcard.crt;
ssl_certificate_key         /etc/nginx/ssl/wildcard.key;
ssl_session_timeout         5m;
ssl_protocols                   SSLv3 TLSv1;
ssl_ciphers                     RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;
ssl_session_cache           shared:SSL:20m;
server {
        listen       443 default ssl;
        ssl          on;
        server_name  my.default.hostname;
        access_log 
/logfiles/my.default.hostname/my.default.hostname-access_log combined;

        # HTTP Strict Transport Security
        add_header Strict-Transport-Security max-age=500;
 
   location / {

      proxy_cache off;
      proxy_cache_valid 200 302 0;
      proxy_cache_valid 301 0;
      proxy_cache_valid any 0;

      proxy_pass http://1.2.3.4;

      # Huoltoikkuna (manuaalinen)
      include /etc/nginx/maintenance.conf;
   }
}


Now when i do go to address https://b.host.com/, i am getting response 
from a.host.com.

 I am pretty if correct Host header goes to 1.1.1.131 server, it should 
return different content, i have tested it manually using curl, eg:
" curl --verbose --header 'Host: b.host.com' http://1.1.1.131" from nginx 
machine, i will get correct content, but not thru nginx. 
So i am assuming that somehow i am getting wrong content from a.host.com 
or does nginx somehow leave Host header off? 

Notice that i have same proxy_pass in both a.host.com and in b.host.com, 
they resides on same ip and same port (named virtual hosts).
What i am debugged, i can see it goes to b.host.com config block, atleast 
nginx writes to /logfiles/b.host.com/b.host.com-access_log when i do test 
it.

Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 |FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax. +358 
6 432 3555 
Mob. + 358 50 384 3232 | pekka.panula at sofor.fi


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20120417/069885df/attachment-0001.html>


More information about the nginx mailing list