I am getting wrong response from nginx
Pekka.Panula at sofor.fi
Pekka.Panula at sofor.fi
Tue Apr 17 11:43:27 UTC 2012
Hi
I am wondering how does nginx returns wrong content, atleast it seems so.
I am terminating https addresses to nginx thru my firewall, what does nat
public ips to nginx to ports 901 and 902 in this case, where nginx is
configured to wait https connections.
So when end user hits eg address: https://a.host.com/, firewall does nat
and sends it to nginx private ip port 901, and https://b.host.com/ goes to
nginx private ip port 902.
Some config lines:
http {
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 50M;
# DNS resolver
resolver 213.250.93.67;
# nginx oma http proxy cache
proxy_cache_path /usr/share/nginx/cache levels=1:2 keys_zone=one:10m
max_size=1G;
proxy_temp_path /usr/share/nginx/tmp;
proxy_cache_key "$scheme$host$request_uri$args";
proxy_cache_use_stale updating error timeout invalid_header http_500
http_502 http_503 http_504;
# ---- cache times ----
proxy_cache_valid 200 302 5m;
proxy_cache_valid 301 1h;
proxy_cache_valid any 1m;
proxy_cache one;
proxy_cache_bypass $http_pragma $http_authorization
$cookie_DomAuthSessId $args;
proxy_no_cache $http_pragma $http_authorization
$cookie_DomAuthSessId $args;
include mime.types;
default_type application/octet-stream;
gzip_http_version 1.1;
gzip_vary on;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_types text/css text/plain application/atom+xml
application/x-javascript application/xml text/javascript
application/xml+rss;
gzip on;
server_tokens off;
client_header_timeout 3m;
send_timeout 3m;
client_header_buffer_size 8k;
large_client_header_buffers 4 8k;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
server_names_hash_bucket_size 256; # this seems to be required for some
vh
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 120;
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_set_header Accept-Encoding "";
proxy_pass_header Set-Cookie;
# ---- geoip ----- #
geo $country {
default no;
include conf.d/geo.data;
}
# catchall
server {
listen 80 default;
server_name _;
access_log /var/log/nginx/default-access.log main;
server_name_in_redirect off;
location / {
index index.html;
root /var/www/default/htdocs;
}
}
include /etc/nginx/virtual-hosts/*;
}
then here is config file for a.host.com, file:
/etc/nginx/virtual-hosts/a.host.com
server {
listen 81.x.y.x:901;
ssl on;
ssl_certificate /etc/nginx/ssl/a.crt;
ssl_certificate_key /etc/nginx/ssl/a.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# HTTP Strict Transport Security
add_header Strict-Transport-Security max-age=500;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
server_name a.host.com atest.host.com;
access_log /logfiles/a.host.com/a.host.com-access_log combined;
default_type text/html;
root /usr/share/nginx/huolto;
location / {
proxy_cache off;
proxy_cache_valid 200 302 0;
proxy_cache_valid 301 0;
proxy_cache_valid any 0;
proxy_set_header ClientProtocol HTTPS;
proxy_set_header Accept-Encoding "";
proxy_pass http://1.1.1.131;
# Huoltoikkuna (manuaalinen)
include /etc/nginx/maintenance.conf;
}
}
then file: /etc/nginx/virtual-hosts/b.host.com
server {
listen 81.x.y.x:902;
ssl on;
ssl_certificate /etc/nginx/ssl/b.crt;
ssl_certificate_key /etc/nginx/ssl/b.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
proxy_cache_use_stale off;
# HTTP Strict Transport Security
add_header Strict-Transport-Security max-age=500;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
server_name b.host.com btest.host.com;
access_log /logfiles/b.host.com/b.host.com-access_log combined;
default_type text/html;
root /usr/share/nginx/huolto;
location / {
proxy_cache off;
proxy_cache_valid 200 302 0;
proxy_cache_valid 301 0;
proxy_cache_valid any 0;
proxy_set_header ClientProtocol HTTPS;
proxy_set_header Accept-Encoding "";
proxy_pass http://1.1.1.131;
}
}
I have also a wildcard ssl cert, file
/etc/nginx/virtual-hosts/wildcard.host.com:
ssl_certificate /etc/nginx/ssl/wildcard.crt;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
server {
listen 443 default ssl;
ssl on;
server_name my.default.hostname;
access_log
/logfiles/my.default.hostname/my.default.hostname-access_log combined;
# HTTP Strict Transport Security
add_header Strict-Transport-Security max-age=500;
location / {
proxy_cache off;
proxy_cache_valid 200 302 0;
proxy_cache_valid 301 0;
proxy_cache_valid any 0;
proxy_pass http://1.2.3.4;
# Huoltoikkuna (manuaalinen)
include /etc/nginx/maintenance.conf;
}
}
Now when i do go to address https://b.host.com/, i am getting response
from a.host.com.
I am pretty if correct Host header goes to 1.1.1.131 server, it should
return different content, i have tested it manually using curl, eg:
" curl --verbose --header 'Host: b.host.com' http://1.1.1.131" from nginx
machine, i will get correct content, but not thru nginx.
So i am assuming that somehow i am getting wrong content from a.host.com
or does nginx somehow leave Host header off?
Notice that i have same proxy_pass in both a.host.com and in b.host.com,
they resides on same ip and same port (named virtual hosts).
What i am debugged, i can see it goes to b.host.com config block, atleast
nginx writes to /logfiles/b.host.com/b.host.com-access_log when i do test
it.
Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 |FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax. +358
6 432 3555
Mob. + 358 50 384 3232 | pekka.panula at sofor.fi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20120417/069885df/attachment-0001.html>
More information about the nginx
mailing list