No CORS Workaround - SSL Proxy
Eric Swenson
eswenson at intertrust.com
Fri Jun 20 19:32:36 UTC 2014
We run an API web service and have two web sites that access the web service via AJAX. The web sites are accessed via HTTPS and, for security reasons, we need to have the API web service also accessed by HTTPS. Due to the need to support the IE9 browser, which does not properly support CORS, we are unable to have the web applications on our web servers configured to access the API web service through a different hostname than the hostnames of the two web sites. Consequently, we trick IE9 into thinking the origin host (web site) and destination host (API service) are on the same host and proxy requests from the web sites to the web service via proxy_pass. Unfortunately, since the API web service must be accessed by HTTPS, nginx has to establish an SSL session with the API web service, because we cannot proxy to HTTP. Our config looks something like this — for simplicity I only show one of the web sites' nginx config.
server {
    listen 443;
    server_name app.example.com;  # this is the web application
    server_tokens off;
    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # this URL pattern is interpreted as meaning: forward the request to the web service running on another host
    location /svc/api/ {
        proxy_pass https://svc.example.com/api/;  # this is the web service running on another host
        proxy_set_header Host svc.example.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        # normal web site access here
    }
    # …
}
This works fine. However, every once in a while (say, every week or so), traffic to https://app.example.com/svc/api/xxxx returns gateway 502 errors. The API service (located at https://svc.example.com/api) is working fine and is accessible directly. However, through the proxy setup (above), nginx will not pass traffic. Simply restarting nginx gets it working again for another week or so, only to have it get into the same state again some random interval later.
Does anyone have any ideas what might be causing nginx to fail to proxy traffic when no changes to the configuration have been made and the backend service is functioning normally?
Since I anticipate some will want to tell me that proxying to HTTPS is a bad idea, please realize we do not have the luxury of talking to the backend service (which lives on the Internet and is accessed by multiple parties) via HTTP. Also, yes, I realize that the proxy_set_header stuff probably has no useful effect with HTTPS proxying.
Thanks much in advance. — Eric