Proxy requests that return a 403 error - issue with sending headers

[Jason Whittington]

add_header is used to add a header to a response.  It’s not entirely clear to me that that’s what you want to do.  But if so, add_header won’t run for non-200 return values by default.  If you want to propagate the header for error conditions add the “always” option:

add_header X-Origin-Forwarded-For $remote_addr always;

But this still feels weird to me so maybe I am missing something. Why would you want to add that header to the response (other than for debugging)?   The equivalent proxy_set_header (line 4 in your example) seems like all you should need to me.

Jason

From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Friscia, Michael
Sent: Thursday, March 15, 2018 3:04 PM
To: nginx at nginx.org
Subject: [IE] Proxy requests that return a 403 error - issue with sending headers

I hope I can explain this well enough to understand what I’m doing wrong.

The problem I am trying to solve is that I am making proxy requests to a site that has IP restrictions. Nginx is making a request to another Proxy URL rewrite server we use which then makes the request to the web application. So what happens without any work is that the second proxy server is making the request with the Nginx server IP address. So we made some changes to headers in Nginx to pass the client IP and then it would forward through the second proxy, make it to the web app and process the IP restriction.

I have a block in my global settings that offers these header additions.

add_header X-Origin-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Server $hostname;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Origin-Forwarded-For $remote_addr;
proxy_set_header Accept-Encoding identity;

It’s really the X-Origin… that I care about. But what seems to be happening is that for any normal request, the client IP address is being passed to the web app but when I make the request for a page that returns the 403 error because of the IP restriction, none of the headers above are being applied to the request. So the web app is never getting passed my custom headers.

My question is if there is some sort of setting I am missing and I ask that making an assumption that the problem is that Nginx is making a request without sending headers, getting the 403 error and then all processing stops and I just get an access denied page.

Any thoughts on how to handle this problem would be appreciated. I’ve tried numerous things and the root of the problem seems to be that Nginx is not making the full request. My next assumption is that this global configuration is to blame by having “error” in the list
proxy_cache_use_stale error timeout updating invalid_header http_500 http_502 http_503 http_504;

Thanks,
-mike

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu<http://web.yale.edu/>

This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180315/ae0cde49/attachment-0001.html>