Proxy requests that return a 403 error - issue with sending headers

Friscia, Michael michael.friscia at yale.edu
Fri Mar 16 11:20:31 UTC 2018


First of all, your response caused me to review everything and I was able to solve it with you kicking me in the right direction.

Yes, both the 403 and 200 requests are from the same location block.

Yes, I’m well aware of the header inheritance but made a fatal mistake. I thought this only applied to add_header and not proxy_set_header so an old test configuration was getting in the way.

That said, it still does not explain why I was seeing the correct headers on 200 requests and not 403. My configuration design is that I have a conf file with global settings which is where these headers are set. But inside the location block I had
proxy_set_header Host $host;

The reason this is not in the global config has to do with some rewrite rules used so I don’t want that in every server{} block. My fix took all the headers from the global config and pasted them just below that line and then everything works.

So regardless that it is working now, why is it that on a 200 response the inheritance rule did not apply and when the response was 403 it did? I’m just going to change the way my configurations are setup but it seems like there’s a potential bug unless I’m just missing something really obvious when it comes to 4xx responses.

Thanks again for pushing me into the right direction,
-mike

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu <http://web.yale.edu/>
 

On 3/16/18, 4:24 AM, "nginx on behalf of Francis Daly" <nginx-bounces at nginx.org on behalf of francis at daoine.org> wrote:

    On Thu, Mar 15, 2018 at 08:04:13PM +0000, Friscia, Michael wrote:
    
    Hi there,
    
    > I have a block in my global settings that offers these header additions.
    
    > proxy_set_header X-Origin-Forwarded-For $remote_addr;
    
    > But what seems to be happening is that for any normal request, the client IP address is being passed to the web app but when I make the request for a page that returns the 403 error because of the IP restriction, none of the headers above are being applied to the request. So the web app is never getting passed my custom headers.
    
    If I'm reading this right, you report that one request from the client
    to nginx is proxy_pass'ed to another server with the "proxy_set_header
    X-Origin-Forwarded-For" having the desired value; while another request
    from the client to nginx is proxy_pass'ed to the other server without the
    "proxy_set_header X-Origin-Forwarded-For" having the desired value.
    
    If that is the case: are the two requests to nginx handled in the same
    location{} in nginx?
    
    Are you aware of directive inheritance in nginx? Briefly, it is either
    "none" or "replacement", and never "addition".
    
    > My question is if there is some sort of setting I am missing and I ask that making an assumption that the problem is that Nginx is making a request without sending headers, getting the 403 error and then all processing stops and I just get an access denied page.
    
    tcpdump or the equivalent, (or nginx logs, or next-server logs), can show
    what actual headers and values are sent from nginx to the next server.
    
    The server returning the 403 should have logs saying why it is returning
    403.
    
    With that information, you should be able to remove most guesswork.
    
    > Any thoughts on how to handle this problem would be appreciated.
    
    If it's not clear from the above steps, show your nginx config, and give
    one example request that does do what you want it to and one that does
    not do what you want it to.
    
    	f
    -- 
    Francis Daly        francis at daoine.org
    _______________________________________________
    nginx mailing list
    nginx at nginx.org
    https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=DwICAg&c=cjytLXgP8ixuoHflwc-poQ&r=wvXEDjvtDPcv7AlldT5UvDx32KXBEM6um_lS023SJrs&m=uNhxRAXKtcHgaF6JCJGEe8vpEdqxA7Cfh4cadBz_AP0&s=pESnOYNbk_E7ebVdyD0F714EEyjSd92-0YLVTvAFuM8&e=
    



More information about the nginx mailing list