Exposing external JSON API in an Nginx custom path?

Moorage moorage at protonmail.ch
Sun Nov 11 15:55:06 UTC 2018 

I have a vhost running on nginx/1.15.6,

	https://example.com

I have a standalone API service (fwiw, Gentics Mesh) running at

	http://mesh.example.com

It exposes its UI, per its own config as

	apiUrl: '/api/v1/',

Browsing to the direct link, Mesh responds as expected, correctly rendering/displaying its UI Login Form.  With curl,

	curl -i http://mesh.example.com:8080
		HTTP/1.1 302 Found
		Location: /mesh-ui/
		Content-Length: 0

I want to expose that UI at an Nginx site custom path.

	https://example.com/mesh

For now, both run on the same machine/IP,

	host example.com
		10.1.2.3
	host mesh.example.com
		10.1.2.3

In Nginx vhost config, I've tried to set up a proxy as

	upstream meshproxy {
		server 10.1.2.3:8080;
	}

	server {
		listen 10.1.2.3:443 ssl http2;
		server_name example.com;

		...
		location ~ /mesh/ {
			proxy_set_header Accept 'application/json';
			proxy_set_header Content-Type 'application/json';
			proxy_set_header Connection "upgrade";
			proxy_set_header Host $http_host;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-NginX-Proxy true;
			proxy_set_header X-Real-IP $remote_addr;

			proxy_buffering off;
			proxy_connect_timeout 5;
			proxy_http_version 1.1;
			proxy_intercept_errors on;
			proxy_read_timeout 240;

			proxy_pass http://meshproxy;
			proxy_redirect off;
		}
		...
	}

With that config, browser access to

	https://example.com/mesh

doesn't display the intended Mesh UI.  Instead, it displays a response of

	{
	  "message" : "Not Found",
	  "internalMessage" : "The rest endpoint or resource for given path {/mesh/} could not be found. Please verify that your Accept header is set correctly. I got {application/json}. It must accept {application/json}"
	}

Testing GET with curl, at that link, currently returns 403,

	curl --include --http2 --ipv4 --ssl --tlsv1.2 --key-type PEM --cert-type PEM --key /ssl/client.key.pem --cert /ssl/client.crt.pem --cacert /ssl/CA.crt.pem -X GET https://example.com/mesh/

		HTTP/2 403
			date: Sat, 10 Nov 2018 14:58:24 GMT
			content-type: text/html; charset=utf-8
			content-length: 146
			vary: Accept-Encoding
			secure: Server
			x-content-type-options: nosniff

			<html>
			<head><title>403 Forbidden</title></head>
			<body>
			<center><h1>403 Forbidden</h1></center>
			<hr><center>nginx</center>
			</body>
			</html>

I have no idea yet why it's 'Forbidden'.

I'm guessing the problem is something in my Nginx config?

What config needs change/addition to get that API UI 'exposed' correctly in the Nginx custom path?

More information about the nginx mailing list