Nginx reverse proxy 504 gateway timeout only happen in browser access - nginx

I used Nginx as a reverse proxy and when I access the url from the browser (Chrome, Firefox) it will show 504 gateway timeout. But when I use curl or wget to access the url, it works fine. It is really a weird issue, can anyone give me some help?
Following is my configuration: https://pastebin.com/fZHEtRGa
The upstream configuration is:
upstream default-nginx-z-80 {
# Load balance algorithm; empty for round robin, which is the default
least_conn;
keepalive 32;
server 10.1.228.195:80 max_fails=0 fail_timeout=0;
}
The server configuration is
server {
server_name z-ingress.mixhub.cn ;
listen 80;
listen [::]:80;
set $proxy_upstream_name "-";
location / {
port_in_redirect off;
set $proxy_upstream_name "default-nginx-z-80";
set $namespace "default";
set $ingress_name "nginx-z";
set $service_name "";
client_max_body_size "1m";
proxy_set_header Host $best_http_host;
# Pass the extracted client certificate to the backend
proxy_set_header ssl-client-cert "";
proxy_set_header ssl-client-verify "";
proxy_set_header ssl-client-dn "";
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_ip;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";
# Custom headers to proxied server
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_buffer_size "4k";
proxy_buffers 4 "4k";
proxy_request_buffering "on";
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
proxy_pass http://default-nginx-z-80;
}
}

Related

Proxying shiny-server through Django and nginx

I'm running a docker containerized django app with nginx as a reverse proxy and want to include several shiny apps I've inherited. I want django to sit between shiny-server (which serves the apps) and the client (i.e. NOT reverse proxy certain urls directly to shiny-server). However shiny-server seems to be trying to use some kind of websocket and hence while some elements of the ui render properly, the main files (leaflet maps, plots etc) don't. Instead I get a gray overlay. The console displays some cryptic error messages i.e. Connection closed. Info: {"isTrusted":false}. My nginx configuration is as follows:
#Connect to upstream shiny apps server
upstream shiny {
server shiny:80;
}
#Connect upstream django server via uWSGI
upstream django {
server django:8001;
}
#Required for shiny's WebSockets
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name 127.0.0.1;
resolver 127.0.0.11;
#Production settings
#listen 8000;
#server_name 195.134.90.182;
charset utf-8;
client_max_body_size 100M;
#Serve django's media (Not Implemented)
location /media/ {
alias /var/www/media;
}
location /static/ {
alias /var/www/static;
}
location / {
proxy_http_version 1.1; # you need to set this in order to use params below.
proxy_pass http://django;
proxy_set_header X-forwarded-FOR $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# include /usr/src/wastewater_app/uwsgi_params;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 100800s;
proxy_send_timeout 100800;
proxy_read_timeout 100800;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_redirect off;
proxy_request_buffering off;
proxy_buffering off;
keepalive_timeout 650000;
}
#Proxy shiny requests to shiny-server
location ~* /shiny/(.+) {
rewrite ^/shiny/(.*)$ /$1 break;
proxy_pass http://shiny/$1/;
proxy_redirect http://shiny/ $scheme://$host/shiny/;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 100800s;
proxy_send_timeout 100800;
proxy_read_timeout 100800;
keepalive_timeout 650000;
# required for WebSockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /__sockjs__/{
proxy_pass http://shiny/;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 100800s;
proxy_send_timeout 100800;
proxy_read_timeout 100800;
keepalive_timeout 650000;
}
location /ws {
proxy_pass http://shiny/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 100800s;
proxy_send_timeout 100800;
proxy_read_timeout 100800;
keepalive_timeout 650000;
}
I've also tried disabling sockets via:
#shiny-server.conf
sanitize_errors off;
disable_protocols websocket xdr-streaming xhr-streaming iframe-eventsource iframe- htmlfile;
However the problem persists.I've tried pretty much every solution suggested on the web and several permutations thereof but none have worked for this case. Open to any and all suggestions (please note I'm not familiar with websockets)

Nginx Reverse Proxy - websocket config to make Fortigate CLI interface work properly

I am trying to get my fortigate router's web interface behind my reverse proxy, not to be accessible from the internet, but to use my LetsEncrypt cert on my internal network. This is the config I'm using:
upstream websockets {
server 192.168.1.99:443;
}
server {
listen 443 ssl;
allow 192.168.1.0/24;
deny all;
server_name f60e.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Authorization "";
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Origin "";
proxy_pass_header X-XSRF-TOKEN;
proxy_pass https://192.168.1.99;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 1000m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /websockets/ {
proxy_pass https://websockets;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Origin "";
}
}
Everything appears to work except for the "Edit in CLI" button. When I attempt to use it, the interface window comes up blank and after a few seconds it says "Connection lost" and I get this error in my browser console
GET https://f60e.walnuthomelab.com/favicon/site.webmanifest net::ERR_CONNECTION_TIMED_OUT
main.js:1
WebSocket connection to 'wss://f60e.walnuthomelab.com/ws/cli/open?cols=66&rows=34' failed:
createWebSocket # main.js:1

NGINX Reverse Proxy (Proxy Manager) to OpenResty (NGINX) API Issues

I am hosting an application (Tandoor) on a LXC container.
On my host I have another container with a NginxProxyManager installed.
The Proxy Manager forwards (and forces SSL) to all incoming connections to the correct container, this works perfectly for all my other applications.
I am really struggling to understand why Tandoor will not work.
My config on the Reverse Proxy:
location /authelia {
internal;
set $upstream_authelia http://10.10.10.4:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
location / {
set $upstream_app $forward_scheme://$server:$port;
proxy_pass $upstream_app;
auth_request /authelia;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://auth.named-lab.net/?rd=$target_url;
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header Access-Control-Allow-Origin *;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
set_real_ip_from 192.168.4.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
location /accounts/logout/ {
return 301 https://auth.named-lab.net/logout;
}
My config on the OperResty (Tandoor) server:
server {
server_name tandoor.named-lab.net;
listen 8002;
#access_log /var/log/nginx/access.log;
#error_log /var/log/nginx/error.log;
#add_header Content-Security-Policy "default-src 'self';";
#add_header 'Access-Control-Allow-Origin' '*';
#proxy_set_header 'Content-Security-Policy' 'upgrade-insecure-requests';
#proxy_set_header 'Access-Control-Allow-Origin' '*';
#proxy_set_header Content-Security-Policy "default-src 'self';";
# serve media files
location /static {
alias /var/www/recipes/staticfiles;
}
location /media {
alias /var/www/recipes/mediafiles;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_pass http://unix:/home/recipes/recipes.sock;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header 'Content-Security-Policy' "default-src 'self';";
proxy_set_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
}
I can see the interface load fine, and the auth system works great too. However as soon as I do anything that involves the API (https://tandoor.named-lab.net/api/*) the data doesn't load.
If I got directly to https://tandoor.named-lab.net//api/ the JSON data shows without issue...

Websockets in NGINX not working with server with internet proxy: Error: No pong received in 3 seconds

I was trying to host flask application in NGINX which uses websockets.
It is working fine with the servers which do not use any proxy servers.
When it is hosted in a server that passes requests to proxy servers, client does not receive any message sent via websocket.
Initially none of the external API calls were working which started working when I added environ variable http_proxy and https_proxy for the service.
But the socket is still not working.
Got error: "no pong received in 3 seconds" in the server when trying to connect to websocket
This is what I get in browser
The following is the nginx configuration.
log_format upstreamlog '$server_name to: $upstream_addr [$request] '
'upstream_response_time $upstream_response_time '
'msec $msec request_time $request_time';
upstream socket_nodes {
ip_hash;
server 127.0.0.1:4000;
server 127.0.0.1:4001;
server 127.0.0.1:4002;
}
server {
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log upstreamlog;
add_header Strict-Transport-Security max-age=15768000;
location /static/* {
alias /file_path;
}
location / {
include uwsgi_params;
proxy_pass http://socket_nodes;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 16k;
}
location /socket.io {
proxy_pass http://socket_nodes/socket.io;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Try changing the socket configuration as below,
location /socket.io {
proxy_pass http://socket_nodes/socket.io;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

How to forward web-socket request to microservice using nginx

I wanted to forward the web-socket request to microservice using nginx.
I am hitting https://some-host/download-zip-service/downloadFile
By this, the calls are landing on download-zip-service and downloadFile API get the call.
in downloadFile I am using the socket to forward the request to microservice
but when I tried to call socket API from download-zip-service
I do something like var socket = io('https://some-host/download-zip-service/');
the calls are directly landing on
wss://some-host/socket.io/?EIO=3&transport=websocket&sid=12345678
instead of https://some-host/download-zip-service/socket.io/?EIO=3&transport=websocket&sid=12345678
as a reason, I explicitly added the root / path for download-zip-service.
Below is my NGINX.conf file
worker_processes 4;
events { worker_connections 1024; }
http {
sendfile on;
upstream download-zip-service {
server xx.xx.xx.xx:9012;
}
server {
listen 8765;
#Changed for implementing WEB Socket
location / {
proxy_pass http://download-zip-service/;
proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $server_name;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
#new property added
proxy_request_buffering off;
proxy_buffering off;
}
location /download-zip-service/ {
proxy_pass http://download-zip-service/;
proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $server_name;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
#socket timeout setting added
fastcgi_read_timeout 7200s;
send_timeout 7200s;
proxy_connect_timeout 7200s;
proxy_send_timeout 7200s;
proxy_read_timeout 7200s;
#new property added
proxy_request_buffering off;
proxy_buffering off;
}
}
}
I want to remove the root / path for download-zip-service.
and it should work with /download-zip-service/
Please let me know where I am doing mistake

Resources