upstream server temporarily disabled while connecting to upstream - nginx

I have 2 Harbor servers running behind an nginx server (acting as load balancer and reverse proxy), namely harbor.
load balance nginx config:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream harbor {
ip_hash;
server 10.57.18.120;
server 10.57.18.236;
}
server{
listen 80;
location / {
proxy_pass http://harbor;
}
}
}
nginx config in harbor:
worker_processes auto;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream registry {
server registry:5000;
}
upstream ui {
server ui:80;
}
server {
listen 80;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
location / {
proxy_pass http://ui/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/ {
return 404;
}
location /v2/ {
proxy_pass http://registry/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /service/ {
proxy_pass http://ui/service/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
}
}
When both upstream servers are up, everything is ok, but if one upstream is down, nginx can't route requests to the server. Here are the logs:
2016/11/17 09:05:28 [error] 6#6: *1 connect() failed (113: No route to host) while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.236:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [warn] 6#6: *1 upstream server temporarily disabled while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.236:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.120:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [warn] 6#6: *1 upstream server temporarily disabled while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.120:80/", host: "10.57.18.236:2000"
10.57.2.138 - - [17/Nov/2016:09:05:28 +0000] "GET / HTTP/1.1" 502 575 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" "-"
2016/11/17 09:05:28 [error] 6#6: *1 no live upstreams while connecting to upstream, client: 10.57.2.138, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://apps/favicon.ico", host: "10.57.18.236:2000", referrer: "http://10.57.18.236:2000/"
10.57.2.138 - - [17/Nov/2016:09:05:28 +0000] "GET /favicon.ico HTTP/1.1" 502 575 "http://10.57.18.236:2000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" "-"
2016/11/17 09:05:34 [error] 6#6: *7 no live upstreams while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://apps/", host: "10.57.18.236:2000"
10.57.2.138 - - [17/Nov/2016:09:05:34 +0000] "GET / HTTP/1.1" 502 173 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17" "-"
It shows "upstream server temporarily disabled while connecting to upstream" and "no live upstreams while connecting to upstream", when upstream1 is down, but upstream2 is still up.
But I still get the "502 Bad Gateway" if I use domainUrl. At this time, visiting upstream2 (via IP) in browser works fine.
I tried to add "proxy_next_upstream" in http, in server, in the location / block, same problem.
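A way to read the error log in the question above, as an added example that is not part of the original post: it groups connect() failures and "temporarily disabled" warnings by peer and counts the requests rejected with "no live upstreams". The sample holds the question's own error-log lines plus one access-log line with the user agent shortened; the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Error-log lines copied from the question, plus one access-log line (user agent shortened).
SAMPLE_LOG = '''\
2016/11/17 09:05:28 [error] 6#6: *1 connect() failed (113: No route to host) while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.236:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [warn] 6#6: *1 upstream server temporarily disabled while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.236:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.120:80/", host: "10.57.18.236:2000"
2016/11/17 09:05:28 [warn] 6#6: *1 upstream server temporarily disabled while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://10.57.18.120:80/", host: "10.57.18.236:2000"
10.57.2.138 - - [17/Nov/2016:09:05:28 +0000] "GET / HTTP/1.1" 502 575 "-" "Mozilla/5.0" "-"
2016/11/17 09:05:28 [error] 6#6: *1 no live upstreams while connecting to upstream, client: 10.57.2.138, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://apps/favicon.ico", host: "10.57.18.236:2000", referrer: "http://10.57.18.236:2000/"
2016/11/17 09:05:34 [error] 6#6: *7 no live upstreams while connecting to upstream, client: 10.57.2.138, server: , request: "GET / HTTP/1.1", upstream: "http://apps/", host: "10.57.18.236:2000"
'''

# timestamp, level, pid#tid, *connection, message, then the quoted upstream URL
ENTRY = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) '
    r'(?P<msg>.*?), client: .*?upstream: "(?P<upstream>[^"]+)"'
)
CONNECT_FAILED = re.compile(r'connect\(\) failed \((?P<errno>\d+): (?P<reason>[^)]+)\)')


def triage(log_text):
    """Return (per-peer failures, per-group count of 'no live upstreams' rejections)."""
    peers = defaultdict(lambda: {"connect_errors": [], "disabled": 0})
    exhausted = defaultdict(int)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # access-log lines and errors without an upstream field
        target = urlsplit(m["upstream"]).netloc  # peer address, or the group name
        msg = m["msg"]
        failed = CONNECT_FAILED.search(msg)
        if failed:
            peers[target]["connect_errors"].append((int(failed["errno"]), failed["reason"]))
        elif msg.startswith("upstream server temporarily disabled"):
            peers[target]["disabled"] += 1
        elif msg.startswith("no live upstreams"):
            exhausted[target] += 1
    return dict(peers), dict(exhausted)


def all_peers_failing(peers):
    """True when every peer seen in the log had at least one connect() error."""
    return bool(peers) and all(p["connect_errors"] for p in peers.values())


if __name__ == "__main__":
    peers, exhausted = triage(SAMPLE_LOG)
    for addr, info in peers.items():
        print(addr, info)
    print("groups with no live upstreams:", exhausted)
    print("every peer failing:", all_peers_failing(peers))
```

On these lines both peers fail within the same second (errno 113 for 10.57.18.236:80, errno 111 for 10.57.18.120:80), and the group reported as having no live upstreams is named apps.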

Related

nginx redirection issue: proxy_pass directive does not seem to properly work

My nginx file:
upstream app-back {
server app-back.subdomain.domain.cloud;
}
server {
listen 3000;
server_name app-front.subdomain.domain.cloud;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
location /api {
proxy_pass https://app-back/api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
When I call GET https://app-front.subdomain.domain.cloud/api/w3id/login, I get this in the logs of app-front :
user-container 2022/11/03 16:10:11 [warn] 8#8: *6 upstream server temporarily disabled while connecting to upstream, client: 127.0.0.1, server: app-front.subdomain.domain.cloud, request: "GET /api/w3id/login HTTP/1.1", upstream: "https://[2606:4xxxxxxxxxxxxxxx2:417d]:80/api/w3id/login", host: "app-front.subdomain.domain.cloud", referrer: "https://app-front.subdomain.domain.cloud/login"
user-container 2022/11/03 16:10:11 [error] 8#8: *6 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 127.0.0.1, server: app-front.subdomain.domain.cloud, request: "GET /api/w3id/login HTTP/1.1", upstream: "https://[2455:47xxxxxxxxxxxxxxxx72:417d]:80/api/w3id/login", host: "app-front.subdomain.domain.cloud", referrer: "https://app-front.subdomain.domain.cloud/login"
user-container 127.0.0.1 - - [03/Nov/2022:16:10:11 +0000] "GET /api/w3id/login HTTP/1.1" 404 555 "https://app-front.subdomain.domain.cloud/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" "172.10.135.0, 127.0.0.6, 127.0.0.6"
I don't understand why redirection does not work.
Basically, what I expect is https://app-front/api --> https://app-back/api

Disable IPv6 in upstream servers for NginX during proxy_pass

Currently have Nginx running on the same machine as the rest of my servers, none of which are running IPv6. Relatively frequently, I get hangups when loading content while testing and I find error messages in the error.log file.
My current config:
http {
include mime.types;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
resolver 1.1.1.1 ipv6=off;
#keepalive_timeout 0;
keepalive_timeout 60s;
upstream master_process {
server localhost:40088;
}
upstream http_worker {
hash $remote_addr consistent;
server localhost:40089;
server localhost:40090;
server localhost:40091;
server localhost:40092;
}
#http server
server {
listen 88;
location / {
lingering_close on;
lingering_time 15s;
lingering_timeout 2s;
proxy_pass http://http_worker;
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
}
location ~ ^/(Main|Monitor|Chart|chartfeed|getchartdata()|Live|Log$) {
proxy_pass http://master_process;
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
}
location ~.*.(gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|txt|js|css|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|htm)$ {
proxy_pass http://master_process;
gzip_static on;
expires 7d;
}
}
}
The errors I am currently receiving:
2022/01/28 11:42:27 [error] 23732#17404: *1 connect() failed (10061: No connection could be made because the target machine actively refused it) while connecting to upstream, client: 127.0.0.1, server: , request: "GET /Main?_SID=1*479985359 HTTP/1.1", upstream: "http://[::1]:40088/Main?_SID=1*479985359", host: "localhost:88", referrer: "http://localhost:88/login()"
2022/01/28 11:42:52 [error] 23732#17404: *1 connect() failed (10061: No connection could be made because the target machine actively refused it) while connecting to upstream, client: 127.0.0.1, server: , request: "GET /Main?_SID=1*479985359 HTTP/1.1", upstream: "http://[::1]:40088/Main?_SID=1*479985359", host: "localhost:88", referrer: "http://localhost:88/login()"
Note that I have specified a resolver in the http section so that it can be made global. I have also tried moving that resolver into the server and location sections to no avail.
I have also tried adding {server {listen 88 default_server; listen [::]:88 ipv6only=on; ...}...} which also didn't solve this issue as others have suggested after a quick search online.
Any help would be greatly appreciated!

How to forward request from one NGINX to another but keeping the domain of the first NGINX

I have a sub-domain (foo.domain.com) that is maintained by my organization and in which I don't have control.
The organization configured that domain to point to a Route 53 service and from there I created a policy that sends the request to an ALB which then finally sends it to an EC2 running NGINX.
NGINX will be responsible for URL rewrites to many other services I have running in different EC2 instances.
What I want is, for example:
1. request is sent to foo.domain.com/service1
2. goes to Route53 then to an ALB and then to the EC2 running NGINX
3. in NGINX, I have the following config
...
location = /service1/
{
proxy_redirect off;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_pass https://public_ip_of_service1_ec2_instance$request_uri;
}
This request goes to the EC2 instance running service1, which is another NGINX proxy running a node.js application (npm build kinda thing)
The NGINX service1 conf file is:
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/self-signed.conf;
server_name public_ip_of_service1_ec2_instance;
root /app; #this is where the static files are hosted
location ~* \.html?$ {
expires -1;
add_header Pragma "no-cache";
add_header Cache-Control "no-store, must-revalidate";
}
location / {
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
index index.html;
try_files $uri $uri/ /index.html;
# kill cache
# expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
If I hit the NGINX URL of service1, it works just fine, but the problem is when I call the NGINX proxy from step 3.
When I hit the URL foo.domain.com/service1 on the browser, I see this:
Basically, it says that foo.domain.com/js/chunk....js can't be found. This is correct since this file is being served in the EC2 that is running that node.js application (that is, it can be found at http://public_ip_of_service1_ec2_instance/js/chunk....js)
What is the configuration that I am missing in order to be able to keep the domain foo.domain.com/service1 for my users at all times and never to see the public_ip_of_service1_ec2_instance
Thank you
EDIT 1
The issue reported here seems to be exactly like mine: https://serverfault.com/questions/805836/reverse-proxy-application-and-its-static-files-with-nginx
I followed the suggestion there as well as @anemyte's suggestion, but it is not working.
It seems like Proxy1 is trying to serve the static files that are hosted in Proxy2 as you can see here:
proxy | 2021/01/04 10:16:22 [error] 29#29: *4 open() "/etc/nginx/html/js/app.53272292.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.53272292.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:22 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:22 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/04 10:16:22 [error] 29#29: *4 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/04 10:16:22 [error] 29#29: *6 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/04 10:16:23 [error] 29#29: *6 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:23 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/04 10:16:23 [error] 29#29: *6 open() "/etc/nginx/html/js/app.53272292.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.53272292.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:23 +0000] "GET /js/app.53272292.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
My proxy 1 conf file looks like this now:
worker_processes 1;
events { worker_connections 1024; }
http {
log_format main '( $proxy_host $upstream_addr ) $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
rewrite_log on;
access_log /var/log/nginx/access.log main;
server {
listen 80;
server_name apacbsa.com;
location /auspost/ {
# proxy_redirect off;
# proxy_read_timeout 1m;
# proxy_connect_timeout 1m;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# proxy_buffering off;
#proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Host $server_name;
proxy_pass https://192.168.1.113/;
}
}
}
EDIT2
Still no luck. This is what I am seeing in NGINX1 logs:
proxy | ( 192.168.1.113 192.168.1.113:443 ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /auspost/ HTTP/1.1" 200 2111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:37 [error] 21#21: *9 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /js/app.54337cb4.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:37 [error] 21#21: *12 open() "/etc/nginx/html/js/app.54337cb4.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.54337cb4.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:37 [error] 21#21: *11 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:37 [error] 21#21: *13 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:38 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:38 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:38 [error] 21#21: *12 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:38 [error] 21#21: *11 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:39 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:39 [error] 21#21: *13 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:39 [error] 21#21: *11 open() "/etc/nginx/html/js/app.54337cb4.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.54337cb4.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:39 +0000] "GET /js/app.54337cb4.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
And this is what I see in the NGINX2 (serving static files) logs (just 1 line):
frontend | 172.21.0.1 - - [05/Jan/2021:11:04:17 +1100] "GET / HTTP/1.0" 200 2111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "172.19.0.1"
This is the full nginx conf file for NGINX2:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 10m;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
fastcgi_send_timeout 600s;
fastcgi_read_timeout 600s;
resolver_timeout 600s;
# for DDOS protection - 3 requests per second
limit_req_zone $binary_remote_addr zone=one:10m rate=3r/s;
# limiting the number of connections one client can make
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
listen 80;
listen [::]:80;
server_name apacbsa.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/self-signed.conf;
server_name apacbsa.com;
root /app;
location ~* \.html?$ {
expires -1;
add_header Pragma "no-cache";
add_header Cache-Control "no-store, must-revalidate";
}
location /auspost/ {
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
index index.html;
try_files $uri $uri/ /index.html;
# kill cache
# expires -1;
}
location /api {
# limiting the number of api calls
limit_req zone=one burst=2 nodelay;
# only one connection per client to the api
limit_conn addr 1;
proxy_pass https://backend:5001/api;
proxy_redirect off;
proxy_connect_timeout 1m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
Everything is running in docker containers, but that shouldn't be the problem I don't think.
So I issue the request from my browser in my Mac laptop and in that laptop I am running the NGINX1 proxy. That then forwards to my Windows machine running NGINX2 static files.
When you declare a location like that:
location = /service1/
It means that you want exact URL match. So it will only work for foo.domain.com/service1/ while foo.domain.com/service1/something won't match this location. Looking at the URL of your request (/js/chunk) this isn't what you want, so remove = from the location:
location /service1/
Next is the server_name. Your first proxy passes Host header which NGINX uses to determine which vhost configuration to use. The Host header value should be foo.domain.com but your server_name on the second NGINX is public_ip_of_service1_ec2_instance. It doesn't matter if the vhost is a default one but I don't see that in your configuration.
You can add foo.domain.com after public_ip_of_service1_ec2_instance or just replace one with the other. You should decide yourself what's best in this case, and if you wish to learn more about server names I recommend reading these great articles: How nginx processes a request and Server names
UPD: About missing static files.
You need to change base URL or base path of your service1 application from / to /service1/. This is not related to NGINX, unless your application is made of just static files.
Why did that happen? Well, you've told the first NGINX that you want all requests with a URL starting with /service1/ to be forwarded to service1. When a client hits service1, the page refers to some static files, /js/chunk-vendors.7b27d7ff.js for example. The client's browser makes an additional request to the first NGINX asking it to provide /js/chunk-vendors.7b27d7ff.js. Since the URL does not begin with /service1/, NGINX does not forward the request to /service1/ and it uses another piece of config for this request (/ most likely).
If you change all absolute URLs at service1 to begin with /service1/, the problem should go away. A dangerous alternative to that would be removing the first slash from absolute links. This way URLs will be relative to the current location and not the website root. Think twice before going with the second option.
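The routing described in the answer above, as an added example that is not part of the original answer: a simplified model of how the first proxy picks a location and how a browser resolves the three kinds of link. The location table mirrors the proxy 1 config from EDIT 1 and the root is the one in the posted open() errors; the tuple layout, function names, the upstream.example target and the sub/page.html path are assumptions of this sketch, and regex locations are not modelled.

```python
from urllib.parse import urljoin, urlsplit

# Proxy 1 as posted in EDIT 1: one prefix location, proxy_pass with a URI part ("/").
# Tuple layout (modifier, path, proxy_pass target) is this sketch's own.
PROXY1_LOCATIONS = [("", "/auspost/", "https://192.168.1.113/")]
# Same idea with the exact-match modifier from the first config; the target is a placeholder.
EXACT_LOCATIONS = [("=", "/service1/", "https://upstream.example/")]
DEFAULT_ROOT = "/etc/nginx/html"  # root seen in the posted open() errors


def select_location(locations, path):
    """'=' needs an exact match and wins immediately; otherwise the longest prefix wins."""
    best = None
    for loc in locations:
        modifier, prefix, _ = loc
        if modifier == "=":
            if path == prefix:
                return loc
        elif path.startswith(prefix) and (best is None or len(prefix) > len(best[1])):
            best = loc
    return best


def route(locations, path):
    """Return ('proxy', upstream URL) or ('file', local path) for a request path."""
    loc = select_location(locations, path)
    if loc is None:
        # No location matched: the request is served from the server's own root.
        return ("file", DEFAULT_ROOT + path)
    _, prefix, target = loc
    # proxy_pass with a URI part replaces the matched prefix with that URI.
    return ("proxy", target + path[len(prefix):])


def fetch(locations, page_url, link):
    """Resolve a link the way a browser does, then route the resulting path."""
    return route(locations, urlsplit(urljoin(page_url, link)).path)


if __name__ == "__main__":
    page = "http://localhost/auspost/"
    for link in ("/js/app.53272292.js",          # absolute link, as the app emits it now
                 "/auspost/js/app.53272292.js",  # base path changed to /auspost/
                 "js/app.53272292.js"):          # leading slash removed (relative link)
        print(f"{link:32} -> {fetch(PROXY1_LOCATIONS, page, link)}")
    # A relative link resolves against the current page, so it moves with the page path.
    print(fetch(PROXY1_LOCATIONS, page + "sub/page.html", "js/app.53272292.js"))
    # With '=', only the exact path is proxied.
    print(route(EXACT_LOCATIONS, "/service1/"), route(EXACT_LOCATIONS, "/service1/js/chunk.js"))
```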
I have done some testing lately and here's what I found out:
In your nginx proxy config, remove the line:
proxy_set_header Host $http_host;
Which will result in your final configuration nginx file to be:
location = /
{
proxy_redirect off;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_pass https://public_ip_of_service1_ec2_instance;
}
You could configure something like this in the first nginx server
server {
listen 80;
listen [::]:80;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name domain1;
if ($request_method ~* OPTIONS|GET|HEAD) {
return 301 https://domain2$request_uri;
}
location ~* api {
proxy_pass https://domain2$request_uri;
}
}

Docker + Nginx: Getting proxy_pass to work

I'm having a problem trying to get Nginx to proxy a path to another server that is also running in Docker.
To illustrate, I'm using Nexus server as an example.
This is my first attempt...
docker-compose.yml:-
version: '2'
services:
  nexus:
    image: "sonatype/nexus3"
    ports:
      - "8081:8081"
    volumes:
      - ./nexus:/nexus-data
  nginx:
    image: "nginx"
    ports:
      - "80:80"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
nginx.conf:-
worker_processes 4;
events { worker_connections 1024; }
http {
server {
listen 80;
location /nexus/ {
proxy_pass http://localhost:8081/;
}
}
}
When I hit http://localhost/nexus/, I get 502 Bad Gateway with the following log:-
nginx_1 | 2017/05/29 02:20:50 [error] 7#7: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.1, server: , request: "GET /nexus/ HTTP/1.1", upstream: "http://[::1]:8081/", host: "localhost"
nginx_1 | 2017/05/29 02:20:50 [error] 7#7: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.1, server: , request: "GET /nexus/ HTTP/1.1", upstream: "http://127.0.0.1:8081/", host: "localhost"
nginx_1 | 172.18.0.1 - - [29/May/2017:02:20:50 +0000] "GET /nexus/ HTTP/1.1" 502 575 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
In my second attempt...,
docker-compose.yml - I added links to Nginx configuration:-
version: '2'
services:
  nexus:
    image: "sonatype/nexus3"
    ports:
      - "8081:8081"
    volumes:
      - ./nexus:/nexus-data
  nginx:
    image: "nginx"
    ports:
      - "80:80"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    links:
      - nexus:nexus
nginx.conf... Instead of using http://localhost:8081/, I use http://nexus:8081/:-
worker_processes 4;
events { worker_connections 1024; }
http {
server {
listen 80;
location /nexus/ {
proxy_pass http://nexus:8081/;
}
}
}
Now, when I hit http://localhost/nexus/, it gets proxied properly but the web content is partially rendered. When inspecting the HTML source code of that page, the javascript, stylesheet and image links are pointing to http://nexus:8081/[path]... hence, 404.
What should I change to get this to work properly?
Thank you very much.
The following additional options are what I have used
http {
server {
listen 80;
location /{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
server_name_in_redirect on;
proxy_pass http://nexus:8081;
}
location /nexus/ {
proxy_pass http://nexus:8081/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
server_name_in_redirect on;
}
}
}
My solution is to include the redirect for the '/' path in the nginx config. The Nexus app will be making requests to '/' for its resources, which will not work.
However, this is not ideal and will not work with an Nginx configuration serving multiple apps.
The docs cover this configuration and indicate that you need to configure Nexus to serve on /nexus. This would enable you to configure Nginx as follows (from docs) minus the hack above.
location /nexus {
proxy_pass http://localhost:8081/nexus;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
I would recommend using that configuration.

Nginx custom error_page 413

I have a Rails app on unicorn with nginx in front of it.
# nginx.conf
upstream backend {
server unix:/home/deployer/apps/example.ru/shared/tmp/sockets/unicorn.sock.0 fail_timeout=0;
server unix:/home/deployer/apps/example.ru/shared/tmp/sockets/unicorn.sock.1 fail_timeout=0;
}
log_format default_log '$host $remote_addr [$time_local] "$request" $status $request_length "$http_referer" "$http_user_agent" $request_time';
server {
listen 80;
server_name example.ru www.example.ru dev.example.ru;
access_log /var/log/nginx/example.ru-access.log default_log;
# recursive_error_pages on;
location ~ ^/assets/ {
root /home/deployer/apps/example.ru/current/public;
gzip_static on;
expires 1y;
add_header Cache-Control public;
add_header ETag "";
break;
}
location / {
auth_basic "You shall not pass!";
auth_basic_user_file /home/deployer/.htsandbox;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_pass http://backend;
proxy_redirect off;
}
# Error pages
error_page 413 /413;
if (-f /home/deployer/apps/example.ru/shared/public/system/maintenance.html) {
return 503;
}
error_page 503 @maintenance;
location @maintenance {
if (-f $request_filename) {
break;
}
root /home/deployer/apps/example.ru/shared/public/system;
rewrite ^(.*)$ /maintenance.html break;
}
error_page 502 @bad_gateway;
location @bad_gateway {
if (-f $request_filename) {
break;
}
root /home/deployer/apps/example.ru/shared/public/system;
rewrite ^(.*)$ /bad_gateway.html break;
}
}
When a 413 error is raised by nginx, I want to pass it to the unicorn error page /413, but I get the 502 Bad Gateway nginx error page.
#log
2013/12/12 12:56:10 [error] 16853#0: *55 client intended to send too large body: 4099547 bytes, client: 128.72.7.207, server: example.ru, request: "POST /users/tester/avatar HTTP/1.1", host: "dev.example.ru", referrer: "http://dev.example.ru/users/tester/avatar"
2013/12/12 12:56:41 [error] 16853#0: *55 upstream prematurely closed connection while reading response header from upstream, client: 128.72.7.207, server: example.ru, request: "POST /users/tester/avatar HTTP/1.1", upstream: "http://unix:/home/deployer/apps/example.ru/shared/tmp/sockets/unicorn.sock.0:/413", host: "dev.example.ru", referrer: "http://dev.example.ru/users/tester/avatar"
2013/12/12 12:57:12 [error] 16853#0: *55 upstream prematurely closed connection while reading response header from upstream, client: 128.72.7.207, server: example.ru, request: "POST /users/tester/avatar HTTP/1.1", upstream: "http://unix:/home/deployer/apps/example.ru/shared/tmp/sockets/unicorn.sock.1:/413", host: "dev.example.ru", referrer: "http://dev.example.ru/users/tester/avatar"
Probably nginx has already closed the connection when unicorn tries to load the error page.