Nginx access.log showing different URL than requested - nginx

Our server has an nginx reverse proxy on port 80 forwarding requests to Apache on port 8081. It is working well, except that for a while now some requests have been automatically redirected to the website homepage.
For example, if we try to access http://www.website.com/product1
we get redirected to http://www.website.com
Apache access log shows "GET / HTTP/1.0"
Nginx access log shows "GET / HTTP/1.0"
How is it possible that the requested URI "/product1" becomes "/" in the nginx access log?

Related

application under Nginx switching IPs, how to make always the same?

I am running application under nginx with configuration:
upstream myup {
    server localhost:8833;
    server localhost:8844;
}
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass http://myup;
    }
}
This configuration works for me, but when I watch the IP in my app's logs, I see the following:
127.0.0.1/ - - - [11/JAN] "GET /info HTTP/1.0" 200
0.0.0.0.0.0.0.1 - - - [11/JAN] "GET /image.css HTTP/1.0" 200
127.0.0.1/ - - - [11/JAN] "GET /script.js HTTP/1.0" 200
0.0.0.0.0.0.0.1 - - - [11/JAN] "GET /logo.svg HTTP/1.0" 200
Every second request changes IP between (127.0.0.1, 0.0.0.0.0.0.0.1).
Logs from Nginx there always have IP: 127.0.0.1
Logs from my app without Nginx always have IP: 0.0.0.0.0.0.0.1
How do I manage to work continuously with the same IP as my application depends on it?

SSL_do_handshake() failed with nginx-proxy behind cloudflare

I have been struggling with this problem for 2-3 days now. My problem is: I get "SSL_do_handshake() failed" when doing proxy_pass from one reverse proxy to another.
I have a setup that looks like this:
gcp VM 1 containers:
- nginx reverse proxy 1
- acme companion for ssl
- frontend website (local nginx)
gcp VM 2 containers:
- nginx reverse proxy 2
- acme companion for ssl
- backend nodejs
DNS is done by Cloudflare:
- frontend.website.com: "gcp VM 1" IP address
- backend.nodejs.com: "gcp VM 2" IP address
To avoid CORS errors, "frontend.website.com" makes requests to "frontend.website.com/api".
"nginx reverse proxy 1" has this configuration to redirect to the backend:
location /api {
    proxy_pass https://backend.nodejs.com/api;
}
The error I get in the "nginx reverse proxy 1" logs:
nginx.1 | 2021/10/22 11:10:53 [error] 283#283: *11287 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1 | 2021/10/22 11:10:53 [warn] 283#283: *11287 upstream server temporarily disabled while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1 | 2021/10/22 11:10:53 [error] 283#283: *11287 no live upstreams while connecting to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://backend.nodejs.com/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
Note: the IP in the error log, 172.67.155.25:443, is not the gcp VM 1 or 2 IP; I assume it's a Cloudflare IP?
Things that I already tried:
- check SSL certs, they are okay on both sides.
- proxy_pass to http instead of https, it raises other problems.
- I already tried proxy_ssl_server_name on; (taken from here). Cloudflare returned a 403 forbidden with:
DNS points to prohibited IP
What happened?
You've requested a page on a website (frontend.website.com) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare's system.
What can I do?
If you are the owner of this website:
you should login to Cloudflare and change the DNS A records for frontend.website.com to resolve to a different IP address.
The thing is, the DNS A record for frontend.website.com is good (other apps are using it without problems).
I feel like there should be an SSL handshake to "backend.nodejs.com/api", but according to the error log, it tries to do it to the Cloudflare IP address instead (here 172.67.155.25:443, but different each time).
Am I missing something here? What can the problem be?
If you need any additional info, do not hesitate to ask for it.

Nginx+Gunicorn - reverse proxy not working

I am trying to set up a Python Flask application on a server following this guide: https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-18-04. I have this working on my local machine by following the guide. However, when I try to implement it on the actual server with the same config, I run into an issue proxying requests back to the gunicorn server. I am able to serve static content from Nginx with no problem. When I make a web service call from the static content back to Nginx, it should be proxied back to the gunicorn server.
For example when I try to make the call 'http://example.com/rest/webService', I would expect Nginx to pass anything starting with /rest/ back to gunicorn. The error below is all I can see in the error logs about what is happening:
2019/01/18 12:48:18 [error] 2930#2930: *18 open() "/var/www/html/rest/webService" failed (2: No such file or directory), client: ip_address, server: example.com, request: "GET /rest/webService HTTP/1.1", host: "example.com", referrer: "http://example.com/"
Here is the setup for python_app:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;
    index index.html;
    location ^/rest/(.*)$ {
        include proxy_params;
        proxy_pass http://unix:/home/username/python_app/python_app.sock;
    }
}
The only change to my nginx.conf file was to change 'include /etc/nginx/sites-enabled/*' to 'include /etc/nginx/sites-enabled/python_app'.
Please let me know if you have any ideas at all on what I may be missing! Thanks!
Not a solution, but some questions....
If you run
sudo systemctl status myproject
Do you see affirmation that gunicorn is running, and what socket it is bound to?
And does
sudo nginx -t
come back saying no diagnostic?
The regex in the location block for nginx -- I don't see anything similar to that in the guide, I see that you're trying to capture everything after "rest/", but looking at the nginx documents, I think you'd have to have $1 to reference the captured part of the URL. Can you try without the "^/rest/(.*)$" and see whether nginx finds anything?
Is the group that owns your directory a group that nginx is part of (a lot of setups use www-data)?

GCP: Network load balancer changes HTTP version from 1.1 to 1.0

I'm using two types of load balancers: an HTTP LB for the front end and a Network load balancer as an internal LB. I noticed GCP's Network load balancer (L4 load balancer) changes the HTTP version from 1.1 to 1.0. Is my understanding correct? How can I change the Network LB's behavior? I don't think changing the version is good.
My Environment
User --> HTTP LB --> Server A --> Network LB --> Server B
Server A's log
1xx.xxx.xxx.xxx - - [15/May/2017:15:04:41 +0900] "GET /items HTTP/1.1" 200 260 "-" "-"
Server B's log
1xx.xxx.xxx.xxx - - [15/May/2017:15:04:41 +0900] "GET /items HTTP/1.0" 200 260 "-" "-"
Update 1
It might not be the GCP LB's behavior. I suspected the nginx proxy setting.
I put the following setting into nginx conf. But still it does not work.
proxy_http_version 1.1;
Problem solved. The cause was our nginx setting.
We use nginx proxy. The proxy's default setting is HTTP 1.1.
We put the following line. Then fixed it.
proxy_http_version 1.1;

NGINX -- show cached IPs for host names in config files?

[SHORT VERSION] I understand when NGINX looks at a config file, it does DNS lookups on the hostnames in it, and then stores the results (IP addresses the hostnames should resolve to) somewhere and uses them until the next time it looks at a config file (which, to my understanding, is not until the next restart by default). Is there a way to see this hostnames-to-ips mapping that my currently-running NGINX service has? I am aware there are ways to configure my NGINX to account for changes in IPs for a hostname. I wish to see what my NGINX currently thinks it should resolve my hostname to.
[Elaborated] I'm using the DNS name of an AWS ELB (classic) as the hostname for a proxy_pass. And since both the public and private IPs of an AWS ELB can change (without notice), whatever IP(s) NGINX has mapped for that hostname at the start of its service will become outdated upon such change. I believe the IP-change just happened for me, as my NGINX service is forwarding traffic to a cluster different than what is specified in its config. Restarting the NGINX service fixes the problem. But, again, I'm looking to SEE where NGINX currently thinks it should send the traffic to, not how to fix it or prevent it (plenty of resources online for working with dynamic upstreams, which I evidently should have consumed prior to deploying my NGINX services...).
Thank you in advance!
All you need is the resolver option.
http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
With this option nginx will look up DNS changes without restarting, but only for the proxy_pass directive. This won't work if you are using upstream. DNS resolution of upstream servers is supported only in the Nginx PLUS version.
If you want to know the IP of the upstream server, there are a few ways:
- in PLUS version you can use status module or upstream_conf module, but PLUS version is not free
- some 3rd party status modules
- write this IP to log with each request, just add $upstream_addr variable to your custom access log. $upstream_addr contains IP address of backend server used in current request. Example of config:
log_format upstreamlog '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $bytes_sent $upstream_addr';
server {
    ...
    access_log /tmp/test_access_log upstreamlog;
    resolver ip.of.local.resolver;
    location / {
        set $pass dns_name.of.backend;
        proxy_pass http://$pass;
    }
}
Note: always use a variable for proxy_pass - only in this case will the resolver be used. Example of log:
127.0.0.1 - - [10/Jan/2017:02:12:15 +0300] "GET / HTTP/1.1" 200 503 213.180.193.3:80
127.0.0.1 - - [10/Jan/2017:02:12:25 +0300] "GET / HTTP/1.1" 200 503 213.180.193.3:80
.... IP address changed, nginx wasn't restarted ...
127.0.0.1 - - [10/Jan/2017:02:13:55 +0300] "GET / HTTP/1.1" 200 503 93.158.134.3:80
127.0.0.1 - - [10/Jan/2017:02:13:59 +0300] "GET / HTTP/1.1" 200 503 93.158.134.3:80
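
An added example, not part of the original answer: a Python sketch that reads access-log lines in the upstreamlog format above and reports every change of backend address in $upstream_addr, which is how a stale or unexpected upstream IP becomes visible. The function names are hypothetical; the first five sample lines are the answer's own log, the last two are constructed, and the comma and " : " handling follows nginx's documented format for $upstream_addr.

```python
import re

# Log line in the answer's `upstreamlog` format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent $upstream_addr
LINE_RE = re.compile(
    r'^(?P<remote>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) (?P<upstream>.+)$'
)

def last_upstream(field):
    """Return the last backend nginx contacted for a request, or None.

    nginx separates retried servers with commas and server groups reached
    through an internal redirect with " : "; "-" means no upstream was used.
    """
    hops = [h for h in re.split(r"\s*,\s*|\s+:\s+", field.strip()) if h and h != "-"]
    return hops[-1] if hops else None

def upstream_changes(lines):
    """Return (time_local, old_addr, new_addr) for every change of backend."""
    changes, current = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # free text or a line written with another log_format
        addr = last_upstream(m.group("upstream"))
        if addr is None:
            continue  # request answered without contacting a backend
        if current is not None and addr != current:
            changes.append((m.group("time"), current, addr))
        current = addr
    return changes

# First five lines: the log from the answer. Last two: constructed for this example.
SAMPLE = [
    '127.0.0.1 - - [10/Jan/2017:02:12:15 +0300] "GET / HTTP/1.1" 200 503 213.180.193.3:80',
    '127.0.0.1 - - [10/Jan/2017:02:12:25 +0300] "GET / HTTP/1.1" 200 503 213.180.193.3:80',
    ".... IP address changed, nginx wasn't restarted ...",
    '127.0.0.1 - - [10/Jan/2017:02:13:55 +0300] "GET / HTTP/1.1" 200 503 93.158.134.3:80',
    '127.0.0.1 - - [10/Jan/2017:02:13:59 +0300] "GET / HTTP/1.1" 200 503 93.158.134.3:80',
    '127.0.0.1 - - [10/Jan/2017:02:14:05 +0300] "GET /missing HTTP/1.1" 404 169 -',
    '127.0.0.1 - - [10/Jan/2017:02:14:09 +0300] "GET / HTTP/1.1" 200 503 93.158.134.3:80, 192.0.2.10:80',
]

if __name__ == "__main__":
    for when, old, new in upstream_changes(SAMPLE):
        print(f"{when}: upstream changed {old} -> {new}")
```

Comparing the reported addresses against the set of backends you expect turns the same log into a check that traffic is not being forwarded to an address the hostname no longer owns.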
