0

I have the following configuration:

server {

    listen 8080;
 
    location / {
        proxy_pass           https://somehost.abc.xyz;
        proxy_redirect       off;
        proxy_set_header     Host somehost.abc.xyz;
        proxy_set_header     X-Real-IP somehost.abc.xyz;
        proxy_set_header     X-Forwarded-For somehost.abc.xyz;
        proxy_set_header     X-Forwarded-Host somehost.abc.xyz;
        proxy_set_header     HELLO pizza;
    }

}

Whenever I hit the proxy, let's say I go to http://localhost:8080/home, I get 503 service unavailable (not from the nginx service, from the app I'm trying to go to https://somehost.abc.xyz/home).

But if I just go to https://somehost.abc.xyz/home or do a redirect return 301 https://somehost.abc.xyz/home; it's all good and I get to the app. Although this doesn't help me, because I want to get there through the proxy so I can add a request header to every request that goes through.

Any ideas what could possibly cause this and how to solve it?

maxschlepzig
kevin
  • Check your application's logs. – Michael Hampton Jul 15 '21 at 17:01
  • @MichaelHampton somehost.abc.xyz is not my application, I should have stated it in the question – kevin Jul 15 '21 at 17:05
  • You will have to contact whoever runs that application for assistance. – Michael Hampton Jul 15 '21 at 17:07
  • @MichaelHampton I did, he said he doesn't know why this is happening, any ideas what could cause this? – kevin Jul 15 '21 at 17:09
  • If he doesn't know, then nobody else has any hope. I think he is just trying to get rid of you. He is certainly _capable_ of knowing why it doesn't work. If he did not investigate, then he probably doesn't want you to do what you are trying to do. – Michael Hampton Jul 15 '21 at 17:10
  • @MichaelHampton he just doesn't really care to help, because not his problem I guess – kevin Jul 15 '21 at 17:13
  • You will have to work that out with him somehow. – Michael Hampton Jul 15 '21 at 17:16
  • Do you know what headers like X-Forwarded-For and X-Real-IP are used for? – Gerard H. Pille Jul 15 '21 at 17:47
  • @MichaelHampton I talked with the guy, he said he will show me the logs on Sunday, hopefully I will understand the problem more and I will have more to share about the problem. – kevin Jul 15 '21 at 18:18
  • @GerardH.Pille X-headers hold info about the request's origin, like X-Forwarded-For is for identifying the IP of the client (user) who connected through the proxy. X-Real-IP holds the IP of the user. – kevin Jul 15 '21 at 18:27
  • If you know that, then why put the application host name in them? – Gerard H. Pille Jul 15 '21 at 18:33
  • @GerardH.Pille because I don't see any reason why we care about those headers' values, or am I wrong and I should care about them? – kevin Jul 15 '21 at 19:20
  • If you want to communicate, you don't talk nonsense. – Gerard H. Pille Jul 15 '21 at 20:34
  • IMHO if the destination is not in your hands this question will be plenty off-topic due to the fact that it can also be malware or a spoofing attempt and this should definitely not be supported – djdomi Apr 21 '22 at 17:05

2 Answers

1

Try using the backend port in the proxy_pass address. Also, is the header "HELLO" valid for the backend app?

server {
    listen 8080;

    location / {
        proxy_pass          https://somehost.abc.xyz:443;
        proxy_redirect      off;
        proxy_set_header    Host                somehost.abc.xyz;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host    your.host.address;
        proxy_set_header    HELLO               pizza;

        # Send SNI to the upstream, using this name
        proxy_ssl_server_name   on;
        proxy_ssl_name          somehost.abc.xyz;
        # Optional
        proxy_ssl_protocols     TLSv1.1 TLSv1.2 TLSv1.3;
        # Placeholder: replace with an OpenSSL cipher string
        proxy_ssl_ciphers       'Required SSL Ciphers';
        proxy_ssl_trusted_certificate   "/path/to/your/ca-certificates.crt";
    }
}

EDIT: when using an SSL backend you should define proxy_ssl_name if you don't have backend SSL certs

  • As stated, the user tries to proxy someone else's server. Adding a port to a default request on a default port is not required and can lead in some situations to a totally different goal – djdomi Apr 19 '22 at 17:44
  • I see.. the problem is he/she tries to reverse proxy on SSL protocol, should use proxy_ssl_protocols and ciphers, also proxy_ssl_name – Imran Nababan Apr 20 '22 at 18:49
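
A small config check for the points raised in the comments and in the answer above, as an added example (not code from the thread or from nginx): it flags literal non-IP values in X-Real-IP / X-Forwarded-For, and an https proxy_pass without `proxy_ssl_server_name on` (nginx sends no SNI by default) or `proxy_ssl_verify on` (without it the trusted-certificate file is not used). The `lint` helper, its simplified regex parsing and the two sample blocks are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples: the proxy directives from the question and from the first answer.
QUESTION_CONF = """
location / {
    proxy_pass        https://somehost.abc.xyz;
    proxy_set_header  Host somehost.abc.xyz;
    proxy_set_header  X-Real-IP somehost.abc.xyz;
    proxy_set_header  X-Forwarded-For somehost.abc.xyz;
}
"""
ANSWER_CONF = """
location / {
    proxy_pass        https://somehost.abc.xyz:443;
    proxy_set_header  Host somehost.abc.xyz;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_ssl_server_name  on;
    proxy_ssl_name    somehost.abc.xyz;
    proxy_ssl_trusted_certificate  /path/to/your/ca-certificates.crt;
}
"""

CLIENT_IP_HEADERS = {"x-real-ip", "x-forwarded-for"}
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]+);", re.M)  # simple "name args;" lines only

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint(conf):
    """Return findings for one proxied location (hypothetical helper)."""
    directives = [(name, args.split()) for name, args in DIRECTIVE.findall(conf)]
    last = dict(directives)  # last occurrence of each directive wins
    findings = []
    for name, args in directives:
        if name == "proxy_set_header" and len(args) == 2 and args[0].lower() in CLIENT_IP_HEADERS:
            if not args[1].startswith("$") and not is_ip(args[1]):
                findings.append(f"{args[0]} carries '{args[1]}', not a client address")
    if last.get("proxy_pass", [""])[0].startswith("https://"):
        if last.get("proxy_ssl_server_name") != ["on"]:
            findings.append("proxy_ssl_server_name is off: no SNI is sent upstream")
        if last.get("proxy_ssl_verify") != ["on"]:
            findings.append("proxy_ssl_verify is off: upstream certificate is not checked")
    return findings
```

`lint(QUESTION_CONF)` returns four findings and `lint(ANSWER_CONF)` one (certificate verification); the thread does not confirm any of them as the cause of the 503.
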
0

I have had a similar problem and I've found that the following statement caused the 503s:

 proxy_set_header     Host $host;  # same for $http_host;

Since it wasn't necessary for our use case, I was able to just remove it and by that, got rid of the 503s and got nginx to finally make the requests to the upstream server.

I have since also learned that it seems to be the use of the $host variable, not the statement itself that caused the issue for us, which means my answer might not really be to the point.

Setting a fixed value (in this case inside a server block) doesn't create the problem.

I don't have an explanation though, I'm hoping that someone else might be able to shed some light on this. This used to work in nginx 1.14 and I also believe in 1.16, but no longer in 1.18 and up.

kwisatz