5

I've noticed that there's functionality enabled in nginx by default, whereby a url request without a trailing slash for a directory which exists in the filesystem automatically has a slash added through a 301 redirect.

E.g. if the directory css exists within my root, then requesting http://example.com/css will result in a 301 to http://example.com/css/.

However, I have another site where the SSL is offloaded by a load-balancer. In this case, when I request https://example.com/css, nginx issues a 301 redirect to http://example.com/css/, despite the fact that the HTTP_X_FORWARDED_PROTO header is set to https by the load balancer.

Is this an nginx bug? Or a config setting I've missed somewhere?

growse
  • 8,020
  • 13
  • 74
  • 115

2 Answers2

2

Nginx doesn't look for HTTP_X_FORWARDED_PROTO and it's not a bug. It's just lack of such functionality.

You should configure your frontend to adjust the location header in responses, or replace it with another nginx (since nginx itself is a great load-balancer and SSL-terminator).

VBart
  • 8,309
  • 3
  • 25
  • 26
  • The problem in this case is that I don't control the load balancer. Personally, I feel that nginx knowing that the request came in on https and still issuing a redirect to a different protocol is a bug, but I can see how it might be a contentious issue. I'll contact the L/B manager and see what can be done. – growse Nov 16 '12 at 09:18
  • No, nginx doesn't see. This header isn't defined by HTTP RFC, and even more this functionality isn't something that should be by default. See here why: http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html (this is true for all X-Forwarded-* headers, web server should not blindly trust to any header received from client). – VBart Nov 16 '12 at 12:24
2

Looks like the LB is doing SSL termination and nginx just gets a HTTP request. Nginx doesn't modify any of the HTTP headers it receives. You can do this using rewrite rules which checks whether HTTP_X_FORWARDED_PROTO is set or not and then accordingly rewrites the request. FYI nginx doesn't supported nested or complex "if" statements therefore you'll have to resort to the method described in the link below.

http://rosslawley.co.uk/2010/01/nginx-how-to-multiple-if-statements/

Sameer
  • 4,118
  • 2
  • 17
  • 11