I am getting wrong response from nginx

Hi

I am wondering how nginx can return the wrong content; at least it seems
so.
I terminate HTTPS on nginx behind my firewall, which NATs the public IPs
to nginx on ports 901 and 902 in this case, where nginx is
configured to listen for HTTPS connections.

So when end user hits eg address: https://a.host.com/, firewall does nat
and sends it to nginx private ip port 901, and https://b.host.com/ goes
to
nginx private ip port 902.

Some config lines:
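http {
    # Buffers for responses read from proxied backends.
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    # Largest request body accepted from a client.
    client_max_body_size 50M;
    # DNS resolver
    resolver 213.250.93.67;

    # nginx's own HTTP proxy cache
    proxy_cache_path  /usr/share/nginx/cache  levels=1:2
                      keys_zone=one:10m
                      max_size=1G;
    proxy_temp_path /usr/share/nginx/tmp;
    # $host in the key keeps cache entries of different virtual hosts apart;
    # $request_uri already carries the query string, so $args repeats it.
    proxy_cache_key "$scheme$host$request_uri$args";
    proxy_cache_use_stale updating error timeout invalid_header http_500
                          http_502 http_503 http_504;

    # ---- cache times ----

    proxy_cache_valid 200 302 5m;
    proxy_cache_valid 301 1h;
    proxy_cache_valid any 1m;

    proxy_cache one;
    # Neither read from nor write to the cache when any of these is non-empty:
    # a Pragma header, an Authorization header, the DomAuthSessId session
    # cookie, or a query string. This keeps authenticated responses out of the
    # shared cache, but only for sessions signalled by exactly these values.
    proxy_cache_bypass $http_pragma $http_authorization
                       $cookie_DomAuthSessId $args;
    proxy_no_cache $http_pragma $http_authorization
                   $cookie_DomAuthSessId $args;

    include mime.types;
    default_type application/octet-stream;

    gzip_http_version 1.1;
    gzip_vary on;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_proxied any;
    gzip_types text/css text/plain application/atom+xml
               application/x-javascript application/xml text/javascript
               application/xml+rss;
    gzip on;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;
    client_header_timeout 3m;
    send_timeout 3m;
    client_header_buffer_size 8k;
    large_client_header_buffers 4 8k;
    output_buffers 1 32k;
    postpone_output 1460;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75 20;
    server_names_hash_bucket_size 256; # this seems to be required for some vh

    # $http_x_forwarded_for is logged exactly as the client sent it, so treat
    # that field as untrusted when reading these logs.
    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    proxy_redirect off;
    # NOTE(review): proxy_set_header is inherited by a server or location only
    # when that level defines no proxy_set_header of its own. Any location that
    # sets even one header (for example ClientProtocol or Accept-Encoding) has
    # to repeat Host, X-Real-IP and X-Forwarded-For, otherwise the backend
    # receives the proxy_pass name as Host and loses the client address.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;

    # Ask backends for uncompressed responses; nginx does the gzip itself.
    proxy_set_header Accept-Encoding "";
    proxy_pass_header Set-Cookie;

    # ---- geoip -----

    geo $country {
        default no;
        include conf.d/geo.data;
    }

    # catchall
    server {
        listen          80 default;
        server_name     _;

        access_log  /var/log/nginx/default-access.log  main;

        server_name_in_redirect  off;

        location / {
            index index.html;
            root  /var/www/default/htdocs;
        }

    }

    # The glob loads every file in this directory, so stray copies or editor
    # backups left there become live configuration as well.
    include /etc/nginx/virtual-hosts/*;

}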

then here is config file for a.host.com, file:
/etc/nginx/virtual-hosts/a.host.com

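# Virtual host a.host.com: TLS terminated on port 901, proxied to 1.1.1.131.
server {
    listen 81.x.y.x:901;
    ssl on;
    ssl_certificate /etc/nginx/ssl/a.crt;
    ssl_certificate_key /etc/nginx/ssl/a.key;
    ssl_session_timeout 5m;
    # NOTE(review): SSLv3 (RFC 7568) and RC4 (RFC 7465) are both deprecated.
    # On a current nginx/OpenSSL, limit this to TLSv1.2 and TLSv1.3 and drop
    # RC4 from the cipher list.
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HTTP Strict Transport Security
    # NOTE(review): max-age is in seconds, so 500 pins HTTPS for under ten
    # minutes. add_header follows the same inheritance rule as
    # proxy_set_header: a nested level with its own add_header drops this one.
    add_header Strict-Transport-Security max-age=500;

    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    server_name a.host.com atest.host.com;
    access_log /logfiles/a.host.com/a.host.com-access_log combined;
    default_type text/html;
    root /usr/share/nginx/huolto;

    location / {
        # Caching is disabled for this host and all lifetimes are zeroed.
        proxy_cache off;
        proxy_cache_valid 200 302 0;
        proxy_cache_valid 301 0;
        proxy_cache_valid any 0;
        # NOTE(review): these two proxy_set_header lines stop this location
        # from inheriting the http-level ones, so "Host $host" is NOT sent.
        # nginx falls back to the proxy_pass name (Host: 1.1.1.131) and the
        # backend cannot pick the right name-based virtual host. Repeat
        # "proxy_set_header Host $host;" here, plus X-Real-IP and
        # X-Forwarded-For if the backend logs or filters on client address.
        proxy_set_header ClientProtocol HTTPS;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://1.1.1.131;

        # Maintenance window (manual)
        include /etc/nginx/maintenance.conf;

    }
}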

then file: /etc/nginx/virtual-hosts/b.host.com

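# Virtual host b.host.com: TLS terminated on port 902, proxied to 1.1.1.131.
server {
    listen 81.x.y.x:902;
    ssl on;
    ssl_certificate /etc/nginx/ssl/b.crt;
    ssl_certificate_key /etc/nginx/ssl/b.key;
    ssl_session_timeout 5m;
    # NOTE(review): SSLv3 (RFC 7568) and RC4 (RFC 7465) are both deprecated.
    # On a current nginx/OpenSSL, limit this to TLSv1.2 and TLSv1.3 and drop
    # RC4 from the cipher list.
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Never serve stale cached responses for this host.
    proxy_cache_use_stale off;

    # HTTP Strict Transport Security
    # NOTE(review): max-age is in seconds, so 500 pins HTTPS for under ten
    # minutes. add_header follows the same inheritance rule as
    # proxy_set_header: a nested level with its own add_header drops this one.
    add_header Strict-Transport-Security max-age=500;

    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    server_name b.host.com btest.host.com;
    access_log /logfiles/b.host.com/b.host.com-access_log combined;
    default_type text/html;
    root /usr/share/nginx/huolto;

    location / {
        # Caching is disabled for this host and all lifetimes are zeroed.
        proxy_cache off;
        proxy_cache_valid 200 302 0;
        proxy_cache_valid 301 0;
        proxy_cache_valid any 0;
        # NOTE(review): these two proxy_set_header lines stop this location
        # from inheriting the http-level ones, so "Host $host" is NOT sent.
        # nginx falls back to the proxy_pass name (Host: 1.1.1.131), and the
        # backend, which hosts a.host.com and b.host.com on the same IP and
        # port, answers with whichever site it treats as the default. Repeat
        # "proxy_set_header Host $host;" here, plus X-Real-IP and
        # X-Forwarded-For if the backend logs or filters on client address.
        proxy_set_header ClientProtocol HTTPS;
        proxy_set_header Accept-Encoding "";
        proxy_pass http://1.1.1.131;

    }
}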

I have also a wildcard ssl cert, file
/etc/nginx/virtual-hosts/wildcard.host.com:
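# TLS defaults for the wildcard certificate. These directives sit outside any
# server block, so they apply at whatever level includes this file.
ssl_certificate /etc/nginx/ssl/wildcard.crt;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
ssl_session_timeout 5m;
# NOTE(review): SSLv3 (RFC 7568) and RC4 (RFC 7465) are both deprecated.
# On a current nginx/OpenSSL, limit this to TLSv1.2 and TLSv1.3 and drop RC4
# from the cipher list.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;

# Default HTTPS server on port 443, proxied to 1.2.3.4.
server {
    listen 443 default ssl;
    ssl on;
    server_name my.default.hostname;
    access_log
        /logfiles/my.default.hostname/my.default.hostname-access_log combined;

    # HTTP Strict Transport Security
    # NOTE(review): max-age is in seconds, so 500 pins HTTPS for under ten
    # minutes.
    add_header Strict-Transport-Security max-age=500;

    location / {

        # Caching is disabled for this host and all lifetimes are zeroed.
        proxy_cache off;
        proxy_cache_valid 200 302 0;
        proxy_cache_valid 301 0;
        proxy_cache_valid any 0;

        # No proxy_set_header appears in this location or this server, so the
        # ones defined at an enclosing level (Host, X-Real-IP,
        # X-Forwarded-For) are inherited unchanged.
        proxy_pass http://1.2.3.4;

        # Maintenance window (manual)
        include /etc/nginx/maintenance.conf;

    }
}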

Now when i do go to address https://b.host.com/, i am getting response
from a.host.com.

I am pretty sure that if the correct Host header reaches the 1.1.1.131
server, it returns different content. I have tested it manually using curl, e.g.
`curl --verbose --header 'Host: b.host.com' http://1.1.1.131` from the
nginx machine: I get the correct content that way, but not through nginx.
So i am assuming that somehow i am getting wrong content from a.host.com
or does nginx somehow leave Host header off?

Notice that I have the same proxy_pass in both a.host.com and b.host.com;
they reside on the same IP and the same port (name-based virtual hosts).
From what I have debugged, I can see the request goes to the b.host.com
config block; at least nginx writes to
/logfiles/b.host.com/b.host.com-access_log when I test it.

Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 |FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax.
+358
6 432 3555
Mob. + 358 50 384 3232 | [email protected]

By default nginx uses the name you wrote in a proxy_pass directive
for the Host header. You probably want to use

proxy_set_header Host $host;

or something similar in the locations above.

[…]

Maxim D.

Hi, look again, i do have a proxy_set_header line in my http block. It
should inherit it to server blocks, afaik?

Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 |FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax.
+358
6 432 3555
Mob. + 358 50 384 3232 | [email protected]

Hello!

On Tue, Apr 17, 2012 at 02:43:27PM +0300, [email protected] wrote:

I am wondering how does nginx returns wrong content, atleast it seems so.
I am terminating https addresses to nginx thru my firewall, what does nat
public ips to nginx to ports 901 and 902 in this case, where nginx is
configured to wait https connections.

So when end user hits eg address: https://a.host.com/, firewall does nat
and sends it to nginx private ip port 901, and https://b.host.com/ goes to
nginx private ip port 902.

[…]

server {
listen 81.x.y.x:901;

[…]

server_name a.host.com atest.host.com;

[…]

location / {
proxy_cache off;
proxy_cache_valid 200 302 0;
proxy_cache_valid 301 0;
proxy_cache_valid any 0;
proxy_set_header ClientProtocol HTTPS;
proxy_set_header Accept-Encoding “”;
proxy_pass http://1.1.1.131;

This will result in a request with “Host: 1.1.1.131” to a backend
server, see Module ngx_http_proxy_module.

[…]

server {
listen 81.x.y.x:902;

[…]

server_name b.host.com btest.host.com;

[…]

location / {
proxy_cache off;
proxy_cache_valid 200 302 0;
proxy_cache_valid 301 0;
proxy_cache_valid any 0;
proxy_set_header ClientProtocol HTTPS;
proxy_set_header Accept-Encoding “”;
proxy_pass http://1.1.1.131;

Same here.

[…]

Now when i do go to address https://b.host.com/, i am getting response
from a.host.com.

I am pretty if correct Host header goes to 1.1.1.131 server, it should
return different content, i have tested it manually using curl, eg:
" curl --verbose --header ‘Host: b.host.comhttp://1.1.1.131" from nginx
machine, i will get correct content, but not thru nginx.
So i am assuming that somehow i am getting wrong content from a.host.com
or does nginx somehow leave Host header off?

By default nginx uses the name you wrote in a proxy_pass directive
for the Host header. You probably want to use

proxy_set_header Host $host;

or something similar in the locations above.

[…]

Maxim D.

Hello!

On Tue, Apr 17, 2012 at 03:29:26PM +0300, [email protected] wrote:

Hi, look again, i do have a proxy_set_header line in my http block. It
should inherit it to server blocks, afaik?

No.

Quote from the proxy_set_header documentation (nginx "Alphabetical index of directives"):

These directives are inherited from the previous level if and only
if there are no proxy_set_header directives defined on the current
level.

Maxim D.

Hi, look again, i do have a proxy_set_header line in my http block. It

Maxim D.
Hi, that was my problem! Thanks, you saved my day.
Now my configuration does what it is supposed to do.

Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 |FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax.
+358
6 432 3555
Mob. + 358 50 384 3232 | [email protected]