SPDY: nginx/1.6.2: proxy_pass does not work when https is used

Hi,

I’ve got a problem when I tried to proxy spdy traffic to a host via the https
protocol.

My config is simple like that:

location /https/test {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_pass https://www.something.com/test;
}

When request is performed through HTTP protocol, everything works fine
without any problem.

However, when incoming request is done through SPDY, there is no response
from remote peer in about 10 seconds and connection is closed after that by
client.

As a short term solution, I’ve found the following workaround in order to
resolve the problem:

location /https/test {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_pass http://localhost/internal/https/test;
}

location /internal/https/test {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass https://www.something.com/test;
}

However, in the long term, it would be great to have this problem fixed in
nginx and avoid any workaround in config files.

BR/ Yury

On Tuesday 16 December 2014 00:05:03 Yury Kirpichev wrote:

proxy_set_header X-Real-IP $remote_addr;

However, when incoming request is done through SPDY, there is no response
from remote peer in about 10 seconds and connection is closed after that by
client.
[…]

I can’t reproduce the problem with your simple config.
It just works in both cases with or w/o SPDY.

Could you please provide more information like “nginx -V” output
and debug log: A debugging log

wbr, Valentin V. Bartenev

On 2014-12-15, 4:18 PM, Valentin V. Bartenev wrote:

without any problem.
and debug log: A debugging log

wbr, Valentin V. Bartenev


Can you provide logs please? Can you see that the connection is being
processed by https and packets sent to the remote host? Is your local
system set up with proper DNS (if you are using a hostname)… firewall,
anything in your hostdeny?

Hi,

Here is full config, I tried to make it as small as possible.

worker_processes 12;

events {
    worker_connections 8192;
    use epoll;
}

http {
    server {
        listen [::]:6121 spdy;
        listen [::]:80;

        client_body_buffer_size 100k;
        client_max_body_size 100k;

        server_name *.maps.dev.yandex.net;

        location /https/test {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_pass https://www.google.com/test;
        }
    }
}

Also, I’ve found that if I comment out the line with worker_processes, the
problem disappears.

Here is output from /usr/sbin/nginx -V
nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid
--with-debug
--with-http_addition_module --with-http_flv_module
--with-http_dav_module
--with-http_geoip_module --with-http_gzip_static_module
--with-http_gunzip_module --with-http_image_filter_module
--with-http_perl_module --with-http_realip_module
--with-http_stub_status_module --with-http_ssl_module
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module
--with-ipv6 --with-sha1=/usr/include/openssl
--with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-echo
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-headers-more
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-development-kit
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-lua
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-upstream-fair
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-flv-filter
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-ip-tos-filter
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-addtag-exe
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-speedtest
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-eblob
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-request-id
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-favicon
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-auth-sign

Unfortunately, I can not collect debug logs right now.
However, I did capture tcpdump on the server with nginx and was able to see
that nginx established an SSL connection with google.com, however, after that
it got stuck somewhere (can provide logs if you need it)

BR/ Yury

2014-12-16 3:18 GMT+03:00 Valentin V. Bartenev [email protected]:

On Tuesday 16 December 2014 11:48:37 Yury Kirpichev wrote:

    listen [::]:80;
    }
}

}

I’ve tested exactly with this config and see no problem:

% ./spdycat --spdy3-1 --no-tls 'http://[::1]:6121/https/test' -v
[ 0.000] Handshake complete
[ 0.000] send SYN_STREAM frame <version=3, flags=1, length=222>
(stream_id=1, assoc_stream_id=0, pri=3)
:host: [::1]:6121
:method: GET
:path: /https/test
:scheme: http
:version: HTTP/1.1
accept: */*
accept-encoding: gzip, deflate
user-agent: spdylay/1.2.3
[ 0.001] recv SETTINGS frame <version=3, flags=1, length=20>
(niv=2)
[4(0):100]
[7(0):2147483647]
[ 0.001] recv WINDOW_UPDATE frame <version=3, flags=0, length=8>
(stream_id=0, delta_window_size=2147418111)
[ 0.459] recv SYN_REPLY frame <version=3, flags=0, length=212>
(stream_id=1)
:status: 404 Not Found
:version: HTTP/1.1
content-length: 1429
content-type: text/html; charset=UTF-8
date: Tue, 16 Dec 2014 09:59:46 GMT
server: nginx/1.6.2

Error 404 (Not Found)!!1

404. That’s an error.

The requested URL /test was not found on this server. That’s all we know.
[ 0.459] recv DATA frame (stream_id=1, flags=1, length=1429)
[ 0.459] send GOAWAY frame (last_good_stream_id=0)

--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-speedtest
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-eblob
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-request-id
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-favicon
--add-module=/home/buildfarm/teamcity/projects/nginx-stable/debian/modules/nginx-auth-sign

The problem can be in one of these 3rd-party modules.
You should try without them first.

wbr, Valentin V. Bartenev
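
Added example (not part of the thread and not nginx project code): a small shell helper that reads `nginx -V` output and reports the two things asked for above, whether the build has `--with-debug` (required for a debug log) and which `--add-module` third-party modules are candidates to rebuild without. The function names and the sample build string are constructed for illustration.

```shell
#!/usr/bin/env bash
# Real use: nginx -V 2>&1 | triage_nginx_build

# Print the basename of every --add-module= path, one per line, de-duplicated.
third_party_modules() {
    tr ' \t' '\n\n' \
        | sed -n 's/^--add-module=//p' \
        | sed 's:/*$::; s:.*/::' \
        | sort -u
}

# Succeed only if the exact configure flag given as $1 is present on stdin.
has_flag() {
    flag=$1
    tr ' \t' '\n\n' | grep -qxF -- "$flag"
}

# Summarise a build: debug-log availability and third-party module candidates.
triage_nginx_build() {
    build=$(cat)
    if printf '%s\n' "$build" | has_flag --with-debug; then
        echo "debug-log: available"
    else
        echo "debug-log: unavailable (rebuild with --with-debug)"
    fi
    mods=$(printf '%s\n' "$build" | third_party_modules)
    if [ -n "$mods" ]; then
        count=$(printf '%s\n' "$mods" | wc -l | tr -d ' ')
        echo "third-party: $count"
        printf '%s\n' "$mods" | sed 's/^/  candidate: /'
    else
        echo "third-party: 0"
    fi
}

# Constructed sample input (shortened paths, not the poster's real build).
SAMPLE='nginx version: nginx/1.6.2
configure arguments: --prefix=/etc/nginx --with-debug --with-http_ssl_module --with-http_spdy_module --add-module=/build/modules/nginx-echo --add-module=/build/modules/nginx-lua'

printf '%s\n' "$SAMPLE" | triage_nginx_build
```

Rebuilding with the listed candidates removed one at a time narrows down which module, if any, interferes with the SPDY-to-https proxy path.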