Custom Query (2297 matches)
Results (46 - 48 of 2297)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#671 | invalid | X-Forwarded-For problem when using HTTPS | ||
Description |
I m using nginx as reverse proxy for some rails apps (unicorn). Im stuck with how to keep X-Forwared-For pass over nginx when im using HTTPS. It is ok with HTTP, but when i use HTTPS the original X-Forwared-For information is gone. What arrives in my Rails APP? 172.16.6.234 = Desktop IP. 172.16.6.12 = A SQUID proxy. USING HTTP: "HTTP_X_FORWARDED_FOR"=>"172.16.6.234, 172.16.0.12" USING HTTPS: "HTTP_X_FORWARDED_FOR"=>"172.16.0.12" Same directives for 443 and 80 ports, but SSL on. I also tried to use: set_real_ip_from 172.16.0.12; set_real_ip_from 127.0.0.1/8; set_real_ip_from unix:; real_ip_header X-Forwarded-For; real_ip_recursive on; I stil having problems, but with a diferent result: USING HTTP: "HTTP_VIA"=>"1.1 spider06.assembleia.go.gov.br:3128 (squid/2.6.STABLE21)" "HTTP_X_FORWARDED_FOR"=>"172.16.6.234" USING HTTPS: HTTP_X_FORWARDED_FOR and HTTP_VIA are missing. I guess it is a unespected behaivor, so im opening this ticket. Tested on: 0.88, 1.6.2 and 1.7.7. Config file: upstream app_sgp { server unix:/var/www/html/sgp/tmp/sockets/unicorn.sock fail_timeout=0; } server { listen 80 default deferred; server_name 172.16.0.26; root /var/www/html/error/; location ^~ /assets/ { gzip_static on; expires max; add_header Cache-Control public; } try_files $uri/index.html $uri $uri.html; error_page 500 502 503 504 /500.html; client_max_body_size 4G; keepalive_timeout 10; location /sgp/ { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_sgp; } location = /500.html { root /var/www/html/error/; } } server { listen 443; ssl on; server_name 172.16.0.26; ssl_certificate /etc/nginx/ssl/intranet.crt; ssl_certificate_key /etc/nginx/ssl/intranet.key; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location ^~ /assets/ { gzip_static on; expires max; add_header Cache-Control public; } root /var/www/html/error/; try_files $uri/index.html $uri.html $uri; location /sgp/ { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_sgp; } location = /500.html { root /var/www/html/error/; } } |
|||
#447 | invalid | X-Forwarded-For header incorrect sometimes when using nginx as proxy | ||
Description |
Hi, we found out that the nginx sometimes sets wrong IP addresses in "X-Forwarded-For" header. It seems to be some race condition that only triggers once per ~6000 requests in our environment. The correct field in the header should like like this: X-Forwarded-For: 84.236.127.136 but sometimes we see this: X-Forwarded-For: 12.13.14.15, 2.29.89.233 i.e. two IP addresses separated by coma and space. We use nginx as SSL terminator/proxy, the config file is attached. The nginx version is 1.5.6. |
|||
#316 | fixed | X-Accel-Redirect should accept escaped URI | ||
Description |
When using the X-Accel-Redirect, it fails to send some files (returning a 404) because it does not URL-decode the requested path. It does work when the file name need not be URL-decoded. The reason is that X-Accel-Redirect expected to contain non-encoded URI. In particular this makes impossible to (normally) serve resources with '?' in name, as anything after '?' is treated as query string. Correct fix would be to change X-Accel-Redirect to accept escaped URI instead. X-Accel-Redirect value should be unescaped when it got from upstream, somewhere before ngx_http_internal_redirect() call. Probably ngx_http_parse_unsafe_uri() should be changed to unescape uri. The change of ngx_http_parse_unsafe_uri() will also positively affect dav and ssi modules. There are several patches proposed by the community [2][3]. References: [1] http://mailman.nginx.org/pipermail/nginx/2010-September/022383.html [2] http://nginx.2469901.n2.nabble.com/Bug-X-Accel-Redirect-td5510716.html [3] http://forum.nginx.org/read.php?29,221834,221834#msg-221834 |