Opened 3 years ago

Last modified 3 years ago

#1059 new defect

syntax check error when an upstream is used in proxy_pass using both http and https and is defined after

Reported by: nicolas.jombart@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.11.x
Keywords: Cc:
uname -a: Linux TEST_VPNA 2.6.32-573.26.1.el6.x86_64 #1 SMP Wed May 4 00:57:44 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: [root@TEST_VPNA conf.d]# nginx -V nginx version: nginx/1.10.1 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

First case, upstream is defined before (alphabetically) its usage in proxy_pass, both in http and https:

[root@TEST_VPNA conf.d]# cat a_1.conf
upstream backend {
    server 10.3.1.110:8443;
}

[root@TEST_VPNA conf.d]# cat a_2.conf
server {
    listen 443 ssl;
    server_name TRUC.domain.com;

    location /one {
        proxy_pass http://backend;
    }
    location /two {
        proxy_pass https://backend;
    }
}

[root@TEST_VPNA conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now if the upstream definition is read after, nginx tries to resolve the upstream name:

[root@TEST_VPNA conf.d]# mv a_1.conf a_3.conf

[root@TEST_VPNA conf.d]# nginx -t
nginx: [emerg] host not found in upstream "backend" in /etc/nginx/conf.d/a_2.conf:9
nginx: configuration file /etc/nginx/nginx.conf test failed

Note that there is no problem if upstream is used only in https (or http):

[root@TEST_VPNA conf.d]# cat a_2.conf
server {
    listen 443 ssl;
    server_name TRUC.domain.com;

    location /one {
        proxy_pass https://backend;
    }
    location /two {
        proxy_pass https://backend;
    }
}

[root@TEST_VPNA conf.d]# cat a_3.conf
upstream backend {
    server 10.3.1.110:8443;
}

[root@TEST_VPNA conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

There is no use case for using the same upstream in both http and https, but it can prevent nginx from running in case of a configuration mistake.

Change History (1)

comment:1 Changed 3 years ago by ru

In 6787:640e1e778de6/nginx:

Upstream: consistently initialize explicit upstreams.

When an upstream{} block follows a proxy_pass reference to it,
such an upstream inherited port and default_port settings from
proxy_pass. This was different from when they came in another
order (see ticket #1059). Explicit upstreams should not have
port and default_port in any case.

This fixes the following case:

server { location / { proxy_pass http://u; } ... }
upstream u { server 127.0.0.1; }
server { location / { proxy_pass https://u; } ... }

but not the following:

server { location / { proxy_pass http://u; } ... }
server { location / { proxy_pass https://u; } ... }
upstream u { server 127.0.0.1; }
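
A lint for the configuration mistake this ticket describes, as an added example (not part of the ticket or of nginx): it reports each explicit upstream that proxy_pass references with both http:// and https://, and which of those schemes were read before the upstream{} block. Reading files in sorted order (standing in for a single conf.d/*.conf include), the function name, the result fields and the sample files rebuilt from the listings above are assumptions made for illustration.

```python
import re

# proxy_pass to a plain name (no variables) or the start of an upstream{} block.
DIRECTIVE = re.compile(r"\bproxy_pass\s+(?P<scheme>https?)://(?P<ref>[^\s/:;$]+)"
                       r"|\bupstream\s+(?P<defn>[^\s{;]+)\s*\{")

A2_CONF = """server {
    listen 443 ssl;
    server_name TRUC.domain.com;

    location /one {
        proxy_pass http://backend;
    }
    location /two {
        proxy_pass https://backend;
    }
}
"""
UPSTREAM_CONF = "upstream backend {\n    server 10.3.1.110:8443;\n}\n"


def mixed_scheme_upstreams(files):
    """files maps file name -> text. Returns one finding per explicit upstream
    that proxy_pass references with both http:// and https://."""
    defined_at, refs, pos = {}, {}, 0
    # Assumption: files are read in sorted order, like an include of conf.d/*.conf.
    for fname in sorted(files):
        for lineno, line in enumerate(files[fname].splitlines(), 1):
            # Naive comment stripping: ignores '#' inside quoted strings.
            for m in DIRECTIVE.finditer(line.split("#", 1)[0]):
                pos += 1
                if m.group("defn"):
                    defined_at.setdefault(m.group("defn"), pos)
                else:
                    refs.setdefault(m.group("ref"), []).append(
                        (pos, m.group("scheme"), fname, lineno))
    findings = []
    for name, uses in refs.items():
        if name not in defined_at or len({s for _, s, _, _ in uses}) < 2:
            continue
        early = {s for p, s, _, _ in uses if p < defined_at[name]}
        findings.append({
            "upstream": name,
            "uses": [(f, n, s) for _, s, f, n in uses],
            # Both schemes here is the ordering that failed `nginx -t` in the ticket.
            "schemes_before_definition": sorted(early),
        })
    return findings
```

An empty `schemes_before_definition` corresponds to the ticket's passing layout, a single scheme to the ordering the commit message says is fixed, and both schemes to the ordering it says is not.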
