Opened 3 years ago

Closed 3 years ago

#1281 closed defect (duplicate)

Location Header from proxied server is URL decoded before sent to client

Reported by: pprkut@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.11.x
Keywords: proxy
Cc:
uname -a: Linux kadabra.m2mobi.com 3.10.0-327.28.2.el7.x86_64 #1 SMP Wed Aug 3 11:11:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

I use nginx as a reverse proxy for jenkins. Jenkins job names for us can contain the "/" character, which needs to be URL encoded for requests to work correctly. Passing those encoded URLs from nginx to jenkins via proxy_pass works, however there seems to be a problem with encoded URLs returned from jenkins to nginx, for example in case of an HTTP 302 redirect.

Example:

I request the URL https://jenkins.example.com/blue/organizations/jenkins/group%2Fproject/branches, which returns a 302 redirect.

When talking to jenkins directly, the Location header value in the response is https://jenkins.example.com/blue/organizations/jenkins/group%2Fproject/branches/

When using nginx as reverse proxy, the Location header value in the response is https://jenkins.example.com/blue/organizations/jenkins/group/project/branches/

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: duplicate
Status: new → closed

From the description it looks like the problem is as follows:

  • You use proxying with proxy_pass used to change URI, as in (note trailing / in proxy_pass):
    location /foo/ {
         proxy_pass http://127.0.0.1/;
    }
    

When changing URI, nginx re-encodes the changed URI, and this will lose %2F escaping, see #786.

  • Given the above, URI as sent to your backend will look like /blue/organizations/jenkins/group/project/branches/, and this is what your backend uses in the Location header.

To avoid this you should configure nginx to not change the URI, by using no URI component in the proxy_pass directive, for example:

location /foo/ {
    # note: no trailing /
    proxy_pass http://127.0.0.1;
}

Closing this as duplicate of #786.
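
A configuration check for the condition described in comment:1, added here as an example (it is not part of the ticket or of nginx): it lists `proxy_pass` directives that carry a URI component, the case in which nginx changes and re-encodes the request URI. The sample configuration is constructed, and skipping targets that contain variables is an assumption of this sketch, since those follow different rules.

```python
import re

# Constructed sample configuration (not taken from the ticket).
SAMPLE_CONF = """\
server {
    location /foo/ {
        proxy_pass http://127.0.0.1/;
    }
    location /bar/ {
        proxy_pass http://127.0.0.1;
    }
    location /sock/ {
        proxy_pass http://unix:/tmp/backend.socket:/uri/;
    }
}
"""

# Matches active proxy_pass directives; lines commented out with '#' do not match.
PROXY_PASS = re.compile(r"^\s*proxy_pass\s+([^;\s]+)\s*;", re.M)


def uri_part(target):
    """Return the URI component of a proxy_pass target, or None if it has none."""
    rest = re.sub(r"^https?://", "", target)
    if rest.startswith("unix:"):
        # unix:/path/to.sock:/uri -> the URI follows the colon after the socket path
        _, _, after = rest[len("unix:"):].partition(":")
        return after or None
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else None


def find_uri_rewriting_proxy_pass(conf_text):
    """List (line, target, uri) for proxy_pass directives that have a URI component."""
    findings = []
    for m in PROXY_PASS.finditer(conf_text):
        target = m.group(1)
        if "$" in target:
            continue  # assumption: variable targets are out of scope for this check
        uri = uri_part(target)
        if uri is not None:
            line = conf_text.count("\n", 0, m.start(1)) + 1
            findings.append((line, target, uri))
    return findings


if __name__ == "__main__":
    for line, target, uri in find_uri_rewriting_proxy_pass(SAMPLE_CONF):
        print(f"line {line}: proxy_pass {target} has URI part {uri!r}")
```

Each reported location is one where an encoded `%2F` in the client's path will not reach the backend intact; the `/bar/` block, which has no URI part, is not reported.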
