Opened 7 years ago
Last modified 3 years ago
#1383 accepted defect
Error if using proxy_pass with variable and limit_except
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.12.x |
| Keywords: | Cc: | ||
| uname -a: | Linux test 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.12.1
built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1t 3 May 2016 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
Hi nginx guys,
i use a nginx in front of a varnish server.
I purge my varnish via purge method.
Nginx uses the following VHost config:
server {
listen *:80 default_server;
location / {
limit_except GET POST {
allow 127.0.0.1/32;
deny all;
}
set $upstream http://127.0.0.1:8080;
if ($http_user_agent = 'mobile') {
set $upstream http://127.0.0.1:8080;
}
proxy_pass $upstream;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Suggested: From not localhost i only can request GET/HEAD/POST, localhost can do everything.
From remote it works as expected:
root@test:~# curl -X PURGE -I EXTIP HTTP/1.1 403 Forbidden Server: nginx Date: Mon, 18 Sep 2017 10:39:23 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Vary: Accept-Encoding
But from localhost:
root@test:~# curl -X PURGE -I http://127.0.0.1 HTTP/1.1 500 Internal Server Error Server: nginx Date: Mon, 18 Sep 2017 10:39:06 GMT Content-Type: text/html Content-Length: 186 Connection: close
Nginx error log tells me:
==> /var/log/nginx/error.log <== 2017/09/18 12:39:06 [error] 2483#2483: *2 invalid URL prefix in "", client: 127.0.0.1, server: , request: "PURGE / HTTP/1.1", host: "127.0.0.1"
Without using Variables in VHost:
server {
listen *:80 default_server;
location / {
limit_except GET POST {
allow 127.0.0.1/32;
deny all;
}
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Works as expected:
root@test:~# curl -X PURGE -I http://127.0.0.1 HTTP/1.1 200 OK Server: nginx Date: Mon, 18 Sep 2017 10:45:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding
Other tests with a variable proxy_pass e.g. using the get method instead of purge also fails with same error.
Please take a look why nginx fails when combining limit_except with proxypass and variables.
Thanks
Note:
See TracTickets
for help on using tickets.
The problem that rewrite module directives (
set,if) are not inherited into thelimit_exceptblock, and not executed there. As such, the$upstreamvariable is not set, andproxy_passcomplains. This behaviour is basically identical to a nestedlocationblock.An obvious workaround would be to use
mapinstead, for example:map $http_user_agent $upstream { default http://127.0.0.1:8080; mobile http://127.0.0.1:8080; } server { listen *:80 default_server; location / { limit_except GET POST { allow 127.0.0.1/32; deny all; } proxy_pass $upstream; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; } }It doesn't looks possible to fix this without disallowing all the configuration directives inside an
ifin location first. See also #633, #86.