Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#1586 closed defect (invalid)

App not get query behind nginx proxy - (curl: (47) Maximum (50) redirects followed)

Reported by: Alexandr Minzak
Owned by:
Priority: major
Milestone:
Component: other
Version: 1.14.x
Keywords:
Cc:
uname -a: Linux monero 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0
built by gcc 4.9.2 (Debian 4.9.2-10+deb8u1)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

I have an app listening on port 18083, and curl works with it:

root@monero:/mnt/monero/logs# curl -u monerowalletrpc:pass --digest -X POST http://127.0.0.1:18083/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_languages"}' -H 'Content-Type: application/json' 
{
  "id": "0",
  "jsonrpc": "2.0",
  "result": {
    "languages": ["Deutsch","English","Español","Français","Italiano","Nederlands","Português","русский язык","日本語","简体中文 (中国)","Esperanto","Lojban"]
  }
}

I have nginx.config:

server {
        listen 8500 default_server;
        ssl on;
        ssl_certificate /etc/ssl/private/letsencrypt-domain.pem;
        ssl_certificate_key /etc/ssl/private/letsencrypt-domain.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        server_name monero.domain;
        error_log   /var/log/nginx/monero.error.log  warn;
        access_log  /var/log/nginx/monero.access.log ;
        proxy_http_version         1.1;
        proxy_connect_timeout      360;
        proxy_read_timeout         360;
        proxy_pass_header          Date;
        proxy_pass_header          Server;
        proxy_pass_header          Authorization;
        proxy_set_header           Accept-Encoding "";
        proxy_set_header           Host $host;
        proxy_set_header           X-Real-IP $remote_addr;
        proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_request_headers on;
        proxy_buffering            off;
        proxy_set_header           Connection "Keep-Alive";
        location / {
              proxy_pass http://127.0.0.1:18083;
        }
}

And curl against port 8500 does not work!

root@monero:/mnt/monero/logs# curl -u monerowalletrpc:pass --digest -X POST https://monero.domain:8500/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_languages"}' -H 'Content-Type: application/json'
curl: (47) Maximum (50) redirects followed

P.S. no iptables, no ufw, no other blocker.
I also tried using 127.0.0.0:8500 - same bad result! (

What is wrong?

Full details are also here - https://github.com/monero-project/monero/issues/4084

Change History (5)

comment:1 by Alexandr Minzak, 2 years ago

Without ssl - same bad result (
Without default_server - same bad result (
Without any other vhost - same bad result (

comment:2 by Alexandr Minzak, 2 years ago

In the log file I see:

178.128.XX.XX - - [29/Jun/2018:19:35:13 +0000] "POST /json_rpc HTTP/1.1" 400 264 "-" "curl/7.38.0"
178.128.XX.XX - - [29/Jun/2018:19:35:23 +0000] "POST /json_rpc HTTP/1.1" 401 98 "-" "curl/7.38.0"
178.128.XX.XX - - [29/Jun/2018:19:35:23 +0000] "POST /json_rpc HTTP/1.1" 401 98 "-" "curl/7.38.0"
... many same rows here ..
178.128.XX.XX - - [29/Jun/2018:19:35:23 +0000] "POST /json_rpc HTTP/1.1" 401 98 "-" "curl/7.38.0"
178.128.XX.XX - - [29/Jun/2018:19:35:23 +0000] "POST /json_rpc HTTP/1.1" 401 98 "-" "curl/7.38.0"

comment:3 by Alexandr Minzak, 2 years ago

If I use curl -v, I find one difference:

< WWW-authenticate:Digest qop="auth",algorithm=MD5,realm="monero-rpc",nonce="Z9mB73VddoLs/vx0GpXwyg==",stale=false

stale=false in one case and stale=true in the other.
Is it important?

comment:4 by Maxim Dounin, 2 years ago

Resolution: invalid
Status: new → closed

For some reason your backend rejects requests with the error 401 Unauthorized. You have to investigate your backend to find out why it does this. Either way, this doesn't look like a bug in nginx, so closing this.

My best guess is that your backend requires authenticated requests to be on the same connection where the previous 401 response was returned. This needs to be fixed in the backend as this explicitly contradicts the stateless nature of HTTP. For tests, you may try configuring keepalive connections to backend servers to see if it works with keepalive enabled.
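
A test setup for the keepalive suggestion in comment:4, as an added example that is not part of the ticket or of the reply above. The upstream name `wallet_rpc` and the pool size are assumptions; the addresses, port and certificate paths are the ones from the reporter's config.

```nginx
# Added test configuration (not from the ticket).
# "wallet_rpc" is an assumed upstream name; "keepalive 4" is an assumed size.
upstream wallet_rpc {
    server 127.0.0.1:18083;

    # Cache up to 4 idle connections to the backend in each worker process.
    # Without this directive nginx opens a new backend connection for every
    # proxied request, whatever Connection header is sent upstream, so the
    # digest challenge (401) and the authenticated retry arrive at the
    # backend on different connections.
    keepalive 4;
}

server {
    listen 8500 ssl;
    server_name monero.domain;

    ssl_certificate     /etc/ssl/private/letsencrypt-domain.pem;
    ssl_certificate_key /etc/ssl/private/letsencrypt-domain.key;

    error_log  /var/log/nginx/monero.error.log warn;
    access_log /var/log/nginx/monero.access.log;

    location / {
        proxy_pass http://wallet_rpc;

        # Both settings are needed for upstream keepalive over HTTP:
        # HTTP/1.1 towards the backend, and an empty Connection header.
        proxy_http_version 1.1;
        # The reporter's config sent: proxy_set_header Connection "Keep-Alive";
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The idle connections are pooled per worker process and shared by all clients, so nginx does not guarantee that a client's retry reuses the connection that carried its 401 challenge. That makes this a diagnostic for the backend behaviour described in comment:4, not a substitute for fixing the backend.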

comment:5 by Alexandr Minzak, 2 years ago

@mdounin Thanks! It helped me a lot!
