Opened 3 years ago
Last modified 3 years ago
#2458 closed defect
Unexpected intermittent behavior of map directive(s) — at Initial Version
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.23.x |
| Keywords: | map ssl_server_name alias | Cc: | |
| uname -a: | Linux 0e0657b7cd93 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64 Linux | | |

nginx -V:
```
nginx version: nginx/1.23.3
built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fomit-frame-pointer -g' --with-ld-opt=-Wl,--as-needed,-O1,--sort-common
```
Description
I have a single HTTPS server configured; it uses one certificate for all the domains.
What I want it to do is this:
app.com/static/* -> Serve from filesystem
app.com -> Proxy to app server
staging.app.com/static/* -> Serve from filesystem (different folder)
staging.app.com -> Proxy to staging app server
Config:
```
# Use docker DNS to resolve other services
resolver 127.0.0.11 valid=30s;

# Choose upstream based on server name
map $ssl_server_name $targetBackend {
    # volatile; # doesn't fix it
    myapp.com http://production:81/;
    staging.myapp.com http://staging:81/;
}

# Choose static dir based on ssl server
map $ssl_server_name $staticPath {
    # volatile; # doesn't fix it
    myapp.com /var/www/staging-static/;
    staging.myapp.com /var/www/production-static/;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapp.com;
    server_name staging.myapp.com;

    ssl_certificate /etc/letsencrypt/live/x/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/x/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/conf.d/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # If path is sub-path of /static, serve from some dir
    location /static/ {
        alias $staticPath;
    }

    # Forward everything else to app servers
    location / {
        proxy_pass $targetBackend;
    }
}
```
In my test setup, I have the upstream servers send a return page that identifies them: "Hello, I am X". And the two static folders also have a simple index.html identifying them.
It only sometimes behaves as expected. Some of the weird behavior I often get:
Open staging.app.com/static/ -> Get staging static
Open app.com/static/ -> Get staging static again ??
Or:
Open staging.app.com/static/ -> Get staging static
Open app.com/static/ -> Get production static
Open app.com/static/ -> Get staging static ???
I have tried adding volatile to the maps but it did not fix the issue.
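
Added example, not part of the original ticket and not nginx project code: `$ssl_server_name` holds the SNI name from the TLS handshake and stays the same for every request on that connection, and an HTTP/2 client may reuse one connection for both hostnames because they share a certificate and address. The sketch below keys the ticket's maps on the per-request `$host` instead; the `421` guard for unmapped hosts and the removal of the trailing slash from the upstream URLs are assumptions added here.

```nginx
# Use docker DNS to resolve other services (needed: proxy_pass uses a variable)
resolver 127.0.0.11 valid=30s;

# Key on $host: evaluated per request from the request line, Host header
# or HTTP/2 :authority, not from the TLS handshake.
map $host $targetBackend {
    # No URI part after the port. With a variable in proxy_pass, a URI
    # given here (even "/") replaces the original request URI.
    myapp.com          http://production:81;
    staging.myapp.com  http://staging:81;
}

map $host $staticPath {
    # Values kept as posted in the ticket, which pairs myapp.com with
    # staging-static and staging.myapp.com with production-static.
    myapp.com          /var/www/staging-static/;
    staging.myapp.com  /var/www/production-static/;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapp.com staging.myapp.com;

    ssl_certificate     /etc/letsencrypt/live/x/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/x/privkey.pem;

    # A map without a matching entry yields an empty string. If this is the
    # only server on the port it also receives requests for any other Host,
    # so refuse those instead of serving with empty paths or upstreams.
    if ($targetBackend = "") {
        return 421;
    }

    # If path is sub-path of /static, serve from the per-host directory
    location /static/ {
        alias $staticPath;
    }

    # Forward everything else to the per-host app server
    location / {
        proxy_pass $targetBackend;
    }
}
```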
