Opened 17 months ago
Last modified 11 months ago
#2657 new defect
Specail redirect in location does not resolve upstream names
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | proxy_pass, upstream, variables | Cc: | |
| uname -a: | Linux c66c82abfcc1 5.15.0-101-generic #111~20.04.1-Ubuntu SMP Mon Mar 11 15:44:43 UTC 2024 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.27.0
built by gcc 12.2.0 (Debian 12.2.0-14) built with OpenSSL 3.0.11 19 Sep 2023 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.27.0/debian/debuild-base/nginx-1.27.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
||
Description
First things firsts: thank you for such titanic work, holding internet on your shoulders should be not easy.
So here is a self-explaining script reproducing my problem step by step.
I use official nginx image from docker hub.
The setup is simple: two nginxs, one for ingress, second impersonates some app.
(to pass antispam I had to replace http with h_t_t_p)
# common preparation
docker network create nginx_test_network
# setup ingress
tee <<CONF > ingress.conf
server {
listen 81 default;
server_name _;
resolver 127.0.0.53 ipv6=off;
set \$app_upstream "h_t_t_p://nginx-test-app:9090";
location / {
proxy_pass \$app_upstream;
}
}
CONF
docker run \
--detach \
--name nginx-test-ingress \
--network nginx_test_network \
--publish 81:81 \
--rm \
--volume "$(pwd)/ingress.conf":/etc/nginx/conf.d/default.conf \
nginx:1.27
# setup app
tee <<CONF > app.conf
server {
server_name _;
listen 9090;
location / {
#add_header Content-Type text/plain;
#return 200 "Here is an APP";
root /usr/share/nginx/html;
}
}
CONF
docker run \
--detach \
--name nginx-test-app \
--network nginx_test_network \
--rm \
--volume "$(pwd)/app.conf":/etc/nginx/conf.d/default.conf \
nginx:1.27
# setup problem
docker exec -i nginx-test-app mkdir /usr/share/nginx/html/css
# taking power nap
sleep 1
# getting troubles
curl -i "h_t_t_p://nginx-test.localhost:81/css"
# cleaning up
docker stop nginx-test-ingress nginx-test-app
docker network rm nginx_test_network
You should see in the end headers of the response
HTTP/1.1 301 Moved Permanently Server: nginx/1.27.0 Date: Mon, 17 Jun 2024 07:51:08 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: h_t_t_p://nginx-test-app:9090/css/
So nginx made special redirect for location without trailling slash and served by proxy_pass, BUT forgot to resolve upstream defined by variable, see Location header.
May be variable is not a good idea at all, I thought, and rewrote it with upstreams
upstream app_upstream {
server nginx-test-app:9090;
}
server {
listen 81 default;
server_name _;
resolver 127.0.0.11 ipv6=off;
location / {
proxy_pass h_t_t_p://app_upstream;
}
}
Upstreams did not help, the problem remains in this test case.
Note:
See TracTickets
for help on using tickets.
