Nginx Docker – Setting Up Reverse Proxy with Authentication Header

dockerdocker-swarmnginxreverse-proxy

I'm trying to configure nginx to run as a reverse proxy for two applications: a web frontend (IIS) and a .NET Core backend (Kestrel), all running in a docker swarm. I'm rewriting all calls to /api to the backend and all other calls to the frontend.

In my current setup, everything works fine until I log in to the application. This uses an IdentityServer OAuth/OpenID authentication service, causing an Authorization-header to be added to the request for all calls with a Bearer token. As soon as this header is present, the nginx server returns timeouts from the upstream servers. This happens on both servers, and if I disable passing of the auth header nginx works fine and proxies the request. For the frontend this is not an issue as it does not require the header, but the backend obviously no longer works. The odd thing is if I cut off the header at some point (it is a fairly long string) the request works, but obviously my backend service returns a 500 because it is no longer a valid token.

I've been scratching my head trying to figure out what is wrong and I've tried any number of configuration options. It very much seems like the request is stopped at nginx as neither servers behind the proxy even receive the request when it fails. Logging at the nginx level turns out nothing but 'upstream timed out (110: Operation timed out) while reading response header from upstream'-errors and even increasing that timeout does not do anything, which makes sense as the exact same request without the Authorization header does work.

Best Answer

The problem is apparently due to the fact that we are running a hybrid swarm with windows and linux nodes. There is a bug related to the network drivers that, oddly enough, few people seem to run into. When the request gets too big the request isn't routed properly inside the docker network. This causes nginx to send out the request and wait for a reply that will never come as the request never makes it to the upstream server...

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Nginx reverse proxy – try upstream A, then B, then A again

Key points:

Don't bother with upstream blocks for failover, if pinging one server will bring another one up - there's no way to tell nginx (at least, not the FOSS version) that the first server is up again. nginx will try the servers in order on the first request, but not follow-up requests, despite any backup, weight or fail_timeout settings.
You must enable recursive_error_pages when implementing failover using error_page and named locations.
Enable proxy_intercept_errors to handle error codes sent from the upstream server.
The = syntax (e.g. error_page 502 = @handle_502;) is required to correctly handle error codes in the named location. If = is not used, nginx will use the error code from the previous block.

Here is a summary:

server {
    listen ...;
    server_name $DOMAINS;

    recursive_error_pages on;

    # First, try "Upstream A"
    location / {
        error_page 418 = @backend;
        return 418;
    }

    # Define "Upstream A"
    location @backend {
        proxy_pass http://$IP:81;
        proxy_set_header  X-Real-IP     $remote_addr;
        # Add your proxy_* options here
    }

    # On error, go to "Upstream B"
    error_page 502 @handle_502;

    # Fallback static error page, in case "Upstream B" fails
    root /home/nginx/www;
    location = /_static_error.html {
        internal;
    }

    # Define "Upstream B"
    location @handle_502 { # What to do when the backend server is not up
        proxy_pass ...;
        # Add your proxy_* options here
        proxy_intercept_errors on;          # Look at the error codes returned from "Upstream B"
        error_page 502 /_static_error.html; # Fallback to error page if "Upstream B" is down
        error_page 451 = @backend;          # Try "Upstream A" again
    }
}

Original answer / research log follow:

Here's a ~~better~~ workaround I found, which is an improvement since it doesn't require a client redirect:

upstream aba {
    server $BACKEND-IP;
    server 127.0.0.1:82 backup;
    server $BACKEND-IP  backup;
}

...

location / {
    proxy_pass http://aba;
    proxy_next_upstream error http_502;
}

Then, just get the control server to return 502 on "success" and hope that code is never returned by backends.

Update: nginx keeps marking the first entry in the upstream block as down, so it does not try the servers in order on successive requests. I've tried adding weight=1000000000 fail_timeout=1 to the first entry with no effect. So far I have not found any solution which does not involve a client redirect.

Edit: One more thing I wish I knew - to get the error status from the error_page handler, use this syntax: error_page 502 = @handle_502; - that equals sign will cause nginx to get the error status from the handler.

Edit: And I got it working! In addition to the error_page fix above, all that was needed was enabling recursive_error_pages!

Best Answer

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Nginx reverse proxy – try upstream A, then B, then A again

Related Topic