No CORS Workaround - SSL Proxy

Eric Swenson
June 20, 2014 03:34PM
We run an API web service and have two web sites that access the web service via AJAX. The web sites are accessed via HTTPS and, for security reasons, we need to have the API web service also accessed by HTTPS. Due to the need to support the IE9 browser, which does not properly support CORS, we are unable to have the web applications on our web servers configured to access the API web service through a different hostname than the hostnames of the two web sites. Consequently, we trick IE9 into thinking the origin host (web site) and destination host (API service) are on the same host and proxy requests from the web sites to the web service via proxy_pass. Unfortunately, since the API web service must be accessed by HTTPS, nginx has to establish an SSL session with the API web service, because we cannot proxy to HTTP. Our config looks something like this — for simplicity I only show one of the web sites' nginx config.

server {
    listen 443;
    server_name app.example.com;  # this is the web application
    server_tokens off;

    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # this URL pattern is interpreted as meaning: forward the request to the web service running on another host
    location /svc/api/ {
        proxy_pass https://svc.example.com/api/;  # this is the web service running on another host
        proxy_set_header Host svc.example.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        # normal web site access here
    }
}

This works fine. However, every once in a while (say, every week or so), traffic to https://app.example.com/svc/api/xxxx returns gateway 502 errors. The API service (located at https://svc.example.com/api) is working fine and is accessible directly. However, through the proxy setup (above), nginx will not pass traffic. Simply restarting nginx gets it working again for another week or so, only to have it get into the same state again some random interval later.

Does anyone have any ideas what might be causing nginx to fail to proxy traffic when no changes to the configuration have been made and the backend service is functioning normally?

Since I anticipate some will want to tell me that proxying to HTTPS is a bad idea, please realize we do not have the luxury of talking to the backend service (which lives on the Internet and is accessed by multiple parties) via HTTP. Also, yes, I realize that the proxy_set_header stuff probably has no useful effect with HTTPS proxying.

Thanks much in advance. — Eric

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
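
An added diagnostic, not part of the original post or of nginx: nginx resolves a literal hostname in proxy_pass once, when the configuration is loaded, so for 502s that clear on restart it is worth comparing the upstream addresses in the error log with what DNS returns now. That a DNS change is the cause here is an assumption; the log lines and addresses below are constructed, and the function names are hypothetical.

```python
import re
import socket

# nginx error-log entries name the upstream address that was actually tried.
UPSTREAM_RE = re.compile(r'upstream: "https?://(\[[0-9a-fA-F:]+\]|[0-9.]+):\d+')


def upstream_ips(log_lines):
    """Return {ip: count} of upstream addresses seen in error-log lines."""
    seen = {}
    for line in log_lines:
        m = UPSTREAM_RE.search(line)
        if m:
            ip = m.group(1).strip("[]")
            seen[ip] = seen.get(ip, 0) + 1
    return seen


def resolve(host, port=443):
    """Current addresses for host as the OS resolver sees them (needs network)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def stale_upstreams(log_lines, current_ips):
    """Upstream IPs nginx is still trying that DNS no longer returns."""
    return {ip: n for ip, n in upstream_ips(log_lines).items()
            if ip not in current_ips}


# Constructed sample: error-log lines in nginx's usual format (documentation IPs).
_PREFIX = ('2014/06/20 15:30:01 [error] 2211#0: *901 connect() failed '
           '(110: Connection timed out) while connecting to upstream, '
           'client: 192.0.2.44, server: app.example.com, '
           'request: "GET /svc/api/items HTTP/1.1", ')
SAMPLE_LOG = [
    _PREFIX + 'upstream: "https://203.0.113.10:443/api/items", host: "app.example.com"',
    _PREFIX + 'upstream: "https://203.0.113.10:443/api/items", host: "app.example.com"',
    _PREFIX + 'upstream: "https://198.51.100.7:443/api/items", host: "app.example.com"',
    '2014/06/20 15:31:00 [notice] 2211#0: signal process started',
]
SAMPLE_DNS = {"198.51.100.7"}  # constructed stand-in for resolve("svc.example.com")

if __name__ == "__main__":
    # On a real host: stale_upstreams(open(error_log_path), resolve("svc.example.com"))
    print(stale_upstreams(SAMPLE_LOG, SAMPLE_DNS))
```

A non-empty result means nginx is still connecting to an address the backend hostname no longer resolves to.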