Welcome! Log In Create A New Profile

Advanced

Re: No CORS Workaround - SSL Proxy

Maxim Dounin
July 02, 2014 07:28AM
Hello!

On Wed, Jul 02, 2014 at 02:37:17PM +0400, Maxim Dounin wrote:

> Hello!
>
> On Tue, Jul 01, 2014 at 05:58:33PM +0000, Eric Swenson wrote:
>
> > On 6/22/14, 7:32 AM, "Maxim Dounin" <mdounin@mdounin.ru> wrote:
> >
> > >If there is nothing in error logs, and you are getting 502 errors,
> > >then there are two options:
> > >
> > >1. The 502 errors are returned by your backend, not generated by
> > > nginx.
> > >
> > >2. You did something wrong while configuring error logs and/or you
> > > are looking into a wrong log.
> > >
> > >In this particular case, I would suggest the latter.
> >
> > I¹ve verified that my error log are configured fine ‹ I do get errors
> > reported in my configured error log ‹ but nothing at the time that nginx
> > returns 502 errors to the client.
>
> As nginx has lots of options to control error logging (logging
> level based filtering, as well as per-server and per-location
> error logs), it's not enough to check that some errors are logged
> to make sure logging is configured properly.
>
> Simplest way to configure logs properly is to comment out all
> error_log directives, and add error_log at global level, with
> desired logging level. In this case, logging at "error" level
> should be enough, i.e., the following should do the trick:
>
> error_log /path/to/log error;
>
> (At global level, i.e., at the top of your nginx.conf file. And
> don't forget to comment out all other error_log directives.)

Correction: in case of proxy to https, there is one case when the
error is reported at "info" level ("peer closed connection in SSL
handshake"), so "info" level logging is needed to see it.

(This looks like a bug and should be fixed, while talking to
upstream servers proper logging level for SSL handshake errors is
"error".)

> > I¹ve checked the upstream server¹s logs, even when configured with debug
> > logging, and never see any requests making it to the upstream server when
> > nginx returns a 502 to the client.
> >
> > If the issue were with the upstream server, why is it that simply
> > restarting nginx causes everything to proceed normally. I never have to
> > touch the upstream server (which, by the way is serving other requests
> > successfully from other proxies at the same time as the nginx proxy that
> > returns 502s is doing do.
>
> The fact that reastarting nginx fixes things indicates that the
> problem is likely caused by connections already established by
> nginx to the upstream server in question. And restarting nginx
> fixes things by closing these connections.

If the problem is indeed during SSL handshake, it may be caused by
a cached session peer starts to dislike for some reason.
Switching off "proxy_ssl_session_reuse" could help. See also this
answer, which may be related:

http://mailman.nginx.org/pipermail/nginx/2014-July/044329.html

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

No CORS Workaround - SSL Proxy

Eric Swenson June 20, 2014 03:34PM

Re: No CORS Workaround - SSL Proxy

Maxim Dounin June 20, 2014 06:48PM

Re: No CORS Workaround - SSL Proxy

Eric Swenson June 20, 2014 07:30PM

Re: No CORS Workaround - SSL Proxy

Maxim Dounin June 22, 2014 10:34AM

Re: No CORS Workaround - SSL Proxy

Eric Swenson July 01, 2014 02:00PM

Re: No CORS Workaround - SSL Proxy

Maxim Dounin July 02, 2014 06:38AM

Re: No CORS Workaround - SSL Proxy

Maxim Dounin July 02, 2014 07:28AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 169
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready