Hello!
On Tue, Jun 02, 2020 at 12:10:45PM -0700, PGNet Dev wrote:
> On 6/2/20 8:27 AM, Francis Daly wrote:
> > That suggests that if you choose to use "proxy_ssl_server_name on;",
> > then you almost certainly do not want to add your own "proxy_set_header
> > Host" value.
> >
> > The nginx code probably should not try to check for (and reject) that
> > combination of directives-and-values; but might it be worth adding a
> > note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> > directive is probably a bad idea, especially if you get a http 421 response
> > from your upstream?
>
> trying to simplify/repeat, i've
>
> vhost config,
>
> upstream test-upstream {
> server test.example.com:11111;
> }
>
> server {
> listen 10.10.10.1:443 ssl http2;
> server_name example.com;
>
> ...
> location /app1 {
>
> proxy_ssl_verify on;
> proxy_ssl_verify_depth 2;
> proxy_ssl_certificate "/etc/ssl/nginx/test.client.crt";
> proxy_ssl_certificate_key "/etc/ssl/nginx/test.client.key";
> proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
>
> proxy_pass https://test-upstream/;
> proxy_ssl_server_name on;
> proxy_ssl_name test.example.com;
>
> }
> }
>
> and, upstream config
>
> server {
> listen 127.0.0.1:11111 ssl http2;
> server_name test.example.com;
>
> root /srv/www/test;
> index index.php;
> expires -1;
>
> ssl_certificate "/etc/ssl/nginx/test.server.crt";
> ssl_certificate_key "/etc/ssl/nginx/test.server.key";
> ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
>
> ssl_verify_client off;
> ssl_verify_depth 2;
> ssl_client_certificate "/etc/ssl/nginx/ca_int.crt";
>
> location ~ \.php {
> try_files $uri =404;
> fastcgi_pass phpfpm;
> fastcgi_index index.php;
> fastcgi_param PATH_INFO $fastcgi_script_name;
> include includes/fastcgi/fastcgi_params;
> }
>
> error_log /var/log/nginx/test.error.log info;
> }
>
> on access to
>
> https://example.com/app1
>
> still get
>
> 421 Misdirected Request
>
> in log
>
> ==> /var/log/nginx/test.error.log <==
> 2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.com, request: "GET / HTTP/1.0", host: "test-upstream"
>
> Is that
>
> host: "test-upstream"
>
> to be expected? it's an upstream name, not an actual host.
Yes, it is expected. Quoting http://nginx.org/r/proxy_set_header:
: By default, only two fields are redefined:
:
: proxy_set_header Host $proxy_host;
: proxy_set_header Connection close;
That is, the name you've written in the proxy_pass directive is
the actual hostname, and it will be used in the Host header when
creating requests to upstream server. And it is also used in the
proxy_ssl_name, so it will be used during SSL handshake for SNI
and certificate verification.
It's not just "an upstream name". If you want it to be only an
upstream name, you'll have to redefine at least proxy_ssl_name and
"proxy_set_header Host". (Well, not really, since $proxy_host is
also used at least in the proxy_cache_key, but this is probably
not that important.)
Alternatively, you may want to use the real name, and define an
upstream{} block with that name. This way you won't need to
redefine anything.
> Still unable to wrap my head around where this mis-match is
> coming from ... I have a nagging suspicion I'm missing something
> *really* obvious :-/
The mis-match comes from trying to redefine the name in some parts
of the configuration but not others. Hope the above explanation
helps.
--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
