Hi Francis,

Hope you are doing good ? Thanks for your quick responses for my emails
again. I have 02 questions for you today, I will brief it down for your
ease.

*quiz (1.) : * Yes I understand some of my clients requests don't have
user/name password in their requests and that's why it gives 401 in the
access.log file.
But also for me when I browse the site in my internal network
browser http://172.25.234.105/metrics its pop up the user name and
password enter window and directs me successfully to the /metrics page and
I can view contents. But when I tail the /var.log/nginx/error.log file for
a moment and even after I log in by type username and password the error
log gives below error message unless the login is successful.


*tail -f /var.log/nginx/error.log output*
2021/06/01 11:25:26 [crit] 2379013#2379013: *57800 open()
"/var/lib/nginx/proxy/4/79/0000002794" failed (*13: Permission denied*)
while reading upstream, client: 172.20.0.201, server: 172.25.234.105,
request: "GET /metrics HTTP/1.1", upstream: "http://127.0.0.1:9091/metrics",
host: "172.25.234.105"


So my first quiz is why it gives a Permission denied message for my request
through the browser even after I enter credentials and I can view /metrics
page contents.

(note* - in my nginx /etc/nginx/.htpasswd file I have the password as
encrypted but I enter the unencrypted password. I hope that's not an issue
since the login is successful.)


*quiz (2.) : * My second question for you is if I want to redirect the url,
such as when I enter http://172.25.234.105:80 I want it to automatically
redirect it to the page http://172.25.234.105/metrics. How could I
achieve that via nginx ?


Thanks for your effortless help for my questions Mr Francis ( even though I
don't know your real name, lol) ; Appreciate a lot.


Amila
Devops Engineer
RHCSA, CKA, AWS

On Tue, Jun 1, 2021 at 5:30 PM <nginx-request@nginx.org> wrote:

> Send nginx mailing list submissions to
> nginx@nginx.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.nginx.org/mailman/listinfo/nginx
> or, via email, send a message with subject or body 'help' to
> nginx-request@nginx.org
>
> You can reach the person managing the list at
> nginx-owner@nginx.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of nginx digest..."
>
>
> Today's Topics:
>
> 1. Re: Help: Using Nginx Reverse Proxy bypass traffic in to a
> application running in a container (Francis Daly)
> 2. Re: Help: Using Nginx Reverse Proxy bypass traffic in to a
> application running in a container (Francis Daly)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 1 Jun 2021 07:54:26 +0100
> From: Francis Daly <francis@daoine.org>
> To: nginx@nginx.org
> Subject: Re: Help: Using Nginx Reverse Proxy bypass traffic in to a
> application running in a container
> Message-ID: <20210601065426.GH11167@daoine.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Sat, May 29, 2021 at 07:11:38PM +0530, Amila Gunathilaka wrote:
>
> Hi there,
>
> It sounds like you have the main part solved by changing the "health
> check" request to be one that your port-9091 upstream is able to handle,
> which is good.
>
> > >As I understand it, the load balancer is making the request "OPTIONS /"
> > >to nginx, and nginx is responding with a http 405, and you don't want
> > >nginx to do that.
> >
> > >What response do you want nginx to give to the request?
> >
> > Yes you are absolutely right I wanted nginx to stop that 405 response and
> > give the success response 200 or even 401 which I can confirm my proxy
> pass
> > and basic auth is working.
>
> After you decide what response you want nginx to give to the request,
> you can configure nginx to do that.
>
> In this case, if you want nginx to give a 401 if no valid credentials are
> provided, then you want something like auth_basic; if you want nginx to
> give a 200 if no valid credentials are provided, then you must not have
> something like auth_basic.
>
> > Also I think that 405 response is coming *from nginx itself *to the
> > external load balancer because external load balancer directly
> > communicating with the nginx (80) and also my upstream server (9091 port
> > server) is not a webapp it's just a binary file running inside docker
> > container.
>
> >From nginx's point of view, it does not matter what the upstream/back-end
> service is; it matters that it responds correctly to http requests.
>
> When I use a similar configuration to yours, I see the OPTIONS request
> being sent to the upstream and getting a 405 from there.
>
> > Anyway I thought to fix the OPTIONS method fix on the external load
> > balancer itself , and I logged in to my external load balancer configs
> > page and I changed the HTTP health checks using OPTIONS into *GET *
> > method.
> > ANd yeah now 405 error gone. But now I'm getting 401 responses , which
> > should be the correct response since I'm using a basic auth in my
> > nginx.conf file. Below is my nginx.conf FYI
>
> Good stuff.
>
> This says that, for any request starting with /metrics, nginx should
> check for valid credentials or return 401; and then pass the request to
> the upstream and return whatever it returns.
>
> > location /metrics {
> > proxy_pass http://127.0.0.1:9091/metrics;
>
> One small thing: because the end of the "proxy_pass" directive is
> exactly equal to the full "location" value, you could omit it from the
> "proxy_pass"; that is, you could instead use
>
> proxy_pass http://127.0.0.1:9091;
>
> but when what you have works, it works.
>
> Cheers,
>
> f
> --
> Francis Daly francis@daoine.org
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 1 Jun 2021 08:06:33 +0100
> From: Francis Daly <francis@daoine.org>
> To: nginx@nginx.org
> Subject: Re: Help: Using Nginx Reverse Proxy bypass traffic in to a
> application running in a container
> Message-ID: <20210601070633.GI11167@daoine.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Sat, May 29, 2021 at 07:46:40PM +0530, Amila Gunathilaka wrote:
>
> Hi there,
>
> > My concern is why nginx still gives 401 responses *unless *my nginx.conf
> > has a basic authentication user name and password file in the
> > location /etc/nginx/.htpasswd.
> >
> > It says still not authenticate my external client POST requests yet ?
> Any
> > thoughts?
>
> I'm not sure I understand your question.
>
> "auth_basic" says "for each each request to nginx, if the user/password in
> the request does not match something in the file, nginx should return 401"
>
> If you want nginx to do authentication checks, you want auth_basic and
> auth_basic_user_file, If you do not want nginx to do authentication checks,
> you do not want auth_basic.
>
> http://nginx.org/r/auth_basic
>
> (You can use "auth_basic off;" if you want one location{} not to use
> auth_basic that would be inherited from a surrounding context.)
>
> If that does not tell you what you want, could you explain again, please?
>
> Thanks,
>
> f
> --
> Francis Daly francis@daoine.org
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
> ------------------------------
>
> End of nginx Digest, Vol 140, Issue 1
> *************************************
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx