We run a API web service and have two web sites that access the web service via 
AJAX. The web sites are accessed via HTTPS and, for security reasons, we need 
to have the API web service also accessed by HTTPS.  Due to the need to support 
the IE9 browser, which does not properly support CORS, we are unable to have 
the web applications on our web servers configured to access the API web 
service through a different hostname than the hostnames of the two web sites.  
Consequently, we trick IE9 into thinking the origin host (web site) and 
destination host (API service) are on the same host and proxy requests from the 
web sites to the web service via proxy_pass.  Unfortunately, since the API web 
service must be accessed by HTTPS, nginx has to establish an SSL session with 
the API web service, because we cannot proxy to HTTP.  Our config looks 
something like this — for simplicity I only show one of the web sites nginx 
config.

    server {
       listen       443;
       server_name  app.example.com;     // this is the web application
       server_tokens off;

       ssl                  on;
       ssl_certificate      cert.pem;
       ssl_certificate_key  cert.key;

       ssl_session_timeout  5m;

       ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers   on;

// this URL pattern is interpreted as meaning: forward the request to the web 
service running on another host
        location /svc/api/ {
                 proxy_pass https://svc.example.com/api/;   // this is the web 
service running on another host
                 proxy_set_header Host svc.example.com;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto https;
        }

Location / {
// normal web site access here
        }
   …
  }

This works fine.  However, every once in a while (say, every week or so), 
traffic to https://app.example.com/svc/api/xxxx returns gateway 502 errors.  
The API service (located at https://svc.example.com/api) is working fine and is 
accessible directly.  However, through the proxy setup (above), nginx will not 
pass traffic.  Simply restarting nginx gets it working again for another week 
or so, only to have it get into the same state again some random interval later.

Does anyone have any ideas what might be causing nginx to fail to proxy traffic 
when no changes to the configuration have been made and the backend service is 
functioning normally?

Since I anticipate some will want to tell me that proxying to HTTPS is a bad 
idea, please realize we do not have the luxury of talking to the backend 
service (which lives on the Internet and is accessed by multiple parties) via 
HTTP.  Also, yes, I realize that the proxy_set_header stuff probably has no 
useful effect with HTTPS proxying.

Thanks much in advance.  — Eric

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to