We run a API web service and have two web sites that access the web service via
AJAX. The web sites are accessed via HTTPS and, for security reasons, we need
to have the API web service also accessed by HTTPS. Due to the need to support
the IE9 browser, which does not properly support CORS, we are unable to have
the web applications on our web servers configured to access the API web
service through a different hostname than the hostnames of the two web sites.
Consequently, we trick IE9 into thinking the origin host (web site) and
destination host (API service) are on the same host and proxy requests from the
web sites to the web service via proxy_pass. Unfortunately, since the API web
service must be accessed by HTTPS, nginx has to establish an SSL session with
the API web service, because we cannot proxy to HTTP. Our config looks
something like this — for simplicity I only show one of the web sites nginx
config.
server {
listen 443;
server_name app.example.com; // this is the web application
server_tokens off;
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
// this URL pattern is interpreted as meaning: forward the request to the web
service running on another host
location /svc/api/ {
proxy_pass https://svc.example.com/api/; // this is the web
service running on another host
proxy_set_header Host svc.example.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
Location / {
// normal web site access here
}
…
}
This works fine. However, every once in a while (say, every week or so),
traffic to https://app.example.com/svc/api/xxxx returns gateway 502 errors.
The API service (located at https://svc.example.com/api) is working fine and is
accessible directly. However, through the proxy setup (above), nginx will not
pass traffic. Simply restarting nginx gets it working again for another week
or so, only to have it get into the same state again some random interval later.
Does anyone have any ideas what might be causing nginx to fail to proxy traffic
when no changes to the configuration have been made and the backend service is
functioning normally?
Since I anticipate some will want to tell me that proxying to HTTPS is a bad
idea, please realize we do not have the luxury of talking to the backend
service (which lives on the Internet and is accessed by multiple parties) via
HTTP. Also, yes, I realize that the proxy_set_header stuff probably has no
useful effect with HTTPS proxying.
Thanks much in advance. — Eric
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx