
How to stop nginx resolving the target path?


My use case requires nginx to rewrite the target url, converting the last segment of the request uri to the target service port which is accessed by a wireguard vpn. This next config version works fine. That is, my backend hosted app is published ok, but the auth_request directive is ignored =>

  location /publish {
    auth_request /auth;

    rewrite ^/publish/([0-9]+) http://10.11.2.3:$1;
    proxy_http_version 1.1;
  }

I've proven the auth service is working fine. I'm stuck trying to resolve the target url which requires a port but no path.

  location ~ ^/publish/([0-9]+)$ {
    auth_request /auth;

    proxy_pass http://10.11.2.3:$1/;
    proxy_http_version 1.1;
  }

This config fails because my backend service rejects the trailing slash. Error log =>

(111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: api.myservice.com, request: "GET /publish/5500 HTTP/1.1", upstream: "http://10.11.2.3:5500/"

If I change the above config to proxy_pass http://10.11.2.3:$1; then, as expected, the full uri path is appended. Error detail => upstream: http://10.11.2.3:5500/publish/5500

I've also tried combining rewrite with break followed by proxy_pass =>

  location /publish/ {
    auth_request /auth;

    rewrite ^/publish/([0-9]+)$ $1 break;
    proxy_pass http://10.11.2.3:$1;
    proxy_http_version 1.1;
  }

This almost works except that the numeric uri is appended because I can't apply a trailing slash on the proxy_pass url. Error log =>

(111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: api.myservice.com, request: "GET /publish/5500 HTTP/1.1", upstream: "http://10.11.2.3:55005500"

Any ideas? proxy_redirect?

Maxim Dounin
In HTTP, an empty path is equivalent to `/`, so what you are trying to configure looks strange. Further, all your configuration snippets fail due to a connection failure, note `(111: Connection refused) while connecting to upstream`, and not due to an incorrect path being used. First of all, you may want to clarify what you are trying to do. Do you want nginx to return a redirect, as in your first config snippet? Or do you want to configure proxying, as in other snippets?
pmg7670
@MaximDounin - the first snippet shows that I can publish my backend app using the rewrite method, but the auth_request is ignored. My backend creates a containerized web app on demand and so the port is dynamically assigned. Since it is a service I need to authenticate my user by JWT validation. I need a proxy_pass solution because apparently that's the only way auth_redirect will work.
pmg7670
@MaximDounin Could I define a nested location which would inherit the regex result $1? The location is easily matched exactly without regex, so then I won't have to deal with the URI problem. Eg ```location = /pub/ { auth_request /auth; proxy_pass http://10.11.2.3:$1; }``` Typo correction above => apparently that's the only way auth_request will work.
Maxim Dounin
The first snippet returns a redirect, exposing the returned URL directly to the client. This doesn't check `auth_request`, since rewrites happen when [selecting a location](https://nginx.org/en/docs/http/ngx_http_rewrite_module.html), before any access checks. If you want nginx to return a redirect after checking authentication, you can do so by any content module - proxying to a backend which will return a redirect is a valid way to do this, but you need a backend to return a redirect. Note though that clients will access returned URL without any checks on nginx side.
pmg7670
@MaximDounin Think my best option is to run the container service behind nginx on the backend. This means I have a double reverse proxy setup. The first handles auth by JWT validation and is my VPN proxy. The second runs on my VPN backend server and handles the port rewrite for accessing local containerized apps without any insecurity.
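
The proxying form discussed in this thread, written out as an added example (not code from any participant): `auth_request` runs in the access phase, so it is checked here, unlike in the `rewrite` snippet that returns a redirect. The port range 5000-5999, the `/verify` endpoint on `127.0.0.1:9000` and the `X-Original-URI` header are assumptions for illustration; both blocks go inside the existing `server` block.

```nginx
# Added example. Assumed values: port range 5000-5999, auth service address.

# Only /publish/<port> with a port in the assumed range matches. A bare
# [0-9]+ would let any authenticated client reach every TCP port on the
# VPN host, so the capture is limited to the ports the containers use.
location ~ ^/publish/(5[0-9][0-9][0-9])$ {
    # Access phase: the subrequest must return 2xx for the request to
    # continue; 401 or 403 from it is returned to the client.
    auth_request /auth;

    # With a variable in proxy_pass, the URI part given here ("/") is sent
    # to the upstream as is, replacing the original /publish/<port> URI.
    proxy_pass http://10.11.2.3:$1/;
    proxy_http_version 1.1;
}

location = /auth {
    # Not reachable by clients directly, only through auth_request.
    internal;

    # Placeholder address of the JWT validation service.
    proxy_pass http://127.0.0.1:9000/verify;

    # The subrequest carries headers only, so drop the request body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Assumed header name: lets the auth service see which port was asked for.
    proxy_set_header X-Original-URI $request_uri;
}
```

A `(111: Connection refused)` entry with this configuration still means that nothing accepted the connection on that port of `10.11.2.3` from the nginx host, independent of the path sent.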