Nginx config is causing too many redirects when using a variable in proxy pass. This is an attempt to use NGINX to reverse proxy to resources in a private subnet. The reverse proxy works fine when using the DNS record directly in proxy pass, yet when passing in a variable it causes too many redirects.
NGINX Config: Which DOES NOT WORK
server {
    listen 443 ssl;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;
    server_name $host;
    rewrite ^/$ https://$host/_dashboards redirect;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    set $domain_endpoint "${elasticsearch_endpoint}";
    set $cognito_endpoint "${cognito_host}";
    location /_dashboards {
        # Forward requests to Dashboards
        proxy_pass https://$domain_endpoint/_dashboards;
        # Handle redirects to Cognito
        proxy_redirect https://$cognito_endpoint https://$host;
        # Update cookie domain and path
        proxy_cookie_domain $domain_endpoint $host;
        proxy_cookie_path / /_dashboards/;
        # Response buffer settings
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
    location ~ \/(log|sign|fav|forgot|change|saml|oauth2) {
        # Forward requests to Cognito
        proxy_pass https://$cognito_endpoint;
        # Handle redirects to Dashboards
        proxy_redirect https://$domain_endpoint https://$host;
        # Update cookie domain
        proxy_cookie_domain $cognito_endpoint $host;
    }
}
The only difference for a working config is that the proxy_pass under the first location /_dashboards is given the DNS record directly, like so:
    location /_dashboards {
        # Forward requests to Dashboards
        proxy_pass https://vpc-aws-blah-blah-blah.com/_dashboards;
When viewing network traffic in the browser, the requests appear to be the same. It makes an initial POST request to a login endpoint with a redirect_uri in the URL parameters.
The difference is that after the initial POST the working version makes one GET request, while the non-working version makes repeated GET requests.
CodePudding user response:
From the documentation:
If the proxy_pass directive is specified with a URI, then when a request is passed to the server, the part of a normalized request URI matching the location is replaced by a URI specified in the directive
You have /_dashboards in both the location and proxy_pass, therefore the replacement changes nothing. So you can remove the optional URI part from the proxy_pass statement.
Also, in the same document:
When variables are used in proxy_pass ..., if URI is specified in the directive, it is passed to the server as is, replacing the original request URI.
So, when you started using variables, if the original request was /_dashboards/foo, the upstream server would only ever receive /_dashboards.
The simplest solution was to remove /_dashboards from the proxy_pass statement.
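The two documentation rules quoted in the answer, as a simplified model of the path nginx sends upstream for a prefix location. This is an added example, not code from the original post or from nginx; `directive_uri`, `upstream_path` and `compare` are hypothetical helper names, the request paths are constructed, and only the path (not the query string) is modelled.

```python
def directive_uri(proxy_pass):
    """Return the URI part of a proxy_pass value ('' when it has none)."""
    rest = proxy_pass.split("://", 1)[1]
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else ""


def upstream_path(location_prefix, proxy_pass, request_path):
    """Simplified model: path sent upstream for a matching prefix location."""
    if not request_path.startswith(location_prefix):
        raise ValueError("request does not match this location")
    uri = directive_uri(proxy_pass)
    if not uri:
        # No URI part: the client's request path is forwarded unchanged.
        return request_path
    if "$" in proxy_pass:
        # Variables plus a URI part: the URI is sent as is,
        # replacing the original request path.
        return uri
    # Literal value with a URI part: the matched location prefix is replaced.
    return uri + request_path[len(location_prefix):]


# Constructed sample requests hitting "location /_dashboards".
REQUESTS = ["/_dashboards", "/_dashboards/foo", "/_dashboards/app/home"]

# proxy_pass values: the two from the question, plus the answer's fix.
CONFIGS = {
    "literal + URI (works)": "https://vpc-aws-blah-blah-blah.com/_dashboards",
    "variable + URI (redirect loop)": "https://$domain_endpoint/_dashboards",
    "variable, no URI (fix)": "https://$domain_endpoint",
}


def compare():
    """Map each proxy_pass variant to the upstream path for every sample request."""
    return {
        label: [upstream_path("/_dashboards", value, r) for r in REQUESTS]
        for label, value in CONFIGS.items()
    }


if __name__ == "__main__":
    for label, paths in compare().items():
        print(f"{label:32} -> {paths}")
```

With the variable and the URI part together, every request collapses to `/_dashboards` upstream, which is consistent with the repeated GET requests seen in the browser.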
