NGINX Troubleshooting

Validating Upstream Parameters

To validate the parameters passed to an upstream service, have the service dump the request, or temporarily intercept the request with another service. The echo service below dumps the headers it receives over both HTTP and HTTPS.

0640 root root docker-compose.yml
http-echo:
  image: mendhak/http-https-echo

location / {
   proxy_pass http://http-echo/;
}

Note

Headers will be dumped directly to the page.

Reference

Debug NGINX configs

NGINX has no built-in way to write log messages directly from configuration files. As a workaround, inject debugging headers in the configuration to expose the information. NGINX variables may be used in the header value.

add_header X-debug-message "some message to write $ssl_client_s_dn" always;

Headers are found in the page response, so every client receives them; remove the debugging headers once troubleshooting is done.

Reference

If is Evil

The if directive is part of the rewrite module and is inherently misunderstood.

Inside an if within a location block, the only safe operations are:

  • return.

  • rewrite.

All if operations must be explicitly tested for appropriate behavior. See the references for other “evil” examples.

Reference


Dump Loaded NGINX Configuration

Dump the currently loaded configuration in config file formatting. Useful for inspecting the current NGINX state.

nginx -T

Reference
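
The rule from “If is Evil” can be checked statically against the text that nginx -T prints. The following is an added example, not part of the original page or of NGINX: it reports every directive other than return or rewrite that sits in an if inside a location block. The function names and the sample configuration are constructed for illustration; quoted strings and ${var} are handled, backslash-escaped quotes are not.

```python
SAFE = {"return", "rewrite"}  # the two directives the page lists as safe inside if

def statements(text):  # yields (line_no, terminator, words) for each statement
    buf, quote, comment, line, start = "", None, False, 1, None
    for ch in text:
        if ch == "\n":
            line, comment = line + 1, False
        if comment:
            continue
        if quote:  # inside "...", '...' or ${...}: copy until the closer
            buf, quote = buf + ch, None if ch == quote else quote
        elif ch in "\"'" or (ch == "{" and buf.endswith("$")):
            quote = "}" if ch == "{" else ch
            start, buf = start or line, buf + ch
        elif ch == "#" and (not buf or buf[-1].isspace()):
            comment = True
        elif ch in ";{}":
            yield start or line, ch, buf.split()
            buf, start = "", None
        else:
            start, buf = start or (None if ch.isspace() else line), buf + ch

def audit_if_blocks(text):  # returns [(line_no, directive), ...] for unsafe uses
    stack, findings = [], []
    for line, end, words in statements(text):
        if end == "{":
            stack.append(words[0] if words else "")
        elif end == "}":
            del stack[-1:]
        elif words and words[0] not in SAFE and stack[-1:] == ["if"] and "location" in stack:
            findings.append((line, words[0]))
    return findings

# Constructed sample in the shape of `nginx -T` output (not from the page).
SAMPLE = r'''
server {
  if ($host = "old.example.test") { return 301 https://new.example.test$request_uri; }
  location / {
    if ($request_method = POST) { return 405; }
    if ($http_x_debug) {
      add_header X-debug-message "dn: $ssl_client_s_dn" always;
      proxy_pass http://http-echo;
    }
  }
}
'''

if __name__ == "__main__":
    print(audit_if_blocks(SAMPLE))
```

To audit a real host, pass the captured output of nginx -T to audit_if_blocks() and test each reported block by hand.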

NGINX Queries Originate from Wrong Gateway

NGINX exhibits this bug by forwarding/proxying all traffic over the default gateway of the named network that comes first in lexical order. This results in non-deterministic source IP routing.

Set an appropriate default gateway in the networking config.

Reference


Forward Traffic via Specific Interfaces

NGINX can forward traffic via specific interfaces for location definitions.

Use an IPv4 address in the proxy_bind directive for specific locations.

location / {
  proxy_bind {NGINX NETWORK IP};
  proxy_pass ...
}

Reference