 

Verify if nginx is working correctly with Proxy Protocol locally

Environment

I have set up Proxy Protocol support on an AWS classic load balancer as shown here which redirects traffic to backend nginx (configured with ModSecurity) instances.

Everything works great and I can hit my websites from the open internet.

Now, since my nginx configuration is done in AWS User Data, I want to do some checks before the instance starts serving traffic which is achievable through AWS Lifecycle hooks.

Problem

Before enabling proxy protocol I used to check whether my nginx instance is healthy, and ModSecurity is working, by checking for a 403 response from this command:

$ curl -ks "https://localhost/foo?username=1'%20or%20'1'%20=%20'"

After enabling Proxy Protocol, I can't do this anymore, as the command fails with the error below, which is expected as per this link.

# curl -k https://localhost -v
* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

# cat /var/logs/nginx/error.log
2017/10/26 07:53:08 [error] 45#45: *5348 broken header: "���4"�U�8ۭ򫂱�u��%d�z��mRN�[e��<�,�
�+̩�    �0��/̨��98k�̪32g�5=�/<
" while reading PROXY protocol, client: 172.17.0.1, server: 0.0.0.0:443

What other options do I have to programmatically check nginx apart from curl? Maybe something in some other language?

vikas027 asked Oct 26 '17 08:10




1 Answer

You can use the --haproxy-protocol curl option, which adds the extra proxy protocol info to the request.

curl --haproxy-protocol localhost

So:

curl --haproxy-protocol -ks "https://localhost/foo?username=1'%20or%20'1'%20=%20'"
tongueroo answered Oct 31 '22 14:10
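
The question also asks for an option other than curl. As an added example (not part of the original question or answer), this Python check writes the PROXY protocol v1 line in cleartext before the TLS handshake, which is the order an nginx proxy_protocol listener reads it in, and then looks for the 403 from ModSecurity. The function names and defaults are assumptions made for the example.

```python
import ipaddress
import socket
import ssl

def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Build the human-readable PROXY protocol v1 line that precedes all other bytes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

def parse_status(response):
    """Return the HTTP status code from the first line of a raw response."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    return int(parts[1])

def check(host="127.0.0.1", port=443, path="/", expect=403, timeout=5):
    """PROXY header in cleartext first, then TLS and one GET on the same socket."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # same trust decision as curl -k; local probe only
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        laddr, lport = raw.getsockname()[:2]
        raddr, rport = raw.getpeername()[:2]
        raw.sendall(proxy_v1_header(laddr, raddr, lport, rport))
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            request = f"GET {path} HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            data = b""
            while b"\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_status(data) == expect

if __name__ == "__main__":
    # Same probe as in the question: ModSecurity is expected to answer 403.
    ok = check(path="/foo?username=1'%20or%20'1'%20=%20'")
    raise SystemExit(0 if ok else 1)
```

The exit status (0 when the expected 403 comes back, non-zero otherwise) can be used directly by the lifecycle hook script.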