nginx is redirecting to wrong server context

2023-11-15 Thread Raman Meenakshisundaram via nginx
Hi
I am trying to download a docker image through nginx, and found that it is 
always redirecting to the first server configured in the nginx.conf file.

I am running "podman pull --tls-verify=false 
mcr.itt.aws.orpd.com.au/devcontainers/python:dev-3.9-buster", but the request 
is wrongly going to docker-alice.itt.aws.oprd.com.au

We have already set up the Route 53 record in AWS.

Below is the nginx.conf file content:


# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

# Main context: worker identity, process count and limits, pid and log paths.

# Worker processes run as this account.
user nginx;

# Fixed worker count; the automatic setting is kept for reference.
#worker_processes auto;
worker_processes 4;

# Open-file limit applied to each worker process.
worker_rlimit_nofile 4096;

pid /run/nginx.pid;

# No level is given, so the default level (error) applies.
error_log /var/log/nginx/error.log;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    # Maximum simultaneous connections per worker process. The count covers
    # connections to proxied servers as well as connections from clients.
    worker_connections 4096;
}

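http {

    # Timeouts (seconds) towards the proxied backend.
    proxy_send_timeout    120;
    proxy_read_timeout    300;
    proxy_connect_timeout 300;

    # Pass responses and request bodies through without buffering.
    # (The posted text had lost the space before "off".)
    proxy_buffering         off;
    proxy_request_buffering off;

    # allow large uploads of files
    client_max_body_size 1G;
    keepalive_timeout    5 5;
    # (The posted text had lost the space before "on".)
    tcp_nodelay          on;

    # Evaluates to 'registry/2.0' when the upstream response has no
    # Docker-Distribution-Api-Version header, and to an empty string otherwise.
    # Nothing in this http block references $docker_distribution_api_version,
    # so as posted the map has no effect.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    # No listen directive in this block carries default_server, so this first
    # server is the default for ports 80 and 443: a request whose Host matches
    # no server_name is handled, and proxied, here.
    # NOTE(review): if silently serving unmatched hosts from this registry is
    # not intended, consider a dedicated catch-all default server that rejects
    # them instead.
    server {
        listen 443 ssl;
        listen 80;
        server_name docker-alice.itt.aws.oprd.com.au;

        # The file names suggest a self-signed wildcard certificate; clients can
        # only verify it if they have been told to trust it explicitly.
        ssl_certificate     /etc/nginx/ssl/selfsigned_wildcard_san_cert.crt;
        ssl_certificate_key /etc/nginx/ssl/privatekey_selfsigned_wildcard_san.pem;

        # Docker /v2 and /v1 (for search) requests
        # proxy_pass below uses a variable, so the backend name is resolved at
        # request time through this resolver.
        resolver 10.78.128.2:53 valid=300s ipv6=off;
        resolver_timeout 10s;

        location /v2 {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): hard-coded although this server also listens on
            # plain port 80; $scheme would report what the client really used,
            # unless TLS is terminated in front of nginx.
            proxy_set_header X-Forwarded-Proto "https";
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/repository/proxy-to-nonprod-hosted$request_uri;
            #proxy_pass https://nexus.itt.aws.oprd.com.au/repository/proxy-to-nonprod-hosted/$request_uri;
        }

        location /v1 {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
            # NOTE(review): the posted config spelled this host "...orpd..." in
            # the /v1 locations only; aligned with the other locations here.
            # Confirm the real backend name.
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/repository/proxy-to-nonprod-hosted$request_uri;
            #proxy_pass https://nexus.itt.aws.oprd.com.au/repository/proxy-to-nonprod-hosted/$request_uri;
        }

        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/;
            #proxy_pass https://nexus.itt.aws.oprd.com.au/;
        }
    }

    # Selected only when the request's Host equals this server_name exactly.
    # NOTE(review): the pull command posted with this config addresses
    # "mcr.itt.aws.orpd.com.au" (orpd), which does not match the server_name
    # below (oprd). If the client really sends that spelling, the request falls
    # through to the default server above.
    server {
        listen 443 ssl;
        listen 80;
        server_name mcr.itt.aws.oprd.com.au;

        ssl_certificate     /etc/nginx/ssl/selfsigned_wildcard_san_cert.crt;
        ssl_certificate_key /etc/nginx/ssl/privatekey_selfsigned_wildcard_san.pem;

        # Docker /v2 and /v1 (for search) requests
        resolver 10.78.128.2:53 valid=300s ipv6=off;
        resolver_timeout 10s;

        location /v2 {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/repository/mcr-proxy$request_uri;
        }

        location /v1 {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
            # NOTE(review): spelled "...orpd..." in the posted config; aligned
            # with the other locations here. Confirm the real backend name.
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/repository/mcr-proxy$request_uri;
        }

        location / {
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
            set $backend "nexus.itt.aws.oprd.com.au";
            proxy_pass https://$backend/;
            #proxy_pass https://nexus.itt.aws.oprd.com.au/;
        }
    }
}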


Re: nginx is redirecting to wrong server context

2023-11-15 Thread Jeremy Cocks via nginx
Hello

> and found that it is always redirecting to the first server configured in
the nginx.conf file.

This is expected behaviour when you have not defined a default_server or
when your request does not carry the appropriate Host header (you have not
said how the HTTP client you are using is configured).

The default behaviour is defined here:
https://nginx.org/en/docs/http/request_processing.html
> In this configuration nginx tests only the request’s header field “Host”
to determine which server the request should be routed to. If its value
does not match any server name, or the request does not contain this header
field at all, then nginx will route the request to the default server for
this port. In the configuration above, the default server is the first
one — which is nginx’s standard default behaviour. It can also be set
explicitly which server should be default, with the default_server parameter
in the listen directive.



I am assuming you want the default to be:
mcr.itt.aws.oprd.com.au


thus change the listen parameters on its server block:

server {
    # default_server makes this block answer requests on the port whose Host
    # matches no server_name. A client that sends a wrong or missing host name
    # is then served from here; the mismatch itself is not corrected.
    listen 443 ssl default_server;
    listen 80 default_server;
    server_name mcr.itt.aws.oprd.com.au;

    # … remaining directives of this server block unchanged …
}

Cheers
J

On Wed, 15 Nov 2023 at 23:44, Raman Meenakshisundaram via nginx <
nginx@nginx.org> wrote:

> Hi
>
> I am trying to download a docker image through nginx, and found that it is
> always redirecting to the first server configured in the nginx.conf file.
>
>
>
> I am doing a podman pull "podman pull --tls-verify=false
> mcr.itt.aws.orpd.com.au/devcontainers/python:dev-3.9-buster" but it is
> wrongly going to docker-alice.itt.aws.oprd.com.au
>
>
>
> We have setup route53 record in AWS already.
>
>
>
> Below is the nginx.conf file content:
>
>
> 
>
>
>
> For more information on configuration, see:
>
> #   * Official English Documentation: http://nginx.org/en/docs/
>
> #   * Official Russian Documentation: http://nginx.org/ru/docs/
>
>
>
> user nginx;
>
> #worker_processes auto;
>
> worker_processes 4;
>
> worker_rlimit_nofile 4096;
>
> error_log /var/log/nginx/error.log;
>
> pid /run/nginx.pid;
>
>
>
> # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
>
> include /usr/share/nginx/modules/*.conf;
>
>
>
> events {
>
> worker_connections 4096;
>
> }
>
>
>
> http {
>
>
>
>   proxy_send_timeout 120;
>
>   proxy_read_timeout 300;
>
>   proxy_connect_timeout 300;
>
>   proxy_bufferingoff;
>
>   proxy_request_buffering off;
>
>   # allow large uploads of files
>
>   client_max_body_size 1G;
>
>   keepalive_timeout  5 5;
>
>   tcp_nodelayon;
>
>
>
>   map $upstream_http_docker_distribution_api_version
> $docker_distribution_api_version {
>
> '' 'registry/2.0';
>
>   }
>
>
>
> server {
>
>listen 443 ssl;
>
>listen 80;
>
>server_name docker-alice.itt.aws.oprd.com.au;
>
>
>
> ssl_certificate /etc/nginx/ssl/selfsigned_wildcard_san_cert.crt;
>
> ssl_certificate_key
> /etc/nginx/ssl/privatekey_selfsigned_wildcard_san.pem;
>
>
>
># Docker /v2 and /v1 (for search) requests
>
>resolver 10.78.128.2:53 valid=300s ipv6=off;
>
>resolver_timeout 10s;
>
>
>
>location /v2 {
>
>  proxy_set_header Host $host:$server_port;
>
>  proxy_set_header X-Real-IP $remote_addr;
>
>  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>  proxy_set_header X-Forwarded-Proto "https";
>
>  set $backend "nexus.itt.aws.oprd.com.au";
>
>  proxy_pass
> https://$backend/repository/proxy-to-nonprod-hosted$request_uri;
>
> #proxy_pass
> https://nexus.itt.aws.oprd.com.au/repository/proxy-to-nonprod-hosted/$request_uri
> ;
>
>}
>
>location /v1 {
>
>  proxy_set_header Host $host:$server_port;
>
>  proxy_set_header X-Real-IP $remote_addr;
>
>  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>  proxy_set_header X-Forwarded-Proto "https";
>
>  set $backend "nexus.itt.aws.orpd.com.au";
>
>  proxy_pass
> https://$backend/repository/proxy-to-nonprod-hosted$request_uri;
>
> #proxy_pass
> https://nexus.itt.aws.oprd.com.au/repository/proxy-to-nonprod-hosted/$request_uri
> ;
>
>}
>
>location / {
>
>  proxy_set_header Host $host:$server_port;
>
>  proxy_set_header X-Real-IP $remote_addr;
>
>  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>  proxy_set_header X-Forwarded-Proto "https";
>
>  set $backend "nexus.itt.aws.oprd.com.au";
>
>  proxy_pass https://$backend/;
>
> #proxy_pass https://nexus.itt.aws.oprd.com.au/;
>
>}
>
> }
>
> server {
>
>listen 443 ssl;
>
>listen 80;
>
>server_name mcr.itt.aws.oprd.com.au;
>
>
>
> ssl_certificate /etc/nginx/ssl/selfsigned_wildcard_san_cert.crt;
>
> ssl_certificate_key
> /etc/nginx/ssl/privatekey_selfsigned_wildcar