Nginx 0.8.14 - cookie / proxy_pass issue

Hey Guys,

I see the following on the nginx server by going to
http://virtual_ip_on_ngix; however, the cookie headers are never
passed to the client's browser. I can see the headers in the http proxy
header but my Firefox browser never sees the cookies (I do see the
cookie with __utma* ones but not the cookie that is GCD, PHPSESSID,
session2)

Any ideas? Topology is: client --> virtual ip on nginx proxy -->
proxy_pass to origin -->

Log file:

2009/09/17 17:01:08 [debug] 4087#0: *192 http script copy: "Connection: close
"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.14) Gecko/2009082706 Firefox/3.0.14"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "Accept-Language: en-us,en;q=0.5"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "Accept-Encoding: gzip,deflate"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: "Cookie: payam; __utma=182747233.1236263871.1253228942.1253228942.1253231200.2; __utmc=182747233; __utmz=182747233.1253228942.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=182747233.4.10.1253231200; GCD=Z6SV699O; PHPSESSID=fa4326f19f65c889ee383a879a410116; session2=59e5538b72f46538f80cf8521b3dc014"
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header:
"GET / HTTP/1.0
Host: 69.172.200.17
X-Real-IP: 70.68.178.133
X-Forwarded-For: 70.68.178.133
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.14) Gecko/2009082706 Firefox/3.0.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: payam; __utma=182747233.1236263871.1253228942.1253228942.1253231200.2; __utmc=182747233; __utmz=182747233.1253228942.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=182747233.4.10.1253231200; GCD=Z6SV699O; PHPSESSID=fa4326f19f65c889ee383a879a410116; session2=59e5538b72f46538f80cf8521b3dc014

"
2009/09/17 17:01:08 [debug] 4087#0: *192 http cleanup add: 094FED34
2009/09/17 17:01:08 [debug] 4087#0: *192 get rr peer, try: 1
2009/09/17 17:01:08 [debug] 4087#0: *192 socket 76
2009/09/17 17:01:08 [debug] 4087#0: *192 epoll add connection: fd:76
ev:80000005
2009/09/17 17:01:08 [debug] 4087#0: *192 connect to 174.143.25.223:80,
fd:76 #2021
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream connect: -2
2009/09/17 17:01:08 [debug] 4087#0: *192 event timer add: 76:
300000:3396885177
2009/09/17 17:01:08 [debug] 4087#0: *192 http run request: “/?”
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream check client,
write event:1, “/”
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream recv(): -1 (11:
Resource temporarily unavailable)
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream request: “/?”
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream send request
handler
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream send request
2009/09/17 17:01:08 [debug] 4087#0: *192 chain writer buf fl:1 s:725
2009/09/17 17:01:08 [debug] 4087#0: *192 chain writer in: 094FED50
2009/09/17 17:01:08 [debug] 4087#0: *192 writev: 725
2009/09/17 17:01:08 [debug] 4087#0: *192 chain writer out: 00000000
2009/09/17 17:01:08 [debug] 4087#0: *192 event timer del: 76: 3396885177
2009/09/17 17:01:08 [debug] 4087#0: *192 event timer add: 76:
300000:3396885218

==>
/var/log/nginx/69.172.200.17_ypf_http_thathostingplace_www.gametimezone.com.access.log
<==
70.68.178.133 - - [17/Sep/2009:17:01:08 -0700] “GET / HTTP/1.1” “200”
5524 “-”“Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.0.14) Gecko/2009082706 Firefox/3.0.14” “-”

==>
/var/log/nginx/69.172.200.17_ypf_http_thathostingplace_www.gametimezone.com.error.log
<==
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream request: “/?”
2009/09/17 17:01:08 [debug] 4087#0: *192 http upstream process header
2009/09/17 17:01:08 [debug] 4087#0: *192 malloc: 096D3150:16384
2009/09/17 17:01:08 [debug] 4087#0: *192 recv: fd:76 1448 of 16339
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy status 200 “200 OK”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: “Date:
Thu, 17 Sep 2009 23:58:44 GMT”
2009/09/17 17:01:08 [debug] 4087#0: *192 malloc: 09506628:4096
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: “Server:
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c
mod_perl/2.0.2 Perl/v5.8.8”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header:
“X-Powered-By: PHP/5.2.0-8+etch15”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header:
“Set-Cookie: GCD=Z6SV699O; expires=Mon, 16-Nov-2009 23:58:44 GMT;
path=/”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: “Expires:
Sat, 26 Jul 1997 05:00:00 GMT”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header:
“Cache-Control: no-cache, must-revalidate”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: “Pragma:
no-cache”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header: “Connection:
close”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header:
“Content-Type: text/html; charset=UTF-8”
2009/09/17 17:01:08 [debug] 4087#0: *192 http proxy header done
2009/09/17 17:01:08 [debug] 4087#0: *192 HTTP/1.1 200 OK
Server: nginx/0.7.54
Date: Fri, 18 Sep 2009 00:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: GCD=Z6SV699O; expires=Mon, 16-Nov-2009 23:58:44 GMT; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Encoding: gzip

If I go to http://origin_ip_server all proper cookies are applied to
the header and the client side can see all cookies.

nginx.conf

http {
include proxy.conf;
include mime.types;
include cache.conf;
include rate-limit.conf;
include con-limit.conf;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '"$status" $body_bytes_sent "$http_referer"'
                '"$http_user_agent" "$http_x_forwarded_for"';

include /etc/nginx/sites-enabled/conf/*.conf;
include /etc/nginx/servers/*http_server.conf;


    sendfile        on;
    tcp_nodelay        off;
    keepalive_timeout  300;

send_timeout 90;
client_body_timeout 60;
client_header_timeout 60;

client_header_buffer_size 1k;
large_client_header_buffers 4 4k;

proxy.conf

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_buffer_size 16k;
proxy_buffers 32 4k;
proxy_busy_buffers_size 64k;

Any help would be greatly appreciated as I cannot locate the issue
at this point.

versions verified the issue with:

nginx-0.8.14 - down to 8.05
nginx-0.7.62
nginx-0.7.61
nginx-0.7.60

confirmed working versions:
nginx-0.7.54 - up to nginx-0.7.59
nginx-0.8.0

working example:
UnclePiemanss-MacBook-2:~ payam$ wget -S -v http://69.172.200.17/
--18:16:38--  http://69.172.200.17/
           => `index.html.119'
Connecting to 69.172.200.17:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Fri, 18 Sep 2009 01:19:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: GCD=URTDQW4I; expires=Tue, 17-Nov-2009 01:16:39 GMT;
path=/
Set-Cookie: PHPSESSID=45f6fdf9e53cfa9fe415a949501c088a; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: session2=8c0e63311310a925e3c5cc59349cef25; expires=Wed,
18-Sep-2019 13:16:39 GMT; path=/
Length: unspecified [text/html]

[ <=>
                                ] 16,081        --.--K/s

18:16:39 (168.53 KB/s) - `index.html.119' saved [16081]

non-working example:
UnclePiemanss-MacBook-2:~ payam$ wget -S -v http://69.172.200.17/
--18:16:20--  http://69.172.200.17/
           => `index.html.118'
Connecting to 69.172.200.17:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.7.60
Date: Fri, 18 Sep 2009 01:18:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Length: unspecified [text/html]

[ <=>
                                ] 16,081        --.--K/s

18:16:21 (136.66 KB/s) - `index.html.118' saved [16081]

Perhaps something has changed in the versions that the testing failed
in… not too sure

Thanks,

On Thu, Sep 17, 2009 at 06:19:14PM -0700, Payam C. wrote:

versions verified the issue with:

nginx-0.8.14 - down to 8.05
nginx-0.7.62
nginx-0.7.61
nginx-0.7.60

confirmed working versions:
nginx-0.7.54 - to up nginx-0.7.59
nginx-0.8.0

Do you have proxy_cache in this location?

Changes with nginx 0.8.1                                          08 Jun 2009

Changes with nginx 0.7.60                                         15 Jun 2009

*) Bugfix: the "Set-Cookie" and "P3P" response header lines were not
   hidden while caching if no "proxy_hide_header/fastcgi_hide_header"
   directives were used with any parameters.

Hey Igor,

Yes, here is the last bits:
proxy_pass http://LB_HTTP_x.x.x.x;
proxy_intercept_errors on;
proxy_cache one;
proxy_cache_key x.x.x.x$request_uri;
proxy_cache_valid 200 1h;
proxy_cache_valid 404 5m;
proxy_cache_use_stale error timeout invalid_header;

Under the new 8.14 and 7.62 versions, what would I need to do in order
to accept those cookies and not strip them?

Thanks
Payam T Chychi

2009/9/19 Igor S. [email protected]:


Thanks,

Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Igor S.
Igor Sysoev

Hey Igor,

let me check my configs tomorrow,

hi, can anyone help me with this please?

thanks
-Payam

---------- Forwarded message ----------
From: Payam C. [email protected]
Date: Thu, Sep 17, 2009 at 5:04 PM
Subject: Nginx 0.8.14 - cookie / proxy_pass issue
To: [email protected]



Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

Any updates on this? I work with Payam, and if we update to newer
version of nginx, we cannot get cookies passing to the upstream. Any
assistance would be greatly appreciated. Thanks.

Posted at Nginx Forum:

Hello!

On Wed, Nov 18, 2009 at 05:20:24AM -0500, Nam wrote:

Any updates on this? I work with Payam, and if we update to newer version of nginx, we cannot get cookies passing to the upstream. Any assistance would be greatly appreciated. Thanks.

What updates? Proxy cache hides cookies by default, if you want to
pass them to client - use proxy_pass_header.

Maxim D.

Thanks Igor, That appears to have taken care of it. Appreciate the help.

Posted at Nginx Forum:

On Wed, Nov 18, 2009 at 05:20:24AM -0500, Nam wrote:

Any updates on this? I work with Payam, and if we update to newer version of nginx, we cannot get cookies passing to the upstream. Any assistance would be greatly appreciated. Thanks.

You should allow explicitly to pass cookies from the upstream to a
client:

 proxy_pass_header  Set-Cookie;
 proxy_pass_header  P3P;
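
The fix from the replies, placed in the cached location Payam posted, as an added example that is not part of the original thread. It also keeps cookie-setting responses out of the shared cache, because a stored response would replay its Set-Cookie line (PHPSESSID included) to every later visitor. Assumptions: the `location /` wrapper, and an nginx release that provides `proxy_no_cache` and `proxy_cache_bypass`, which is later than the 0.8.14 discussed here.

```nginx
# Added example (not from the thread). The upstream name, cache zone "one"
# and the cache key are the values Payam posted; "location /" is assumed.
location / {
    proxy_pass               http://LB_HTTP_x.x.x.x;
    proxy_intercept_errors   on;

    proxy_cache              one;
    proxy_cache_key          x.x.x.x$request_uri;
    proxy_cache_valid        200 1h;
    proxy_cache_valid        404 5m;
    proxy_cache_use_stale    error timeout invalid_header;

    # The caching code hides these two response headers by default
    # (see the 0.7.60 changelog entry quoted above); pass them explicitly.
    proxy_pass_header        Set-Cookie;
    proxy_pass_header        P3P;

    # Never store a response that sets a cookie, or one requested by a
    # client that already holds a session cookie. Otherwise the first
    # visitor's Set-Cookie line would be served from the cache to others.
    proxy_no_cache           $upstream_http_set_cookie
                             $cookie_PHPSESSID $cookie_session2;

    # Requests that already carry a session cookie go to the origin
    # instead of being answered from the cache.
    proxy_cache_bypass       $cookie_PHPSESSID $cookie_session2;
}
```

To check the result, repeat the `wget -S` test from the thread twice in a row: both responses should carry `Set-Cookie` lines, and the PHPSESSID value should differ between them.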