We run an API web service and have two web sites that access the web
service via AJAX. The web sites are accessed via HTTPS and, for security
reasons, we need to have the API web service also accessed by HTTPS.
Due to the need to support the IE9 browser, which does not properly
support CORS, we are unable to have the web applications on our web
servers configured to access the API web service through a different
hostname than the hostnames of the two web sites. Consequently, we
trick IE9 into thinking the origin host (web site) and destination host
(API service) are on the same host and proxy requests from the web sites
to the web service via proxy_pass. Unfortunately, since the API web
service must be accessed by HTTPS, nginx has to establish an SSL session
with the API web service, because we cannot proxy to HTTP. Our config
looks something like this; for simplicity I only show one of the web
sites' nginx config.
server {
    listen 443;
    server_name app.example.com;    # this is the web application
    server_tokens off;
    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # this URL pattern is interpreted as meaning: forward the request to
    # the web service running on another host
    location /svc/api/ {
        proxy_pass https://svc.example.com/api/;    # this is the web service running on another host
        proxy_set_header Host svc.example.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        # normal web site access here
    }
}
This works fine. However, every once in a while (say, every week or
so), traffic to https://app.example.com/svc/api/xxxx returns 502 gateway
errors. The API service (located at https://svc.example.com/api) is
working fine and is accessible directly. However, through the proxy
setup (above), nginx will not pass traffic. Simply restarting nginx
gets it working again for another week or so, only to have it get into
the same state again some random interval later.
Does anyone have any ideas what might be causing nginx to fail to proxy
traffic when no changes to the configuration have been made and the
backend service is functioning normally?
Since I anticipate some will want to tell me that proxying to HTTPS is a
bad idea, please realize we do not have the luxury of talking to the
backend service (which lives on the Internet and is accessed by multiple
parties) via HTTP. Also, yes, I realize that the proxy_set_header stuff
probably has no useful effect with HTTPS proxying.
Thanks much in advance. Eric
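Below is an added example configuration for the same proxy arrangement. It is not the config from the post above, and the resolver address, certificate, log and document-root paths are assumed placeholders. It adds the checks a practitioner would want when nginx terminates TLS and re-encrypts to an upstream: the backend hostname is placed in a variable and paired with a resolver so nginx re-resolves it at request time (a hostname written literally in proxy_pass is resolved once, when the configuration is loaded, and that cached answer is kept until the next reload or restart), the upstream certificate is verified against a CA bundle with an explicit SNI name, TLS versions are restricted on both legs, and bounded timeouts plus a dedicated error log ensure that an upstream failure leaves a recorded reason next to each 502.

```nginx
# Added example (not the original poster's config). Assumed values:
# the resolver address, certificate paths, the CA bundle, the log path
# and the document root.
server {
    listen 443 ssl;
    server_name app.example.com;
    server_tokens off;

    ssl_certificate     /etc/nginx/certs/app.example.com.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # Re-resolve the backend name every 5 minutes instead of once at startup.
    # A literal hostname in proxy_pass is resolved only when the configuration
    # is loaded; a variable makes nginx consult the resolver at request time.
    resolver 127.0.0.53 valid=300s ipv6=off;   # assumed local resolver
    resolver_timeout 5s;

    location /svc/api/ {
        set $api_backend "svc.example.com";

        # With a variable in proxy_pass the location prefix is not replaced
        # automatically, so map /svc/api/... to /api/... here first.
        rewrite ^/svc/api/(.*)$ /api/$1 break;
        proxy_pass https://$api_backend;

        # The browser sees a same-origin URL; towards the backend be explicit:
        # Host selects the virtual host, proxy_ssl_name sets the SNI name.
        proxy_set_header Host svc.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_name svc.example.com;

        # Verify the backend certificate so a wrong DNS answer or a
        # misrouted upstream cannot silently stand in for the API.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed CA bundle
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Bounded timeouts so a stalled backend surfaces as a logged 504
        # instead of tying up workers; upstream failures go to their own log.
        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        error_log /var/log/nginx/api-proxy.error.log warn;   # assumed path
    }

    location / {
        root /var/www/app;   # assumed document root
    }
}
```

Two points on the design: the variable form of proxy_pass is what enables periodic re-resolution, but it also disables the automatic prefix replacement, which is why the rewrite line carries the /svc/api/ to /api/ mapping explicitly. And because the post does not establish what causes its intermittent 502s, the dedicated error log is the first thing to consult: nginx records the upstream-side reason (resolution, connect, TLS handshake or read failure) alongside each 502 it returns, which distinguishes a stale DNS answer from a backend that actually refused or dropped the connection.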