elssar

Reputation: 5871

Nginx catch "broken header" when listening to proxy_protocol

I need to use http health checks on an Elastic Beanstalk application, with proxy protocol turned on. That is currently not possible, and the health check fails with the error "*58 broken header while reading PROXY protocol".

I figured I have two options

  1. Perform the health check on another port, and set up nginx to listen to http requests on that port and proxy to my app.
  2. If it is possible to catch the broken header errors, or detect regular http requests in the proxy_protocol server block, then redirect those requests to a port that listens to http.

I would prefer the latter (#2), if possible. So is there any way to do this?

Ideally, I would prefer not to have to do any of this. A feature request to fix this has been submitted to AWS, but it has no ETA.

Upvotes: 5

Views: 7279

Answers (1)

Dave Turner

Reputation: 1896

The proxy protocol specification says:

The receiver MUST be configured to only receive the protocol described in this specification and MUST not try to guess whether the protocol header is present or not. This means that the protocol explicitly prevents port sharing between public and private access. Otherwise it would open a major security breach by allowing untrusted parties to spoof their connection addresses.

I think this means that option 2 is a sufficiently bad idea that it's not even supported by conforming implementations of the proxy protocol.

Option 1, on the other hand, seems pretty reasonable. You can set up a security group so that only legitimate health checks can come in on the port without proxy protocol enabled.

Another couple of options spring to mind too:

  1. Simply point your health checks at the thing that's adding the header (i.e. ELB?), rather than directly at your Nginx instance. Not sure if this is possible with Elastic Beanstalk; it's not a service I use.

  2. Use something else to add the proxy protocol header before forwarding the health-check traffic on to your Nginx, which would avoid having to duplicate your Nginx config. For instance, an HAProxy running on the same machine as your Nginx could do this. Again, use security groups to ensure that only legitimate traffic gets through.

Upvotes: 1
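Option 1 from the answer, written out as an nginx configuration. This is an added example, not part of the question or the answer: one server block accepts only PROXY-protocol connections on the application port, and a second, plain-HTTP server block on a separate port serves the load balancer's health check so its ordinary GET is parsed normally instead of tripping "broken header". The port numbers, the upstream address, the /health path and the 10.0.0.0/16 range used for set_real_ip_from and allow are assumptions; substitute the load balancer's and health checker's real ranges, and keep the security-group restriction the answer describes as the primary control.

```nginx
# Added example (not from the question or answer). Ports, upstream address,
# health-check path and the 10.0.0.0/16 range are assumptions.

upstream app {
    server 127.0.0.1:5000;   # assumed: the Elastic Beanstalk application process
}

# Public traffic arrives through the ELB with PROXY protocol enabled.
# Per the spec quoted above, this listener accepts ONLY connections that
# carry the PROXY header; nginx does not guess.
server {
    listen 80 proxy_protocol;

    # Trust the PROXY header only from the load balancer's address range
    # (assumed CIDR). Without this restriction any peer that can reach the
    # port could supply a forged source address in the header.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   proxy_protocol;

    location / {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Real-IP       $proxy_protocol_addr;
    }
}

# Health-check listener: plain HTTP, no proxy_protocol. The security group
# should only admit the health checker to this port; the allow/deny below is
# defence in depth on the instance itself.
server {
    listen 8080;

    allow 10.0.0.0/16;   # assumed: the subnet the health checker lives in
    deny  all;

    location /health {
        proxy_pass http://app/health;   # assumed health endpoint of the app
    }

    location / {
        return 404;
    }
}
```

The health-check block deliberately exposes a single path and answers 404 elsewhere, so the non-PROXY port cannot be used as a general side door around the load balancer even if the network restriction is misconfigured. If the application has no dedicated health endpoint, the location can instead `return 200;` to prove nginx itself is up, at the cost of no longer checking the app behind it.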
