Avoid nginx decoding query parameters on proxy_pass (equivalent to AllowEncodedSlashes NoDecode)

StackOverflow https://stackoverflow.com/questions/20496963

Pergunta

I use nginx as a load balencer in front of several tomcats. In my incoming requests, I have encoded query parameters. But when the request arrives to tomcat, parameters are decoded :

incoming request to nginx:

curl -i "http://server/1.1/json/T;cID=1234;pID=1200;rF=http%3A%2F%2Fwww.google.com%2F"

incoming request to tomcat:

curl -i "http://server/1.1/json/T;cID=1234;pID=1200;rF=http:/www.google.com/"

I don't want my request parameters to be transformed, because in that case my tomcat throws a 405 error.

My nginx configuration is the following :

upstream tracking  {
    server front-01.server.com:8080;
    server front-02.server.com:8080;
    server front-03.server.com:8080;
    server front-04.server.com:8080;
}

server {
    listen 80;
    server_name tracking.server.com;
    access_log /var/log/nginx/tracking-access.log;
    error_log  /var/log/nginx/tracking-error.log;

    location / {
        proxy_pass  http://tracking/webapp;
    }
}

In my current apache load balancer configuration, I have the AllowEncodedSlashes directive that preserves my encoded parameters:

AllowEncodedSlashes NoDecode

I need to move from apache to nginx.

My question is quite the opposite from this question : Avoid nginx escaping query parameters on proxy_pass

Foi útil?

Solução

I finally found the solution: I need to pass $request_uri parameter : 

location / {
    proxy_pass  http://tracking/webapp$request_uri;
}

That way, characters that were encoded in the original request will not be decoded, i.e. will be passed as-is to the proxied server.

Outras dicas

Jean's answer is good, but it does not work with sublocations. In that case, the more generic answer is:

location /path/ {
  if ($request_uri ~* "/path/(.*)") {
    proxy_pass http://tracking/webapp/$1;
  }
}

Note that URL decoding, commonly known as $uri "normalisation" within the documentation of nginx, happens before the backend IFF:

  • either any URI is specified within proxy_pass itself, even if just the trailing slash all by itself,

  • or, URI is changed during the processing, e.g., through rewrite.

Both conditions are explicitly documented at http://nginx.org/r/proxy_pass (emphasis mine):

  • If the proxy_pass directive is specified with a URI, then when a request is passed to the server, the part of a normalized request URI matching the location is replaced by a URI specified in the directive

  • If proxy_pass is specified without a URI, the request URI is passed to the server in the same form as sent by a client when the original request is processed, or the full normalized request URI is passed when processing the changed URI

The solution depends on whether or not you need to change the URL between the front-end and the backend.

  • If no URI change is required:

    # map `/foo` to `/foo`:
location /foo {
    proxy_pass  http://localhost:8080;  # no URI -- not even just a slash
}

  • Otherwise, if you do need to swap or map /api of the front-end with /app on the backend, then you can get the original URI from the $request_uri variable, and the use the rewrite directives over the $uri variable similar to a DFA (BTW, if you want more rewrite DFA action, take a look at mdoc.su). Note that the return 400 part is needed in case someone tries to get around your second rewrite rule, as it wouldn't match something like //api/.

    # map `/api` to `/app`:
location /foo {
    rewrite  ^  $request_uri;            # get original URI
    rewrite  ^/api(/.*)  /app$1  break;  # drop /api, put /app
    return 400;   # if the second rewrite won't match
    proxy_pass    http://localhost:8080$uri;
}

  • If you simply want to add a prefix for the backend, then you can just use the $request_uri variable right away:

    # add `/webapp` to the backend:
location / {
    proxy_pass    http://localhost:8080/webapp$request_uri;
}

You might also want to take a look at a related answer, which shows some test-runs of the code similar to the above.

There is one documented option for Nginx proxy_pass directive

If it is necessary to transmit URI in the unprocessed form then directive proxy_pass should be used without URI part:

location  /some/path/ {
  proxy_pass   http://127.0.0.1;
}

so in your case it could be like this. Do not worry about request URI it will be passed over to upstream servers

location / {
    proxy_pass  http://tracking;
}

Hope it helps.

In some cases, the problem is not on the nginx side - you must set the uri encoding on Tomcat connector to UTF-8.

Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
scroll top