[sf-lug] 405 Method Not Allowed nginx Reverse Proxy
Michael Paoli
michael.paoli at cal.berkeley.edu
Fri Jul 28 01:35:16 PDT 2023
My suggestion would be to work it out in virtual machine(s) (VM(s)).
E.g. replicate what you need into VM(s) to reproduce the issue. Then
work with that to solve it - basically work out a plan to get from
non-working state to working state ... then apply that to your actual
target environment. Anyway, I've done stuff like that a fair number of
times now - including working out some quite non-trivial issues in
virtual, then applying the determined fix to the actual target
environment.
See, e.g.:
http://linuxmafia.com/pipermail/sf-lug/2015q1/010663.html
On Wed, Jul 26, 2023 at 8:04 AM Doug Bierer <doug at unlikelysource.com> wrote:
>
> I'm getting a "405 Method Not Allowed" message whenever I do a POST via an nginx reverse proxy. Any help or suggestions would be much appreciated. I've been all over stackoverflow.com, but so far none of the suggestions have borne fruit.
>
> My client was running the following setup:
>
> 1. WWW is running Ubuntu 20.04 and has a PHP program that accepts DXF files and captures customer input regarding materials, dimensions, quantity, etc.
>
> 2. TestFS is running Ubuntu 8 (yes ... ouch!) with an extremely complex black-box C program that drives machines on a factory floor producing custom made-to-order gaskets. TestFS is configured for HTTP basic authentication (double ouch! I know!!!) and listens on port 10080.
>
> The client's ISP very kindly upgraded WWW (without telling him, of course) and now WWW and TestFS refuse to talk to each other. I isolated the problem down to a TLS issue. TestFS can only go up to TLS 1.0 whereas WWW now will accept nothing less than TLS 1.2.
>
> The solution was to introduce a generic off-the-shelf server which I'll refer to as GS. This server has Ubuntu 22.04 and nginx 1.24. It has two Ethernet NICs: one is Internet-facing with a permanent static IP address. The other is attached to a LAN using 192.169.0.x. TestFS is assigned an IP address of 192.168.0.102.
>
> Now here's my problem. The reverse proxy works perfectly well when I do a GET request ... but returns a 405 Method Not Allowed error when I try to do a POST from WWW to TestFS via GS. The POST is necessary because WWW produces an XML file (yes ... triple ouch!) that contains the base64 encoded DXF file.
>
> Here's the nginx configuration for GS:
>
> # /etc/nginx/conf.d/gs.conf
> server {
>     listen 443 ssl;
>     listen [::]:443 ssl;
>     ssl on;
>     include snippets/self-signed.conf;
>     include snippets/ssl-params.conf;
>     root /var/www/html;
>     index index.html;
>     server_name _;
>     error_page 405 =200 $uri;
>     location / {
>         try_files $uri /index.html $uri/ =404;
>     }
>     location /testfs {
>         proxy_method POST;
>         proxy_pass http://testfs.rapidgasket.local:10080;
>         # Pass Host Header to the downstream server
>         proxy_set_header Host $host;
>         # Set the real IP
>         proxy_set_header X-Real-IP $remote_addr;
>         # Set the forwarded for header
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         # Most POST requests won't be cacheable by Nginx, but if you have some that are
>         # you might want to comment out the following line
>         proxy_no_cache $http_pragma $http_authorization;
>         # This enables Nginx to handle the POST request
>         proxy_http_version 1.1;
>         proxy_set_header Connection "";
>         proxy_set_header Authorization $http_authorization;
>         proxy_pass_header Authorization;
>     }
> }
>
> # snippets/self-signed.conf
> ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
> ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
>
> # snippets/ssl-params.conf;
> ssl_dhparam /etc/nginx/dhparam.pem;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
> ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
> ssl_prefer_server_ciphers on;
> ssl_ecdh_curve secp384r1;
> ssl_session_timeout 10m;
> ssl_session_cache shared:SSL:10m;
> ssl_session_tickets off;
> ssl_stapling on;
> ssl_stapling_verify on;
> resolver 8.8.8.8 8.8.4.4 valid=300s;
> resolver_timeout 5s;
> # Disable strict transport security for now. You can uncomment the following
> # line if you understand the implications.
> #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
> add_header X-Frame-Options DENY;
> add_header X-Content-Type-Options nosniff;
> add_header X-XSS-Protection "1; mode=block";
>
> Test GET curl request:
>
> $ curl --insecure -X GET -d test=TEST \
> -H "Authorization: Basic ==base64EncodedUserAndPassword==" \
> https://ip.addr.of.gs/testfs
>
> Response:
>
> <html>
> <body>
> <h1>Factory Server</h1>
> <ul>
> <li><a href="FactoryServer">Transaction Web Service</a>
> <li><a href="BusinessDefinitions/BusinessDefinitions.html">Business Definitions Data</a>
> </ul>
> <hr/>
> <h1>Other Tests</h1>
> <ul>
> <li><a href="hello">Hello World service</a>
> <li><a href="echo">Echo request information</a>
> <li><a href="log">Log event service</a>
> </ul>
> </body>
> </html>
>
>
> Test POST curl request:
>
> $ curl --insecure -X POST -d test=TEST \
> -H "Authorization: Basic ==base64EncodedUserAndPassword==" \
> https://ip.addr.of.gs/testfs
>
> Response:
>
> <html><head>
> <title>405 Method Not Allowed</title>
> </head><body>
> <h1>Not Allowed</h1>
> <p>The requested method POST is not allowed on this server.</p>
> </body></html>
>
> Any help is appreciated!
>
> Doug Bierer
> SFLUG member since 2007
> Now Living the Life in Thailand :-)
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> SF-LUG is at http://www.sf-lug.org/
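
One way to build the VM reproduction suggested in the reply above (an added example, not part of the original thread): a recording stub that stands in for the backend on the port the proxy forwards to and echoes the method, path and HTTP version that actually arrived, with the Authorization value redacted. The names RecordingUpstream, start_upstream and probe are hypothetical, and binding to 127.0.0.1 assumes the lab nginx runs in the same VM.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SENSITIVE = {"authorization"}  # credential headers are never echoed or stored

class RecordingUpstream(BaseHTTPRequestHandler):
    """Lab stand-in for the backend: records what the proxy really forwarded."""
    seen = []  # one record per request, shared by all handler instances

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        entry = {
            "method": self.command,
            "path": self.path,
            "http_version": self.request_version,
            "body_bytes": len(body),
            "headers": {k.lower(): "<redacted>" if k.lower() in SENSITIVE else v
                        for k, v in self.headers.items()},
        }
        self.seen.append(entry)
        payload = json.dumps(entry, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _record  # same handling, so a method rewrite is visible

def start_upstream(port=0):
    """Serve on 127.0.0.1 in a daemon thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), RecordingUpstream)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def probe(port, method, path, body=None, headers=None):
    """Send one request straight to the stub; return (status, echoed record)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    result = resp.status, json.loads(resp.read())
    conn.close()
    return result

if __name__ == "__main__":
    print("recording stub on port", start_upstream(10080)[1])  # port from proxy_pass
    threading.Event().wait()  # serve until interrupted
```

Point the lab copy of the nginx configuration at the stub and replay the GET and POST curl commands from the message; comparing the echoed records shows what the proxy forwarded for each method.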