Closed GoogleCodeExporter closed 9 years ago
Good catch. I installed Nginx and noticed that I wasn't getting any responses.
Turns
out, the version of nginx that was installed by Debian always uses HTTP/1.0 and
"Connection: close" when connecting through "proxy_pass". I haven't checked
whether
there are any other versions of Nginx that support HTTP/1.1 for outgoing
connections,
or whether this is a configuration option that I forgot to set.
In general, ShellInABox goes to great lengths to attempt to keep connections
open, as
that will significantly improve performance. It erroneously assumed that there
weren't any browsers and/or proxies around, that don't know how to parse
"Content-Length".
The newest code in SVN now has a fix that respects "Connection: close". With
that
change, ShellInABox should work fine when using Nginx as a reverse proxy. There
is
going to be a small performance penalty for all the connections that get
constantly
opened and closed, but as this is happening on localhost, the cost won't be as
noticable as when it happens over the WAN. Nonetheless, if you can figure out
how to
make Nginx speak HTTP/1.1 and keep outgoing connections open, you should see a
performance improvement.
There are a few other non-obvious configuration details:
1) You either have to tell ShellInABox to not upgrade to SSL (with the "-t" option),
or you have to configure "proxy_pass" to point to the HTTPS URL. Otherwise,
you'll
end up with an infinite redirection loop. The former is preferable, as you
otherwise
needlessly waste cycles with encrypting, decrypting, and re-encrypting each bit
of data.
2) You either need to tell Nginx to rewrite addresses to point to the root "/" entry
when forwarding the request; or you can add a new service entry with the "-s"
option,
but then you have to make sure that users always type the URL so that it has a
trailing "/".
Of course, the alternative is that you don't use Nginx at all, and that you
just host
ShellInABox on a dedicated port. But that has the drawback that some users can
only
reach servers on port 80, because their outgoing traffic gets filtered.
If this code change did not fix the problem that you were seeing, please file
another
bug report with detailed instructions on how to reproduce it.
Original comment by zod...@gmail.com
on 21 Jun 2009 at 7:09
Thanks, the code worked - mostly. I neglected to remember and mention that from
nginx
doing HTTPS, I proxy to apache which handles digest authentication (nginx can
only do
basic auth) and that then proxies to shellinabox.
Using your code from SVN, nginx -> Apache2 -> SIAB doesn't work. However,
nginx ->
SIAB does work. Currently I've turned on basic authentication in nginx, but is
there
anything I'm missing in my apache2 config that you can think of, that could care
about this connection closing?
Original comment by gnute...@gmail.com
on 22 Jun 2009 at 3:38
For debugging purposes, can you temporarily disable all encryption. Then use
wireshark to log the network traffic. Take a look at the traffic between NGinx
and
Apache, and the traffic between Apache and ShellInABox. Do you see any
unexpected
differences?
Original comment by zod...@gmail.com
on 22 Jun 2009 at 4:00
I cannot reproduce this problem. I can successfully proxy through
nginx->Apache2->ShellInABox.
Nginx is configured like this:
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_timeout 5m;
keepalive_timeout 70;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1;
}
}
Apache 2 is configured like this:
<VirtualHost *:80>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /shell/ http://localhost:4200/
RedirectMatch permanent /shell$ /shell/
</VirtualHost>
And ShellInABox is configured like this:
SHELLINABOX_DAEMON_START=1
SHELLINABOX_PORT=4200
SHELLINABOX_ARGS=--no-beep
SHELLINABOX_ARGS="${SHELLINABOX_ARGS} -t --localhost-only"
Original comment by zod...@gmail.com
on 5 Jul 2009 at 7:50
Original comment by zod...@gmail.com
on 8 Jul 2009 at 5:39
Revision 152 in the SVN repository changed the way that we redirect URLs. This
should
make it easier to configure proxies.
Original comment by zod...@gmail.com
on 27 Jul 2009 at 6:32
Original issue reported on code.google.com by
gnute...@gmail.com
on 21 Jun 2009 at 1:33