Cache issue with NGINX reverse proxy

Hi!

I have an issue with web elements not appearing and pages not loading in the new OH3 interface behind a LetsEncrypt-secured NGINX reverse proxy, with no auth configured as it is all internal. The certificate is a wildcard cert for all of my internal domain servers. OpenHAB 3 is running the release version in a docker container.
I tested the same pages in parallel via direct access and it has no issues. It must be some NGINX config mistake. I have a lot of other local sites proxied like this working without issues.
The NGINX config is this:

    server {
        listen          80;
        server_name     oh3.xxxx.xx;
        return 301      https://$server_name$request_uri;
    }
    server {
        listen                      443 ssl http2;
        server_name                 oh3.xxx.xx;
        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_certificate             /etc/nginx/ssl/wildcard.cer;
        ssl_certificate_key         /etc/nginx/ssl/wildcard.key;
        ssl_session_timeout         1d;
        ssl_session_cache           shared:SSL:10m;
        keepalive_timeout           70;
        add_header                  Strict-Transport-Security "max-age=31536000";
        add_header                  Set-Cookie X-OPENHAB-AUTH-HEADER=1;
        location / {
            proxy_pass                              http://192.168.1.241:8081;
            proxy_set_header Host                   $http_host;
            proxy_set_header X-Real-IP              $remote_addr;
            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto      $scheme;
            proxy_set_header Upgrade                $http_upgrade;
            proxy_set_header Authorization          "";
            proxy_set_header Connection             "Upgrade";
            satisfy                                 any;
            allow                                   192.168.1.0/24;
            allow                                   192.168.5.0/24;
            allow                                   127.0.0.1;
            deny                                    all;
        }
    }

If I open Astro Moon first channel Configuration I’ve got this:


On direct connection I’ve got this as expected:

Strangely, if I hit refresh, both the direct and the proxied connection return this:

Sorry
Requested content not found.

Debug information
* **Url:** /settings/things/astro:moon:local/channels/rise#start/edit
* **Path:** /settings/things/astro:moon:local/channels/rise
* **Hash:** start/edit
* **Params:**
* **Query:**
* **Route:** (.*)

In the Chrome console I have no clue what is missing: no errors or 404. On direct connection I get Violation of added non-passive event listener to a scroll-blocking “wheel” event. And the data for astro events in JSON appears:

Update earliest to 00:00
app.js:7 {"offset":0,"earliest":"00:00"} 
Update latest to 00:00
app.js:7 {"offset":0,"earliest":"00:00","latest":"00:00"}

Both enabled and disabled simple AUTH in REST setting makes no difference. In OH2 (which is still running with almost the same NGINX proxy settings on the same NGINX server) I have no issue.

Testing further:

If I empty the cache and tmp folders and restart the container, I cannot log in via the proxy, only with a direct connection. In Chrome, when I click the admin login icon, this message appears on the console:

If I hit Ctrl+Shift+R in Chrome, I can log on with proxy access as well.

Any idea what went wrong?

1 Like

I see promise mentioned, which is ES6 JavaScript. If something only supports ES5 JavaScript there would be an error.
What browser are you using? I know the ECMA Scripting in OH3 is only ES5. Most browsers, apart from IE, support ES6. I do not know how the reverse proxy affects that, if at all.

Google Chrome 87.0.4280.88 64 bit on Windows 10 Pro 64 bit 20H2 19042.685

I managed to catch some upstream timeouts in the NGINX logs (110: Connection timeout). Based on this article from Stack Overflow I changed some options and it seems to work. My current NGINX conf is this:

    server {
        listen          80;
        server_name     oh3.xxxx.xx;
        return 301      https://$server_name$request_uri;
    }

    server {
        listen                      443 ssl http2;
        server_name                 oh3.xxxx.xx;
        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers   on;
        ssl_certificate             /etc/nginx/ssl/wildcard.cer;
        ssl_certificate_key         /etc/nginx/ssl/wildcard.key;
        ssl_session_timeout         1d;
        ssl_session_cache           shared:SSL:10m;
        keepalive_timeout           70;
        add_header                  Strict-Transport-Security "max-age=31536000";
        add_header                  Set-Cookie X-OPENHAB-AUTH-HEADER=1;
        location / {
            proxy_pass                              http://192.168.1.241:8081;
            proxy_set_header Host                   $http_host;
            proxy_set_header X-Real-IP              $remote_addr;
            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto      $scheme;
            proxy_set_header Upgrade                $http_upgrade;
            proxy_set_header Authorization          "";
            proxy_set_header Connection             "";
            proxy_http_version                      1.1;
            #proxy_cache_bypass                     $cookie_nocache $arg_nocache;
            #proxy_read_timeout                     3600;
            satisfy                                 any;
            allow                                   192.168.1.0/24;
            allow                                   192.168.5.0/24;
            allow                                   127.0.0.1;
            deny                                    all;
        }
    }

I removed “Upgrade” from <proxy_set_header Connection> and inserted proxy_http_version with 1.1. Does it make sense?

1 Like
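On the question in the last post, an added example (not from the thread and not openHAB's own configuration): the conditional-upgrade pattern from the NGINX WebSocket proxying documentation, applied to the config above, so `Connection: upgrade` reaches the upstream only when the client actually asked for an upgrade. The variable name `$connection_upgrade` is defined by the `map`; host name, paths and upstream address are copied from the thread, and the `ssl_protocols` line assumes an NGINX/OpenSSL build with TLS 1.3 support.

```nginx
# Added example, not the poster's config. The map goes in the http {} context.
# $connection_upgrade is a name chosen here; the map defines it.
map $http_upgrade $connection_upgrade {
    default upgrade;    # client sent an Upgrade header: request the upgrade upstream
    ''      close;      # ordinary request: no upgrade, plain request/response
}

server {
    listen                  443 ssl http2;
    server_name             oh3.xxxx.xx;            # redacted name as in the thread
    ssl_certificate         /etc/nginx/ssl/wildcard.cer;
    ssl_certificate_key     /etc/nginx/ssl/wildcard.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 is an assumption:
    # it needs NGINX 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols           TLSv1.2 TLSv1.3;

    add_header              Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass                          http://192.168.1.241:8081;

        # The proxy speaks HTTP/1.0 to the upstream by default;
        # the Upgrade mechanism is only defined for HTTP/1.1.
        proxy_http_version                  1.1;

        proxy_set_header Host               $http_host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;

        # Hop-by-hop headers are not forwarded automatically; pass them
        # explicitly, and only as an upgrade when the client requested one.
        proxy_set_header Upgrade            $http_upgrade;
        proxy_set_header Connection         $connection_upgrade;

        proxy_set_header Authorization      "";

        # No auth is configured, so access rests on these source ranges.
        allow                               192.168.1.0/24;
        allow                               192.168.5.0/24;
        allow                               127.0.0.1;
        deny                                all;
    }
}
```

Running `nginx -t` checks the syntax before a reload.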
