Hello,
I currently use haproxy 1.5.18 with a backend of two servers running Nginx listening on ports 80 & 443. I’m trying to remove haproxy, but every time I try I get “broken header while reading proxy protocol”, and I think the issue might be the “send-proxy” option.
Any recommendations will be helpful.
You will need to remove the proxy_protocol
directive from your nginx configuration then, if you no longer use it.
This is one of the virtual host files:
I tried commenting out the proxy_protocol, but got the same result.
# Virtual host for test.com on :443 (TLS + HTTP/2), as pasted into the thread.
# The closing brace of this server block is not included in the paste.
server {
# NOTE(review): both listen lines bind the same address (0.0.0.0:443 and *:443).
# nginx normally rejects a duplicate listen address within one server — confirm
# with `nginx -t`. With proxy_protocol on the listen, nginx expects a PROXY
# header at the start of EVERY connection; a client (or load balancer without
# send-proxy) that talks TLS directly triggers "broken header while reading
# proxy protocol". Remove proxy_protocol here when nothing in front sends it.
listen 0.0.0.0:443 ssl;
listen *:443 ssl http2 proxy_protocol;
# listen *:443 ssl http2;
error_log /var/log/nginx/ar.islamway.net.error.log;
server_name test.com;
error_page 500 502 503 504 /50x.html;
# ssl on;
ssl_certificate /etc/letsencrypt/live/islamway.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/islamway.net/privkey.pem;
ssl_session_cache shared:SSL:10m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3
# where the nginx/OpenSSL build supports it) unless legacy clients are required.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# Cipher list still permits CBC-mode and SHA-1 suites (e.g. *-AES128-SHA);
# consider restricting to the AEAD (GCM) suites once client support is confirmed.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/dhparams.pem;
# Take the client address from the PROXY protocol header. This only has an
# effect when a listen directive carries proxy_protocol AND the connecting peer
# matches one of the set_real_ip_from entries below; otherwise it is inert.
# The commented-out duplicate further down is not what the thread is about.
real_ip_header proxy_protocol;
# HSTS for one year. NOTE(review): nginx add_header directives are NOT inherited
# into a location that declares its own add_header — the /fonts/, static-asset
# and / locations below each do, so HSTS is not emitted on their responses
# unless this line is repeated inside them.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; ";
location = /test/push.html {
http2_push /test/push.css;
root /data/web/webroot3/web;
}
# Keyword blocklist on the raw request URI: case-sensitive, unanchored substring
# match, not URL-decoded. It will 403 legitimate URIs containing these words
# (e.g. "selected") and is easily missed by encoded or mixed-case input, so it
# is a nuisance filter at best — the upstream application must still validate
# and parameterize its own inputs.
if ($request_uri ~ 'select|union|ascii|database|undefined' ) {return 403;}
# Peers whose proxy-protocol / forwarded address is trusted for real_ip
# substitution. The three public addresses are presumably the HAProxy hosts —
# verify, since anything listed here can assert an arbitrary client IP.
set_real_ip_from 127.0.0.1;
set_real_ip_from 72.52.116.87;
set_real_ip_from 72.52.116.101;
set_real_ip_from 38.76.31.223;
# real_ip_header proxy_protocol;
# Application paths proxied to the local backend on :81 over plain HTTP.
location ~* ^/(sf|phplist|ramadan|gaza|hajj|team|teams|quranflash|Basateen|api|api2|kids)/ {
proxy_pass http://127.0.0.1:81;
http2_push_preload on;
# Bare numbers are seconds: 2000 s / 3000 s (~33 / 50 min). Such long timeouts
# keep worker connections tied up on stalled upstreams — confirm they are intended.
proxy_connect_timeout 2000;
proxy_read_timeout 3000;
proxy_send_timeout 3000;
proxy_set_header Host $host;
# $remote_addr here is the real_ip-substituted address when the peer was trusted above.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): the quotes on the next line are typographic (“”) as pasted.
# nginx needs ASCII "" for an empty value; otherwise the literal characters are
# sent upstream as the Accept-Encoding value — check the on-disk file.
proxy_set_header Accept-Encoding “”;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Fonts: served from the default root (no root set in this location), cacheable,
# readable cross-origin. This block's add_header suppresses the server-level HSTS.
location ~* ^/fonts/ {
add_header Cache-Control public;
add_header Access-Control-Allow-Origin *;
}
# Static assets served directly from disk with far-future expiry and open CORS.
# Note `tar.gz`/`tar.bz2` use an unescaped dot, and this block's add_header
# suppresses the server-level HSTS header.
location ~* \.(gif|jpg|jpeg|png|bmp|ico|ttf|woff|otf|eot|txt|pdf|css|js|wmv|avi|mpg|mpeg|mp4|amr|mp3|ogg|wav|wma|m3u|mid|ram|rm|rmvb|rar|psd|swf|doc|xls|exe|zip|gz|bz2|tar.gz|tar.bz2)$ {
root /data/web/webroot3/web; # here
http2_push_preload on;
add_header Access-Control-Allow-Origin *;
expires max;
}
# Default route: everything else goes to the local backend on :81.
location / {
proxy_pass http://127.0.0.1:81;
proxy_connect_timeout 2000;
proxy_read_timeout 3000;
proxy_send_timeout 3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): typographic quotes (“”) here too — see the note in the app-path location.
proxy_set_header Accept-Encoding “”;
proxy_set_header X-Forwarded-Proto $scheme;
# Declaring add_header here also drops the inherited HSTS header for this location.
add_header Front-End-Https on;
}
# NOTE(review): the bare "S" below is not an nginx directive — presumably a paste
# artefact (likewise the "E" further down); nginx would reject the file as shown.
S
# NOTE(review): the regex dot is unescaped, so `.css$` also matches e.g. "/foocss".
# `\.css$` is the intended form. add_header only ADDS a header; it does not
# replace a Content-Type already set by the upstream, so two Content-Type headers
# can result. proxy_pass over https to 127.0.0.1:444 verifies no certificate
# unless proxy_ssl_verify is enabled (default off) — acceptable for loopback,
# worth stating explicitly.
location ~ .css$ {
add_header Content-Type text/css;
proxy_pass https://127.0.0.1:444;
}
# Same remarks as the .css location: unescaped dot, add_header vs. upstream
# Content-Type, unverified TLS to the loopback upstream.
location ~ .js$ {
add_header Content-Type application/x-javascript;
proxy_pass https://127.0.0.1:444;
}
E
# Duplicate of the error_page directive near the top of the block.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# Deny access to .ht* files (.htaccess, .htpasswd). The dot is unescaped, so
# `/.ht` also matches e.g. "/xht..."; `\.ht` is the stricter form.
location ~ /.ht {
deny all;
}
# Status endpoint restricted to loopback and one LAN host. allow/deny apply to
# the client address as seen after real_ip substitution, so the trust list
# above matters here too.
location /nginx_status {
stub_status on;
# NOTE(review): error_log takes a file path (and optional level); "on" is
# presumably treated as a relative file named "on" — confirm this is intended.
error_log on;
allow 127.0.0.1;
allow 192.168.100.98;
deny all;
}
No, you commented out `real_ip_header proxy_protocol;`. However, what’s relevant is:
listen *:443 ssl http2 proxy_protocol;
You need to remove the proxy_protocol
from all of the listen directives.
Commenting out the proxy_protocol worked.