Nginx reverse proxy broken after latest OMV 5 update (v5.6.21)

sbocquet · 2. Dezember 2021

Hi,

I'm facing a reverse proxy problem since this morning.
I have a qbittorrent-nox server running on my NAS, listening on port 8080 for the WebUI.
I setup a reverse proxy on nginx in order to access it from the internet with an URL on port 443.

Code

root@home-server:/etc/nginx/sites-enabled# ls -al
total 8
drwxr-xr-x 2 root root 4096 Dec  2 10:38 .
drwxr-xr-x 9 root root 4096 May 29  2021 ..
lrwxrwxrwx 1 root root   40 Jul 30  2020 openmediavault-webgui -> ../sites-available/openmediavault-webgui
lrwxrwxrwx 1 root root   37 Aug  5  2020 qbittorrent-webgui -> ../sites-available/qbittorrent-webgui


root@home-server:/etc/nginx/sites-enabled# cat qbittorrent-webgui
server {
server_name torrent.myinterneturl.fr;
listen [::]:80;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/openmediavault-68ade6e6-a294-4dd1-ac65-e60c344c6b65.crt;
ssl_certificate_key /etc/ssl/private/openmediavault-68ade6e6-a294-4dd1-ac65-e60c344c6b65.key;

access_log /var/log/nginx/qbittorrent-webgui_access.log;
error_log /var/log/nginx/qbittorrent-webgui_error.log;

location / {
proxy_pass              http://127.0.0.1:8080;
proxy_hide_header       Referer;
proxy_hide_header       Origin;
proxy_set_header        Referer                 '';
proxy_set_header        Origin                  '';
proxy_set_header        Host                    $host;
proxy_set_header        X-Forwarded-Host        $server_name:$server_port;
proxy_set_header        X-Real-IP               $remote_addr;
proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto       $scheme;
add_header              Front-End-Https         on;
}
}

Alles anzeigen

It used to work fine but until the last update (v5.6.21) this morning. I have checked the changelog but nothing seems related.

Anyway, when I try to access https://torrent.myInternetURL.fr, I have the OMV WebUI page instead of the qBittorrent page, like no redirection is done.
If I try to access directly the qBittorrent WebUI with http://torrent.myInternetURL.fr:8080, I have the correct page.

I can't figure out what could have changed to brake te redirection...
Any Web server expert here ?

Thanks

sbocquet · 2. Dezember 2021

To be complete, this configuration still works fine on another OMV server not updated yet !

Soma · 2. Dezember 2021

Instead of editing files on the host and to prevent this same situation to happen again:

Fire a SWAG docker creating a certificate for your WAN domain.

use the proxy-conf for qBittorrent (either subfolder or subdomain) and change this:

Code

set $upstream_app qbittorrent;

to this:

Code

set $upstream_app 192.168.x.x; #<--- Lan IP of where qBittorrent is running.

Problem solved

You can even use a "homebrew" proxy-conf for OMV5.

sbocquet · 2. Dezember 2021

Hummm... I don't want to use docker for several reasons, and it work fine since more than 1 year !

Any other suggestions ?

Soma · 2. Dezember 2021

Zitat von sbocquet

To be complete, this configuration still works fine on another OMV server not updated yet !

Zitat von sbocquet

Any other suggestions ?

Other than suggest you to find the diffs of the files that are changed before and after the update:

Sorry, don't have any other.

sbocquet · 2. Dezember 2021

OMV Update :

Latest known got access :

tail -f qbittorrent-webgui_access.log

Code

::ffff:91.212.21.220 - - [02/Dec/2021:09:03:54 +0100] "POST /api/v2/rss/items?kwonl09y HTTP/2.0" 200 65605 "https://torrent.myInternetURL.fr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.20 Safari/537.36 Edg/97.0.1072.13"

sbocquet · 2. Dezember 2021

Anyway to rollback and re-install openmediavault v5.6.20 ?

Soma · 2. Dezember 2021

Pretty sure it's an easy task but don't know how.

Maybe the same way you install a previous version of a deb:

How To Downgrade Packages To A Specific Version With Apt In Debian, Ubuntu Or Linux Mint - Linux Uprising Blog

Please, DO NOT follow my info without other people's confirmation.

It might do more harm than benefit.

Might be better if you can view the working OMV nginx files and compare to the non-working one.

Zoki · 2. Dezember 2021

As your config did not change, can you please check if your file is really included in the nginx config file.

nginx -c /pat/to/mginx/config -T | more will check the config and dump the result. Hit <Enter> to scroll through the pages.

sbocquet · 2. Dezember 2021

Zitat von Zoki

As your config did not change, can you please check if your file is really included in the nginx config file.
nginx -c /pat/to/mginx/config -T | more will check the config and dump the result. Hit <Enter> to scroll through the pages.

Thanks for the tip... unfortunately, after verification, the conf file is included.

Zoki · 2. Dezember 2021

Can you compare the config dump with what you have in the non-updated systems?

What you can do to debug is to run nginx in no daemon mode with excessive logging to find out why these requests are routed to OMV instead of the reverse proxy.

Stop nginx service from the command line

start nginx with

Code

/usr/sbin/nginx -g "daemon off;error_log /dev/stdout debug;"

look at the logs . if nothing is found, you have to enable debugg logging in the server parts of the config.

Please check the cli flags with the docs, it is written from memory.

sbocquet · 2. Dezember 2021

Just updated the other server and reverse proxy is broken too with v5.6.21... so for sure, this is related to the update.

So, started nginx in cli mode, and everything is normal... no error code. I'm lost !

Code

2021/12/02 14:54:15 [debug] 6736#6736: bind() 0.0.0.0:80 #11
2021/12/02 14:54:15 [debug] 6736#6736: bind() 0.0.0.0:443 #12
2021/12/02 14:54:15 [debug] 6736#6736: bind() [::]:80 #13
2021/12/02 14:54:15 [debug] 6736#6736: bind() [::]:443 #14
2021/12/02 14:54:15 [notice] 6736#6736: using the "epoll" event method
2021/12/02 14:54:15 [debug] 6736#6736: counter: 00007F5A35620080, 1
2021/12/02 14:54:15 [notice] 6736#6736: nginx/1.14.2
2021/12/02 14:54:15 [notice] 6736#6736: OS: Linux 5.10.0-0.bpo.9-amd64
2021/12/02 14:54:15 [notice] 6736#6736: getrlimit(RLIMIT_NOFILE): 1024:1048576
2021/12/02 14:54:15 [debug] 6736#6736: write: 15, 00007FFFB0BEBC00, 5, 0
2021/12/02 14:54:15 [debug] 6736#6736: setproctitle: "nginx: master process /usr/sbin/nginx -g daemon off;error_log /dev/stdout debug;"
2021/12/02 14:54:15 [notice] 6736#6736: start worker processes
2021/12/02 14:54:15 [debug] 6736#6736: channel 3:15
2021/12/02 14:54:15 [notice] 6736#6736: start worker process 6737
2021/12/02 14:54:15 [debug] 6736#6736: channel 16:17
2021/12/02 14:54:15 [debug] 6737#6737: add cleanup: 000056125677ABB8
2021/12/02 14:54:15 [debug] 6737#6737: malloc: 0000561256774CF0:8
2021/12/02 14:54:15 [notice] 6736#6736: start worker process 6738
2021/12/02 14:54:15 [debug] 6736#6736: pass channel s:1 pid:6738 fd:16 to s:0 pid:6737 fd:3
2021/12/02 14:54:15 [debug] 6737#6737: notify eventfd: 17
2021/12/02 14:54:15 [debug] 6736#6736: channel 18:19
2021/12/02 14:54:15 [debug] 6737#6737: testing the EPOLLRDHUP flag: success
2021/12/02 14:54:15 [debug] 6737#6737: malloc: 000056125673D8D0:6144
2021/12/02 14:54:15 [debug] 6737#6737: malloc: 00007F5A317E5010:184320
2021/12/02 14:54:15 [debug] 6737#6737: malloc: 0000561256782B60:73728
2021/12/02 14:54:15 [debug] 6738#6738: add cleanup: 000056125677ABB8
2021/12/02 14:54:15 [debug] 6737#6737: malloc: 0000561256794B70:73728
2021/12/02 14:54:15 [debug] 6738#6738: malloc: 0000561256774CF0:8
2021/12/02 14:54:15 [debug] 6737#6737: epoll add event: fd:15 op:1 ev:00002001
2021/12/02 14:54:15 [debug] 6737#6737: setproctitle: "nginx: worker process"
2021/12/02 14:54:15 [debug] 6737#6737: worker cycle
...

Alles anzeigen

Zoki · 2. Dezember 2021

You do not find anything in the error log, because nginx does not consider it an error, but redirects to the main server.

Did you have a chance to compare the nginx -T between working and non working servers?

Can you compare the versions of nginx between working and non working? (nginx -v)

sbocquet · 2. Dezember 2021

Zitat von Zoki

You do not find anything in the error log, because nginx does not consider it an error, but redirects to the main server.
Did you have a chance to compare the nginx -T between working and non working servers?
Can you compare the versions of nginx between working and non working? (nginx -v)

Nginx -T are the same... so same broken reverse proxy.
Nginx is v1.14.2, the latest package from debian repo.

The fact that I'm sure is :
- they have exactly the same nginx/proxy config files.
- this morning, I update from v5.6.20 to v5.6.21 the first server; reverse proxy stopped just after (<1 min).
- this afternoon, I updated the second server, reverse proxy stopped just after (<1 min).

Log file from QB access and error are empty since the update, and the access are logged in OMV access log file....

OMV access log file :

Code

Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.20 Safari/537.36 Edg/97.0.1072.13"
91.212.21.220 - - [02/Dec/2021:15:18:49 +0100] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.20 Safari/537.36 Edg/97.0.1072.13"
127.0.0.1 - - [02/Dec/2021:15:18:53 +0100] "GET / HTTP/1.1" 200 3436 "-" "Monit/5.26.0"
127.0.0.1 - - [02/Dec/2021:15:18:53 +0100] "GET / HTTP/1.1" 200 3436 "-" "Monit/5.26.0"

OMV error log file

Code

91.212.21.220 - - [02/Dec/2021:15:25:25 +0100] "GET /favicon.ico HTTP/1.1" 200 1406 "https://torrent.myURL.fr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.20 Safari/537.36 Edg/97.0.1072.13"
127.0.0.1 - - [02/Dec/2021:15:25:54 +0100] "GET / HTTP/1.1" 200 3436 "-" "Monit/5.26.0"
127.0.0.1 - - [02/Dec/2021:15:25:54 +0100] "GET / HTTP/1.1" 200 3436 "-" "Monit/5.26.0"

votdev · 2. Dezember 2021

Zitat von sbocquet

The fact that I'm sure is :
- they have exactly the same nginx/proxy config files.
- this morning, I update from v5.6.20 to v5.6.21 the first server; reverse proxy stopped just after (<1 min).
- this afternoon, I updated the second server, reverse proxy stopped just after (<1 min).

If you have not pressed the Apply button in the UI then nothing should have happened. The latest version 5.6.21 has marked the nginx, host and postfix modules as dirty, thus their configuration is re-deployed on pressing Apply. But there are no changes in the code, except that the IPv6 detection has been improved/fixed, thus it can happen that now only IPv4 configuration is generated if IPv6 is not configured.

Zoki · 2. Dezember 2021

Thanks votdev for the hint. Lookin in the generated config nginx only listenes to IPv6 address on the proxy:

Code

listen [::]:80;
listen [::]:443 ssl http2;

Shouldn't there be

Code

listen 80;
listen 443 ssl https;

also?

sbocquet · 2. Dezember 2021

Zitat von votdev

If you have not pressed the Apply button in the UI then nothing should have happened. The latest version 5.6.21 has marked the nginx, host and postfix modules as dirty, thus their configuration is re-deployed on pressing Apply. But there are no changes in the code, except that the IPv6 detection has been improved/fixed, thus it can happen that now only IPv4 configuration is generated if IPv6 is not configured.

Thanks Volker ( votdev), you point me in the right direction once again As you said, no IPv6 was configured in those servers... but the nginx reverse proxy conf file was "misconfigured" !

Modified the configuration from

Code

listen [::]:80;
listen [::]:443 ssl http2;

to

Code

listen 80;
listen 443 ssl http2;

Big thanks both of you for your time.

Nginx reverse proxy broken after latest OMV 5 update (v5.6.21)

sbocquet 2. Dezember 2021

sbocquet 2. Dezember 2021

Jetzt mitmachen!

Tags