Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Nginx config for Hue - reverse proxy

avatar
Contributor
First of all this is a DEV server, just trying to figure out the configuration. From what I read, this should work, but it is not. 
 
I have a Nginx server running on SSL and trying to do a reverse proxy to a non-ssl cluster (5.15) running Hue. Why does this config not work?
 
server {
  server_name myhostname.com;
  charset utf-8; 
  
  listen 8001;
  ssl on;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_certificate /ssl/grav.crt;
  ssl_certificate_key /ssl/grav.key;
  client_max_body_size 0;
 
  location / {
    proxy_pass http://hue;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;   
  }
 
  location /static/ {
    # Uncomment to expose the static file directories.
    #autoindex on;
 
    # Or if on a parcel install:
    proxy_pass http://hue;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;   
    proxy_set_header X-Forwarded-Proto https;
    #alias /opt/cloudera/parcels/CDH/lib/hue/build/static/;
    expires 30d;
    add_header Cache-Control public;
  }
}
 
upstream hue {
  ip_hash;
 
  # List all the Hue instances here for high availability.
  server node1_IP:8888 max_fails=3;
  server node2_IP:8888 max_fails=3;
}
 
 
Get error message - 
 
login:1 Failed to load resource: the server responded with a status of 404 (Not Found)
12 REPLIES 12

avatar
Expert Contributor

Hello,

 

In order to try to help you with this issue we will need to see more log data or you will need to review the log data. A 404 error is a generic error code which may originate from one of two places in your scenario. The 404 may originate directly from Nginx or it may originate from Hue. 

 

You will need to review the nginx logs and hue logs to determine what is returning the 404 error and for what resource. One way to make this easier is to remove one of your upstream servers from the server group so that it only proxies to one Hue instance while you investigate the 404 error condition.

---
Customer Operations Engineer | Security SME | Cloudera, Inc.

avatar
Contributor
Thanks, will post details later today.


avatar
Contributor

Nginx log:

2018/12/11 19:44:51 [warn] 19347#19347: could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
2018/12/11 19:51:44 [error] 19352#19352: *3 open() "/www/gravalytics/public/favicon.ico" failed (2: No such
2018/12/11 20:04:18 [error] 19352#19352: *14 connect() failed (111: Connection refused) while connecting to upstream, client: <client_ip>, server: gravalytics.com, request: "GET / HTTP/1.1", upstream: "http://<node1_ip>:8888/", host: "gravalytics.com:8001", referrer: "https://gravalytics.com/"
2018/12/11 20:04:18 [error] 19352#19352: *14 connect() failed (111: Connection refused) while connecting to upstream, client: <client_ip>, server: gravalytics.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://<node1_ip>:8888/favicon.ico", host: "gravalytics.com:8001", referrer: "https://gravalytics.com:8001/"

 

 

There is no entry in the Hue instance log in /var/log/hue-httpd/ folder.

avatar
Expert Contributor

Hello,

 

While we do not provide support directly for Nginx reviewing the log data you have posted it would appear as though the Hue backend you are attempting to proxy to on Node 1 is not accepting incoming request. Are you sure that there are no firewalls between the proxy and the node yo uare connecting to? Are you sure that Hue is available at the address you have configured?

 


2018/12/11 20:04:18 [error] 19352#19352: *14 connect() failed (111: Connection refused) while connecting to upstream, client: <client_ip>, server: gravalytics.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://<node1_ip>:8888/favicon.ico", host: "gravalytics.com:8001", referrer: "https://gravalytics.com:8001/"

---
Customer Operations Engineer | Security SME | Cloudera, Inc.

avatar
Contributor

Firewall rules are setup to allow traffic from nginx vm to cluster.

Hue is running on that node and port.

avatar
Contributor

Also another thing to note.

 

This config works for http (nginx) to http (hue), but fails for https (nginx) to http (hue).

avatar
Expert Contributor

Outside of the last time items below I am not seeing anything else that might be wrong with your configuration. Are you certain that TLS is not already enabled on Hue? 

 

You seem to have proxy_set_header Host twice in the first location path. Can you please remove this one shown below? 

 

  proxy_set_header Host $host;

 

Also please uncomment the follow line under the static location. This alias is required if you deployed using parcels if you deployed using packages the path will be slightly different.

 

> #alias /opt/cloudera/parcels/CDH/lib/hue/build/static/;

 

If you used packages.

 

# If Hue was installed with packaging install:
## alias /usr/lib/hue/build/static/;

---
Customer Operations Engineer | Security SME | Cloudera, Inc.

avatar
Contributor

Changed what you requested. Did not help.

 

 
400 Bad Request
The plain HTTP request was sent to HTTPS port

nginx/1.14.2
 
On Inspection:
:8001/favicon.ico:1 Failed to load resource: the server responded with a status of 400 (Bad Request)
login:1 Failed to load resource: the server responded with a status of 400 (Bad Request)
 
From logs:
2018/12/17 15:15:34 [error] 19342#19342: *99 connect() failed (111: Connection refused) while connecting to upstream, client: <My-client-ip>, server: _, request: "GET / HTTP/1.1", upstream: "http://<hue-node-ip>:8888/", host: "gravalytics.com:8001", referrer: "https://gravalytics.com/explore/home"
2018/12/17 15:47:50 [warn] 20199#20199: could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size

avatar
Expert Contributor

Hello,

 

Can you try commenting out this line in your nginx configuration?

 

proxy_set_header X-Forwarded-Proto https;

 

The error that you are reporting now is being returned directly by Nginx. It means that something is trying to use plain text instead of TLS. You may also have to alter the way the server is configured. At the moment you have set Nginx to accept on TLS request only which may impact your ability to proxy to the backend since it does not use TLS.

 

You may need to alter the server block, you may need to comment out:

 

> ssl on

 

Then alter the listen paramter on Niginx like so:

 

> listen 8001 ssl;

 

https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/

---
Customer Operations Engineer | Security SME | Cloudera, Inc.