ngx.location.capture uses wrong certificate from a different server block
Hi,
I am using Nginx 1.19.5 with ngx_http_lua_module. We have been using ngx.location.capture().
Recently we use more server blocks. From the documentation, we expect the subrequest to be limited to the same server block. But what we have found is that when the setup is like below, the subrequest will randomly use a certificate from the other server block to fire a subrequest.
```nginx
server {
    listen 11123 ssl;
    ..
    location /main {
        access_by_lua_block {
            ngx.location.capture("/sub")
        }
        proxy_pass https://www.testing.com;
    }
    location /sub {
        proxy_ssl_certificate     crt-1.pem;
        proxy_ssl_certificate_key key-1.key;
        proxy_pass https://www.some-domain.com;
    }
}
server {
    listen 11124 ssl;
    ..
    location /main {
        access_by_lua_block {
            ngx.location.capture("/sub")
        }
        proxy_pass https://www.testing.com;
    }
    location /sub {
        proxy_ssl_certificate     crt-2.pem;
        proxy_ssl_certificate_key key-2.key;
        proxy_pass https://www.some-domain.com;
    }
}
```
From the above setup, if the main request is using port 11123, the subrequest will sometimes use crt-2.pem instead of crt-1.pem, causing some issues.
Is this an expected behavior? Is there any way to fix the issue? Any suggestions welcome. Thank you!
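One way to make the reported behaviour observable rather than inferred from upstream failures is to point both `/sub` locations at a local mTLS test upstream that echoes the subject DN of whichever client certificate was presented, and log that DN from the `access_by_lua_block`. This is an added diagnostic config, not part of the original report; the port 9443, the `test-upstream.*` server files and the `upstream-log` log name are placeholders.

```nginx
# Local mTLS test upstream: asks for a client certificate and echoes its
# subject DN, so the body of the subrequest response says which
# proxy_ssl_certificate was actually presented.
server {
    listen 127.0.0.1:9443 ssl;
    server_name test-upstream;
    ssl_certificate     test-upstream.crt;   # placeholder server cert
    ssl_certificate_key test-upstream.key;   # placeholder server key
    # Request but do not verify the client cert; $ssl_client_s_dn is
    # filled in whenever one is presented.
    ssl_verify_client optional_no_ca;
    location / {
        default_type text/plain;
        return 200 "$ssl_client_s_dn\n";
    }
}

# Front server block under test (the second block is identical except for
# the listen port and crt-2.pem/key-2.key).
server {
    listen 11123 ssl;
    server_name _;
    location /main {
        access_by_lua_block {
            local res = ngx.location.capture("/sub")
            -- Expected DN is the subject of crt-1.pem; anything else means
            -- the subrequest picked up the other server block's certificate.
            ngx.log(ngx.WARN, "port 11123 subrequest presented cert: ",
                    res.status, " ", res.body)
        }
        proxy_pass https://www.testing.com;
    }
    location /sub {
        proxy_ssl_certificate     crt-1.pem;
        proxy_ssl_certificate_key key-1.key;
        proxy_pass https://127.0.0.1:9443;
    }
}
```

Fire a few hundred requests at `/main` on each port and grep the error log for the `presented cert:` lines; a DN that does not match the certificate configured for that port reproduces the report with hard evidence.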
Do ports 11123 and 11124 have the same server_name?
Yes. Both server blocks have _ as their server name. See below:
server_name _;
Try adding a different server name for each server. I think ngx.location.capture did not consider the port.
I have added a specific server name to one of the server blocks, keeping the other one as _, but the issue persists.
http://nginx.org/en/docs/http/server_names.html
`In catch-all server examples the strange name "_" can be seen:
server { listen 80 default_server; server_name _; return 444; }
There is nothing special about this name, it is just one of a myriad of invalid domain names which never intersect with any real name. Other invalid names like "--" and "!@#" may equally be used.`
So please try setting specific names in both servers.
Hi,
Sorry for the late reply. We tried that and the issue still exists.