I set up nginx as a reverse proxy for my Apache Tomcat. It works normally, as I expected. However, I got confused because NGINX always returns a 502 Bad Gateway when the Apache Tomcat server is down, instead of returning a 504 Bad Gateway timeout.

502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.

504 Gateway Timeout: The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.

user  root;
worker_processes  1;

events {
        worker_connections  1024;
}

http {
       include       mime.types;
       default_type  application/octet-stream;
       sendfile        on;

       ssl_session_cache   shared:SSL:20m;
       ssl_session_timeout 10m;
       keepalive_timeout  65;

       map $http_upgrade $connection_upgrade {
               default Upgrade;
               '' close;
       }

        server {
                listen          *:80;
                return 301      https://$host:443$request_uri;
        }

        server{
                listen       *:443; #Ip of client
                # Specifies the maximum accepted body size of a client request, as indicated by the request header Content-Length.
                client_max_body_size 1024M;
                # ssl config
                ssl                  on;
                ssl_certificate      server.crt;
                ssl_certificate_key  server.key;

                # for proxy timeout
                proxy_connect_timeout 75s;
                proxy_read_timeout 600s;
                proxy_send_timeout 600s;

                # not cache authorization
                proxy_no_cache $http_pragma $http_authorization;


                location /wss {
                        rewrite ^.*\/wss\/(?<api>.*) /$api break;
                        proxy_pass http://127.0.0.1:8071;

                        # for websocket
                       proxy_set_header Upgrade $http_upgrade;
                       proxy_set_header Connection $connection_upgrade;
                       proxy_http_version 1.1;
                       proxy_buffering off;
                       proxy_ignore_client_abort off;
                       proxy_read_timeout 1d;
                       proxy_send_timeout 1d;
                }

                location / {
                        proxy_buffering off;
                        proxy_pass http://127.0.0.1:8071;
                }
        }
}

Error log when accessing:

2015/10/19 10:10:03 [error] 29475#0: *44 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.70.60, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8071/", host: "192.168.70.161"

2015/10/19 10:10:03 [error] 29475#0: *44 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.70.60, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8071/", host: "192.168.70.161"

Can anyone explain why NGINX returns a 502 HTTP error instead of a 504? Or are there problems with my configuration?

I think I missed something. 504 only happens when NGINX can't forward the request to the proxied server but the proxied server doesn't respond in time as NGINX expected. In my case:

proxy_connect_timeout 75s;
proxy_read_timeout 600s;
proxy_send_timeout 600s;

So in case the proxied server is down, NGINX will respond with the HTTP error code 502, 503?

1 Answer

By default, the SELinux configuration does not allow NGINX to connect to a remote web, FastCGI, or other server. You can set permissive mode with setenforce 0 to check whether SELinux is to blame. If it is, all you have to do is use audit2allow to generate a set of policy rules that would allow the required actions:

grep nginx /var/log/audit/audit.log | audit2allow -M nginx

semodule -i nginx.pp

After that, remember to enable SELinux again with setenforce 1.


For more about that, you can see this article.


1 Comment

This works, thanks! This should be marked as the answer.
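
Added example, not part of the original question or answer: a shell triage that maps an nginx error-log line to the status it produces (502 for a refused or denied connect, 504 for an upstream timeout) and lists the ports SELinux denied to nginx in audit records. The function names are hypothetical, and every sample line except the one quoted in the question is constructed.

```shell
#!/bin/sh
# Added example: triage an nginx upstream error before touching SELinux.

# Map one error-log line to "<status> <cause>", keyed on the errno text nginx logs.
classify_upstream_error() {
    case "$1" in
        *"(13: Permission denied) while connecting to upstream"*)
            echo "502 connect-denied-check-selinux" ;;
        *"(111: Connection refused) while connecting to upstream"*)
            echo "502 upstream-not-listening" ;;
        *"upstream timed out"*)
            echo "504 upstream-timeout" ;;
        *)  echo "unknown" ;;
    esac
}

# Print the destination ports of SELinux name_connect denials for nginx.
# Reads audit records on stdin (for example from /var/log/audit/audit.log).
selinux_denied_ports() {
    grep 'denied' | grep 'name_connect' | grep 'comm="nginx"' |
        sed -n 's/.* dest=\([0-9][0-9]*\).*/\1/p' | sort -u
}

# Sample input. LINE_REFUSED is the line quoted in the question; the rest is constructed.
LINE_REFUSED='2015/10/19 10:10:03 [error] 29475#0: *44 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.70.60, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8071/", host: "192.168.70.161"'
LINE_DENIED='[error] 1#0: *1 connect() failed (13: Permission denied) while connecting to upstream'
LINE_TIMEOUT='[error] 1#0: *2 upstream timed out (110: Connection timed out) while reading response header from upstream'
AUDIT_SAMPLE='type=AVC msg=audit(1445245803.101:412): avc:  denied  { name_connect } for  pid=29475 comm="nginx" dest=8071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

classify_upstream_error "$LINE_REFUSED"
printf '%s\n' "$AUDIT_SAMPLE" | selinux_denied_ports
```

When the second function reports a port, `audit2allow -M nginx` also writes `nginx.te`; reading that file before running `semodule -i` shows exactly which rules are about to be allowed.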
