
I have two Node.js apps sitting behind an nginx reverse proxy. Here is my nginx configuration:

```nginx
# main_api
location / {
    proxy_pass http://localhost:3000;
}

# chat_api
location /socket.io/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy false;
    proxy_pass http://localhost:3001/socket.io/;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
# ....
# ssl stuffs
```

I can send normal HTTP requests with a JSON body. But when I send multipart/form-data, nginx removes fields from my request body. My request contains a few text fields and a file. If I access the HTTPS version of my API URL, only the file gets ignored by nginx, but when the HTTP version is accessed, the text fields also get ignored, and my POST request gets converted into a GET request.

Here is my nginx access log:

```
103.160.233.51 - - [28/May/2022:07:23:51 +0000] "POST /api/files/upload_dp HTTP/1.1" 500 26 "-" "PostmanRuntime/7.29.0"
103.160.233.51 - - [28/May/2022:07:24:04 +0000] "POST /api/files/upload_dp HTTP/1.1" 301 178 "-" "PostmanRuntime/7.29.0"
103.160.233.51 - - [28/May/2022:07:24:04 +0000] "GET /api/files/upload_dp HTTP/1.1" 401 43 "http://myapiurl.com/api/files/upload_dp" "PostmanRuntime/7.29.0"
```

And the nginx error log is empty.

What nginx config option am I missing?

2 Answers


  1. Your backend returns HTTP 500, then HTTP 301. According to the RFC documents, 301 does not require the browser to use the same HTTP method when following the redirection.

    If you want to force the browser to use the same method – your backend should respond with HTTP 307 (which is supported only by newer nginx versions).

    For more information – read https://blog.codefarm.me/2021/09/24/http-redirect-3xx/

  2. You might want to check with your network team whether the request is getting blocked at the WAF level. Once the WAF blocks it, it redirects to the FQDN only, removes every other URI part, and redirects as a GET request.

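The POST-to-GET change discussed in the first answer is visible in the access log from the question: a POST answered with 301, followed within the same second by a GET for the same path from the same client. As an added example (not part of the original posts), this Python script flags that pattern in nginx combined-format logs; the function names and the 5-second window are assumptions, and the sample lines are the ones quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Sample input: the three access-log lines quoted in the question.
SAMPLE_LOG = '''\
103.160.233.51 - - [28/May/2022:07:23:51 +0000] "POST /api/files/upload_dp HTTP/1.1" 500 26 "-" "PostmanRuntime/7.29.0"
103.160.233.51 - - [28/May/2022:07:24:04 +0000] "POST /api/files/upload_dp HTTP/1.1" 301 178 "-" "PostmanRuntime/7.29.0"
103.160.233.51 - - [28/May/2022:07:24:04 +0000] "GET /api/files/upload_dp HTTP/1.1" 401 43 "http://myapiurl.com/api/files/upload_dp" "PostmanRuntime/7.29.0"
'''

# nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Redirects after which clients may (301, 302) or must (303) switch to GET.
# 307 and 308 are left out: they require the method and body to be kept.
REWRITING_REDIRECTS = {301, 302, 303}

def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_method_downgrades(log_text, window_seconds=5):
    """Return (redirected, follow_up) pairs: a non-GET request answered with
    301/302/303, then a GET for the same path from the same client."""
    window = timedelta(seconds=window_seconds)
    pending = {}  # (ip, user agent, path) -> redirected request
    hits = []
    for rec in parse(log_text):
        key = (rec["ip"], rec["ua"], rec["path"])
        if rec["method"] not in ("GET", "HEAD") and rec["status"] in REWRITING_REDIRECTS:
            pending[key] = rec
        elif rec["method"] == "GET" and key in pending:
            first = pending.pop(key)
            if rec["ts"] - first["ts"] <= window:
                hits.append((first, rec))
    return hits

if __name__ == "__main__":
    for first, follow in find_method_downgrades(SAMPLE_LOG):
        print(f'{first["ip"]}: {first["method"]} {first["path"]} -> '
              f'{first["status"]}, then {follow["method"]} -> {follow["status"]}')
```

Each hit marks a request whose body was dropped at the redirect; the first POST in the sample (status 500) is not flagged because it was never redirected.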