This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

nginx: [emerg] unknown directive "proxy_ssl_server_name" when using proxies on Heroku-20 #185

Closed
edmorley opened this issue Nov 19, 2020 · 7 comments · Fixed by #186
@edmorley
Member

When using proxies on Heroku-20, nginx aborts with:

```
nginx: [emerg] unknown directive "proxy_ssl_server_name"
```

STR:

```
$ mkdir testapp-static && cd $_ && git init && h create --stack heroku-20
$ h buildpacks:add https://github.com/heroku/heroku-buildpack-static
$ cat > static.json <<EOF
{
  "proxies": {
    "/api/": {
      "origin": "https://example-app-that-does-not-exist.herokuapp.com/"
    }
  }
}
EOF
$ git add -A; git commit -m '.' && git push heroku main
...
$ curl -sSI https://infinite-forest-04844.herokuapp.com/api/ | head -n1
HTTP/1.1 503 Service Unavailable
$ h logs
...
2020-11-19T13:44:20.084652+00:00 heroku[web.1]: Starting process with command `bin/boot`
2020-11-19T13:44:22.800187+00:00 app[web.1]: Starting log redirection...
2020-11-19T13:44:22.800411+00:00 app[web.1]: Starting nginx...
2020-11-19T13:44:22.875465+00:00 app[web.1]: nginx: [emerg] unknown directive "proxy_ssl_server_name" in ./config/nginx.conf:77
2020-11-19T13:44:22.879244+00:00 app[web.1]: Process exited unexpectedly: nginx
2020-11-19T13:44:22.879338+00:00 app[web.1]: Going down, terminating child processes...
```

`bin/nginx -V` reports:

```
nginx version: nginx/1.19.0
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
configure arguments: --add-module=/tmp/ngx_mruby.9Ikl --add-module=/tmp/ngx_mruby.9Ikl/dependence/ngx_devel_kit --prefix=/tmp/ngx_mruby.9Ikl/build/nginx --with-http_stub_status_module --with-stream --without-stream_access_module --with-cc-opt=-fno-common
```

And a `h run bash` followed by:

```
~ $ bin/boot &
~ $ cat /app/config/nginx.conf
```

Shows the generated config to be:

`nginx.conf`:

```
daemon off;
worker_processes auto;

events {
  use epoll;
  accept_mutex on;
  worker_connections 2048;
}

http {
  gzip on;
  gzip_comp_level 6;
  gzip_min_length 512;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_vary on;
  gzip_proxied any;

  server_tokens off;

  access_log logs/access.log;

  error_log stderr error;

  include mime.types;
  default_type application/octet-stream;
  sendfile on;

  #Must read the body in 5 seconds.
  client_body_timeout 5;

  server {
    listen 36736 reuseport;
    charset UTF-8;
    port_in_redirect off;
    keepalive_timeout 5;
    root public_html/;

    resolver 172.16.0.23 8.8.8.8;

    mruby_post_read_handler /app/bin/config/lib/ngx_mruby/headers.rb cache;

    location / {
      mruby_set $fallback /app/bin/config/lib/ngx_mruby/routes_fallback.rb cache;

      try_files $uri $uri/ $fallback;

    }

  # need this b/c setting $fallback to =404 will try #{root}=404 instead of returning a 404
  location @404 {
    return 404;
  }

  # fallback proxy named match

    set $upstream_endpoint_0 https://hone-ember-todo-rails.herokuapp.com;
    location @/api/ {
      rewrite ^/api//?(.*)$ /$1 break;
      # can reuse variable set above
      proxy_pass $upstream_endpoint_0;
      proxy_ssl_server_name on;

      proxy_redirect http://hone-ember-todo-rails.herokuapp.com/ /api/;

      proxy_redirect https://hone-ember-todo-rails.herokuapp.com/ /api/;

    }

  # fallback redirects named match

  }
}
```

@edmorley
Member Author

The buildpack generates the proxy section of the nginx config here:

```
# fallback proxy named match
<% proxies.each do |location, hash| %>
  set $<%= hash['name'] %> <%= hash['host'] %>;
  location @<%= location %> {
    rewrite ^<%= location %>/?(.*)$ <%= hash['path'] %>/$1 break;
    # can reuse variable set above
    proxy_pass $<%= hash['name'] %>;
    proxy_ssl_server_name on;
    <% %w(http https).each do |scheme| %>
    proxy_redirect <%= hash["redirect_#{scheme}"] %> <%= location %>;
    <% end %>
  }
<% end %>
```

Comparing this generated content between an app on heroku-18 and heroku-20 I see no differences.

The nginx docs say that the `proxy_ssl_server_name` directive should be available in all nginx versions since 1.7.0:
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name

My only thought is that perhaps SSL/TLS isn't enabled correctly in this build, and that nginx has an awful UX that doesn't say "this directive isn't supported when SSL isn't enabled".

@valentinoli

I encountered this problem with heroku-20, had to temporarily downgrade to heroku-18. My static.json is pretty basic:

```
{
  "root": "dist",
  "clean_urls": false,
  "https_only": true,
  "routes": {
    "/**": "/app.html"
  },
  "proxies": {
    "/api/": {
      "origin": "https://someapi.com"
    }
  }
}
```

@edmorley
Member Author

Re-running the nginx compile locally (using `make build-heroku-20`) I see this in the output:

```
Configuration summary
  + using system PCRE library
  + OpenSSL library is not used
  + using system zlib library
```

This is surprising, since the build docs for ngx_mruby suggested openssl was a requirement for building, so I hadn't imagined it would be off by default.

Now trying a build locally that passes `--with-http_ssl_module`.

edmorley added a commit that referenced this issue Nov 19, 2020
Previously the compile silently skipped the SSL module:

```
Configuration summary
  ...
  + OpenSSL library is not used
```

Which causes failures if SSL related directives are used.

Now the `--with-http_ssl_module` flag is passed, which results in:

```
Configuration summary
  ...
  + using system OpenSSL library
```

And `nginx -V` now includes an additional line:

```
built with OpenSSL 1.1.1f  31 Mar 2020
```

See:
https://github.com/matsumotory/ngx_mruby/tree/master/docs/install#3-a-using-buildsh

Fixes #185.
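
A build-time gate for the failure mode in this issue, as an added example that is not part of the original thread or the buildpack's code: it reads `nginx -V` output and a generated config, and fails when the config uses `proxy_ssl_*`/`ssl_*` directives but the binary was compiled without `--with-http_ssl_module`. The function names, the SSL-enabled `-V` sample and the config fragment are constructed for illustration; the non-SSL `-V` sample is the output quoted in the issue.

```shell
#!/bin/sh
# Added example (not the buildpack's code). In real use, capture the banner
# with:  v_output=$(bin/nginx -V 2>&1)   (nginx prints -V output on stderr).

# `nginx -V` output as quoted in the issue: no --with-http_ssl_module.
V_NO_SSL='nginx version: nginx/1.19.0
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
configure arguments: --add-module=/tmp/ngx_mruby.9Ikl --add-module=/tmp/ngx_mruby.9Ikl/dependence/ngx_devel_kit --prefix=/tmp/ngx_mruby.9Ikl/build/nginx --with-http_stub_status_module --with-stream --without-stream_access_module --with-cc-opt=-fno-common'

# Constructed sample of a build that passes the flag from the fix.
V_WITH_SSL='nginx version: nginx/1.19.0
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1f  31 Mar 2020
configure arguments: --with-http_ssl_module --with-http_stub_status_module'

# Constructed fragment modelled on the generated proxy block in the issue.
CONF='location @/api/ {
  proxy_pass $upstream_endpoint_0;
  proxy_ssl_server_name on;
}'

# Succeeds when the configure arguments include the HTTP SSL module.
has_http_ssl() {
  printf '%s\n' "$1" |
    grep -Eq '^configure arguments:.*--with-http_ssl_module( |$)'
}

# Prints "line:directive" for every directive that needs the HTTP SSL module.
# Commented-out lines are skipped because the name must start the line.
ssl_directives_in() {
  printf '%s\n' "$1" |
    grep -nE '^[[:space:]]*(proxy_)?ssl_[a-z_]+[[:space:]]' |
    sed -E 's/^([0-9]+):[[:space:]]*([a-z_]+).*/\1:\2/'
}

# Gate: returns 1 and lists the offending directives when the config would
# abort with "unknown directive" on this binary; returns 0 otherwise.
check_build() {
  found=$(ssl_directives_in "$2") || true
  if [ -n "$found" ] && ! has_http_ssl "$1"; then
    echo "nginx lacks --with-http_ssl_module but the config uses:" >&2
    printf '%s\n' "$found" | sed 's/^/  /' >&2
    return 1
  fi
}

# Demo: the binary from the issue is rejected, the rebuilt one passes.
check_build "$V_NO_SSL" "$CONF" || echo "gate: build rejected"
check_build "$V_WITH_SSL" "$CONF" && echo "gate: build accepted"
```

Running a gate like this before uploading binaries turns the silent "OpenSSL library is not used" configure result into a build failure instead of a runtime 503.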
@edmorley edmorley self-assigned this Nov 19, 2020
@edmorley
Member Author

I have a fix in #186 - after that's approved/merged I'll generate/upload new binaries to S3.

edmorley added a commit that referenced this issue Nov 19, 2020
Previously the compile silently skipped the SSL module:

```
Configuration summary
  ...
  + OpenSSL library is not used
```

Which causes failures if SSL related directives are used.

Now the `--with-http_ssl_module` flag is passed, which results in:

```
Configuration summary
  ...
  + using system OpenSSL library
```

And `nginx -V` now includes an additional line:

```
built with OpenSSL 1.1.1f  31 Mar 2020
```

See:
https://github.com/matsumotory/ngx_mruby/tree/master/docs/install#3-a-using-buildsh

Fixes #185.
Closes W-8449334.
@edmorley
Member Author

The STR no longer reproduce for me now that I've regenerated the binaries in #186.

@valentinoli

I redeployed my app with heroku-20 and now everything works as expected. Thank you for this quick fix!

@edmorley
Member Author

@valentinoli You're welcome! :-)

mikaelbartlett pushed a commit to nixonnixon/heroku-buildpack-static that referenced this issue Apr 4, 2021
sidmitra pushed a commit to Airbase/heroku-buildpack-static that referenced this issue Jun 21, 2021
niels-van-den-broeck added a commit to Pelckmans/heroku-buildpack-static that referenced this issue Dec 22, 2022
* [changelog skip] Ensure PRs include a Changelog entry

The goal of this PR is to add a github action that checks for the presence of a changelog entry.

It is better to add entries as a PR is merged instead of having to remember what was merged and generate a changelog at release time.

By automating this check, it's one less thing the maintainer has to remember, and it's one less thing a change might be blocked on i.e. "Looks good, but please add a changelog entry".

Let me know if you have any questions and Happy Friday!

* [changelog skip] Fix Escaping in Changelog Script

The previous PR had a bug where the REGEX for grep was not properly escaped. This PR fixes that issue.

* Update check_changelog.yml

* Add missing changelog entries for v4 (heroku#176)

And clean up the existing changelog slightly.

Closes heroku#175.

* Bump json from 2.0.2 to 2.3.1 (heroku#173)

Bumps [json](https://github.com/flori/json) from 2.0.2 to 2.3.1.
- [Release notes](https://github.com/flori/json/releases)
- [Changelog](https://github.com/flori/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.0.2...v2.3.1)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump rake from 10.4.0 to 12.3.3 (heroku#158)

Bumps [rake](https://github.com/ruby/rake) from 10.4.0 to 12.3.3.
- [Release notes](https://github.com/ruby/rake/releases)
- [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc)
- [Commits](ruby/rake@v10.4.0...v12.3.3)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump excon from 0.54.0 to 0.78.0 (heroku#180)

Bumps [excon](https://github.com/excon/excon) from 0.54.0 to 0.78.0.
- [Release notes](https://github.com/excon/excon/releases)
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](excon/excon@v0.54.0...v0.78.0)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump rack from 1.6.11 to 1.6.13 in /spec/support/docker/proxy (heroku#179)

Bumps [rack](https://github.com/rack/rack) from 1.6.11 to 1.6.13.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](rack/rack@1.6.11...1.6.13)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added MIT License (heroku#117)

* Remove redundant `exit 0`

Since with exit on error, if that line is ever reached,
the exit code will always be zero anyway.

* Fail the build early on unsupported stacks

In order to prevent the build completing apparently successfully, but
the app fail to boot at runtime due to stack incompatibility.

At first glance this would seem unnecessary due to the stack-specific
URL meaning the `curl` would 404 on supported stacks. However heroku#165
means the Cedar-14 binary is installed on all stacks, and on Heroku-20
causes the failures at runtime seen in heroku#166.

Future PRs will fix the curl/binary handling to use stack-specific URLs,
however it's still nicer to explicitly handle unsupported stacks with a
clear error message than a 404.

* Remove unused archive caching

The caching of the nginx archive isn't used in production (nothing ever
writes to the cached file) or in CI. Whilst it may speed up some local
development workflows slightly, on a fast connection downloading from
S3 takes less than a second, so isn't worth the added `bin/compile`
complexity / confusion as to behaviour in production.

* Switch to recommended S3 URL format

- The `s3-external-1` endpoint is a legacy reference to `us-east-1`:
  https://stackoverflow.com/a/26622229
- The path based bucket specification is deprecated:
  https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/

* Fix the printing of the installed nginx version

Previously the nginx version command was failing since the
`nginx-$STACK` binary does not exist, resulting in output like:

```
remote: -----> Installed directory to /app/bin
```

This failure went unnoticed since `pipefail` mode is not enabled.

The nginx binary path has been fixed, and the command now uses
`-v` instead of `-V` since the former only output one line, avoiding
the need to `head -n1`. In addition, the `cut` usage shows more of
the original line in the case of no match.

Fixes heroku#174.

* Enable stricter bash error checking modes

Enables the following bash modes:
- `u`: error on undefined variables
- `pipefail`: error if an earlier command in a pipe sequence exits
  non-zero, rather than only if the final command is non-zero

See:
http://redsymbol.net/articles/unofficial-bash-strict-mode/

* Make curl retry in case of a failed download

To improve the reliability of the build.

See:
https://curl.haxx.se/docs/manpage.html#--retry
https://curl.haxx.se/docs/manpage.html#--connect-timeout

* Exclude unnecessary files when publishing buildpack (heroku#178)

Since currently the archive on the buildpack registry contains
a lot more than the ~15 files needed at compile time:

```
$ curl -sSf https://buildpack-registry.s3.amazonaws.com/buildpacks/heroku-community/static.tgz | tar -zt | wc -l
234
```

See:
https://devcenter.heroku.com/articles/buildpack-registry#creating-a-buildpack-descriptor

* Fix compatibility with ngx_mruby 1.18.4+ (heroku#181)

The `mruby_post_read_handler` directive should always have been outside
the `location` block, however due to a bug in ngx_mruby the previous
implementation happened to still work.

In ngx_mruby 1.18.4 this silently stopped being the case:
matsumotory/ngx_mruby#210

And in ngx_mruby 1.18.5 this incorrect usage was turned into an error:
matsumotory/ngx_mruby#217

Moving `mruby_post_read_handler` outside the location block is a no-op
for the older ngx_mruby currently used by this buildpack, but ensures
compatibility with the newer ngx_mruby being used in the upcoming
Heroku-20 support PR.

See matsumotory/ngx_mruby#210.

* Add support for Heroku-20 (heroku#182)

This adds support for the new Heroku-20 stack:
https://devcenter.heroku.com/articles/heroku-20-stack

The buildpack's binaries were previously generated by:
https://github.com/hone/docker-nginx-builder

However that repository is quite out of date, and much of its complexity
is no longer required thanks to improvements to `ngx_mruby`'s upstream
build scripts/process:
https://github.com/matsumotory/ngx_mruby/tree/v2.2.3/docs/install
https://github.com/matsumotory/ngx_mruby/blob/v2.2.3/build.sh

The new build script has been co-located in this buildpack to improve
discoverability, and prevent needing to open PRs against multiple repos
when performing updates.

The buildpack previously used a subdirectory of the Ruby buildpack's
S3 bucket, however I've created a new S3 bucket to improve isolation.

This PR adds support for building new binaries for all stacks, however
for now only switches to them for Heroku-20, so that the newer nginx
version can be tested on the new stack for a while before backporting
to the others.

The newer ngx_mruby required a compatibility fix, however that has
already landed in heroku#181.

The binaries have been uploaded already, using the newly documented
steps in the README.

Closes heroku#166.
Closes W-8367040.

* Release v5 (heroku#183)

* Ensure the SSL module is enabled (heroku#186)

Previously the compile silently skipped the SSL module:

```
Configuration summary
  ...
  + OpenSSL library is not used
```

Which causes failures if SSL related directives are used.

Now the `--with-http_ssl_module` flag is passed, which results in:

```
Configuration summary
  ...
  + using system OpenSSL library
```

And `nginx -V` now includes an additional line:

```
built with OpenSSL 1.1.1f  31 Mar 2020
```

See:
https://github.com/matsumotory/ngx_mruby/tree/master/docs/install#3-a-using-buildsh

Fixes heroku#185.
Closes W-8449334.

* Update nginx for Heroku-16 and Heroku-18 to 1.19.0 (heroku#190)

Upgrades nginx from 1.9.7 to 1.19.0, to match that already used for
Heroku-20. In addition, the buildpack now uses the correct binaries
for these stacks, rather than using a binary compiled for Cedar-14.

Fixes heroku#165.

* Release v6 (heroku#191)

* Docs: Use the buildpack registry URL in usage example (heroku#194)

Since this buildpack exists on the buildpack registry under the name
`heroku-community/static`, and using buildpack registry versions is
recommended over the GitHub URLs.

* Output a helpful error message when no static.json is found (heroku#202)

The error message is now output to `stderr` otherwise it's not shown.

Closes GUS-W-8799430.
Refs heroku#198.

* Release v7 (heroku#203)

To pick up heroku#202.

Refs GUS-W-8799430.

* README: Fix spelling of 'instead' (heroku#213)

Signed-off-by: Josh Soref <[email protected]>

Co-authored-by: Josh Soref <[email protected]>

* Updated/Added CODEOWNERS with ECCN

* Port Check Changelog improvements from other repos (heroku#237)

eg:
https://github.com/heroku/heroku-buildpack-python/blob/5d6776f77a89e7ef3ada701d05c473117ecf817a/.github/workflows/check_changelog.yml

Notably, one can not use both a label and a PR description attribute, rather than the unsightly PR title annotation.

* Bump sinatra from 1.4.7 to 2.2.0 in /spec/support/docker/proxy (heroku#236)

Bumps [sinatra](https://github.com/sinatra/sinatra) from 1.4.7 to 2.2.0.
- [Release notes](https://github.com/sinatra/sinatra/releases)
- [Changelog](https://github.com/sinatra/sinatra/blob/master/CHANGELOG.md)
- [Commits](sinatra/sinatra@v1.4.7...v2.2.0)

---
updated-dependencies:
- dependency-name: sinatra
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Drop support for Cedar-14 and Heroku-16 (heroku#238)

Since they are EOL and it's no longer possible to perform builds
using them.

Closes heroku#214.
GUS-W-10346704.

* Update ngx_mruby to 2.2.4 and nginx to 1.21.3 (heroku#240)

The binary build process for this buildpack uses the default `nginx`
version specified by `ngx_mruby`. As such, updating `ngx_mruby`
from `2.2.3` to `2.2.4` means the bundled `nginx` version is also
updated from `1.19.0` to `1.21.3`:
https://github.com/matsumotory/ngx_mruby/blob/v2.2.3/nginx_version
https://github.com/matsumotory/ngx_mruby/blob/v2.2.4/nginx_version

Changes:
https://github.com/matsumotory/ngx_mruby/releases/tag/v2.2.4
https://nginx.org/en/CHANGES

GUS-W-10346704.

* Release v8 (heroku#241)

To pick up heroku#238 and heroku#240.

GUS-W-10346704.

* Bump rack from 2.2.3 to 2.2.3.1 in /spec/support/docker/proxy (heroku#242)

Bumps [rack](https://github.com/rack/rack) from 2.2.3 to 2.2.3.1.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@2.2.3...2.2.3.1)

---
updated-dependencies:
- dependency-name: rack
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Deprecate buildpack (heroku#243)

* Deprecate buildpack

This build pack is currently not maintained by a team and carries no support obligations. Let's make this clearer by deprecating the build pack.

This is done right before the release of heroku-22 as supporting new stacks require maintenance effort. Also before the desire to re-write it as a CNB comes into play.

* Bring back Readme contents

Having README docs makes it easier for developers to lookup features while they transition off the buildpack.

* Update docs for deprecation

- Mention the need to re-write mruby parts
- Link to a specific nginx build pack and give commands on how to add it
- Give specific command to remove this buildpack from app
- Mention in README we're open to extra docs/help for people migrating off.
- Space after testing header because it's my thing and I looked at those docs. 
- Added a link to where  `Nginx::Request` is defined because it's not obvious it comes from ngx_mruby

* Update README.md

Co-authored-by: Ed Morley <[email protected]>

* Update bin/compile

Co-authored-by: Ed Morley <[email protected]>

* Address PR comments

Co-authored-by: Ed Morley <[email protected]>

* v9 (heroku#244)

Co-authored-by: schneems <[email protected]>
Co-authored-by: Ed Morley <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Williams <[email protected]>
Co-authored-by: Josh Soref <[email protected]>
Co-authored-by: Josh Soref <[email protected]>
Co-authored-by: svc-scm <[email protected]>
Co-authored-by: niels-van-den-broeck <[email protected]>