====== Notes for Reverse Poxy with NginX ======

===== Basic Auth passthrough =====

Passing basic auth from the backend through NginX is actually quite simple as long as you don't start catching the 403 return codes sent from the backend.

Here is a standard reverse proxy host for a magento shop that works correctly. Pay attention to the "error_page" block that is commented out:

<file>
root@bps1:/etc/nginx/conf.d# cat niedersachsen.com.conf 
  server {
      server_name partnershop.niedersachsen.com;
      listen 178.15.51.205:80;
      add_header  Cache-Control public;
      access_log  /var/log/nginx/niedersachsen.com.access.log main;
      error_log   /var/log/nginx/niedersachsen.com.de.error.log debug;
      index       index.php index.html index.htm;
      limit_conn  gulag 50;

     ## Only allow these request methods
      if ($request_method !~ ^(GET|HEAD|POST)$ ) {
         return 444;
      }

     ## PROXY - Web
     location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
        proxy_pass              http://10.1.21.333;
	proxy_pass_header	Set-Cookie;
        proxy_cache             cache;
        proxy_cache_key         backend$scheme://$host$request_uri;
        proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_valid       200 24h;
        proxy_ignore_headers    Expires Cache-Control;
        proxy_redirect          off;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-Host $host;
	proxy_set_header	Host $host;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      }

    location / {
        proxy_pass              http://10.1.21.333;
        proxy_pass_header       Set-Cookie;
        proxy_ignore_headers    Expires Cache-Control;
        proxy_redirect          off;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-Host $host;
	proxy_set_header	Host $host;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }

     ## All other errors get the generic error page
#      error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
#                 500 501 502 503 504 505 506 507 /error_page.html;
#      location  /error_page.html {
#          internal;
#      }
  }

root@bps1:/etc/nginx/conf.d# 
</file>

Once the error_page block is commented out the basic auth requests will be relayed as they should be.

===== Clearing the cache from the backend =====

Cache control in nginx is a touchy topic at best. There are a few modules that can help you get control of the cache, but these modules are not part of the normal package installs that you get from most distros. If you are in a situation where Company policy restrict the introduction of non-standard code into a package then you are in a situation where cache control in nginx can get tricky.

Luckily you can control the cache on specific pages with the follow bit of code:

<file>
server {
…
    location / {
        ...
        proxy_cache_bypass      $cookie_session $http_x_update_cache;
        ...
    }
…
}
</file>

Once that bit of code is in your server block (Where the caching is actually being done. Not in a block where the cache is being bypassed.) all you have to do is call the URL you want to clear from the backend with a script that sets the X-update-cache Header. Perl, PHP, Python or any other language that allows you to set the outgoing headers of your HTTP request is sufficient to get this working.

<file>
curl -H „X-Update-Cache: 1“ http://subdomain.domain.tld/your/url/to/clear.html
</file>

enjoy.