HTTP-01 challenge can't reach local server

I've enabled an nginx reverse proxy with the following configuration:

events {}

http {
  server {
    listen        80;
    server_name   test.reverseproxy.in;

    location  /.well-known/public/whoami  {
      proxy_set_header  X-Real-IP        $remote_addr;
      proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header  Host             $host;
      proxy_pass        http://127.0.0.1:5002;
    }

    # HTTP-01 validation requests arrive here over port 80 and are
    # forwarded to the same local backend as the whoami route.
    location  /.well-known/acme-challenge  {
      proxy_set_header  X-Real-IP        $remote_addr;
      proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header  Host             $host;
      proxy_pass        http://127.0.0.1:5002;
    }
  }
}

and ensured that curl localhost/.well-known/acme-challenge/<REQUIRED_NAME> returns the correct value, but I'm still getting the same 403 error as described in the first case (also tried with another port, 8333). I investigated the behaviour of 127.0.0.1:5002 and 10.30.50.3:5002 and confirmed that they are completely different. curl 10.30.50.3:5002/.well-known/acme-challenge/<REQUIRED_NAME> returns an empty string and, furthermore, it accepts any route. I tried curl 10.30.50.3:5002/anyaddress/1111 and it returns an empty string too, with 200 OK (captured in Wireshark):

Frame 79: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits) on interface veth88c85f6, id 0
Ethernet II, Src: 02:42:7a:11:cc:b9 (02:42:7a:11:cc:b9), Dst: 02:42:0a:1e:32:03 (02:42:0a:1e:32:03)
Internet Protocol Version 4, Src: 10.30.50.1, Dst: 10.30.50.3
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 146
    Identification: 0x6f22 (28450)
    Flags: 0x40, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x5304 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.30.50.1
    Destination Address: 10.30.50.3
Transmission Control Protocol, Src Port: 48744, Dst Port: 5002, Seq: 1, Ack: 1, Len: 94
    Source Port: 48744
    Destination Port: 5002
    [Stream index: 3]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 94]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 2529221429
    [Next Sequence Number: 95    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 781436275
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
    Window: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0x78c4 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
    TCP payload (94 bytes)
Hypertext Transfer Protocol
    GET /anyaddress/1111 HTTP/1.1\r\n
    Host: 10.30.50.3:5002\r\n
    User-Agent: curl/7.81.0\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://10.30.50.3:5002/anyaddress/1111]
    [HTTP request 1/1]
    [Response in frame: 81]

Also, I checked /etc/hosts; it is empty.
I'm not sure, but according to the README, 10.30.50.3:5002 is a challenge server and maybe it is deployed separately (so 10.30.50.3:5002 and 127.0.0.1:5002 are different servers). But I can't understand why the destination IP for challenge validation is 10.30.50.3. Probably I need to change the default docker-compose.yml?

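An added pre-flight check for the situation described above; this is example code written for this page, not code from the original post or from the project it uses. It does what an ACME CA does for HTTP-01: it fetches http://<host>/.well-known/acme-challenge/<token> and compares the body with the key authorization "<token>.<JWK thumbprint>" (RFC 8555, RFC 7638). It then runs that check against three constructed local servers: one that serves the token correctly, one that answers 200 with an empty body on every path (the behaviour observed on 10.30.50.3:5002), and one that answers 403 (the error the post reports). The account key, token and port numbers are constructed for the demo and are not values from the post.

```python
"""HTTP-01 pre-flight check, added example (not from the original post)."""
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at the challenge URL (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_http01(base_url: str, token: str, jwk: dict) -> tuple:
    """Fetch the challenge URL like a CA would; returns (passed, reason)."""
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    expected = key_authorization(token, jwk)
    try:
        with urlopen(url, timeout=5) as resp:
            body = resp.read().decode(errors="replace").strip()
    except HTTPError as e:  # any non-2xx status, e.g. the 403 from the post
        return False, f"HTTP {e.code} from {url}"
    except URLError as e:
        return False, f"cannot connect to {url}: {e.reason}"
    if body != expected:  # a 200 with an empty or wrong body still fails validation
        return False, f"200 OK but body {body!r} does not match key authorization {expected!r}"
    return True, "ok"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Correct responder: serves the key authorization for known tokens, 404 otherwise."""
    tokens: dict = {}  # token -> key authorization, filled in by demo()

    def do_GET(self):
        token = self.path[len(CHALLENGE_PATH):] if self.path.startswith(CHALLENGE_PATH) else ""
        if token not in self.tokens:
            self.send_error(404)
            return
        body = self.tokens[token].encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class EmptyOkHandler(ChallengeHandler):
    """Answers 200 with an empty body on every path, like the observed 10.30.50.3:5002."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


class ForbiddenHandler(ChallengeHandler):
    """Answers 403 on every path, the error the post reports."""
    def do_GET(self):
        self.send_error(403)


def serve(handler):
    """Start a throwaway server on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def demo() -> dict:
    # Constructed sample account key and token; the EC coordinates are not a real point.
    jwk = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    ChallengeHandler.tokens = {token: key_authorization(token, jwk)}
    results = {}
    for name, handler in (("good", ChallengeHandler), ("empty200", EmptyOkHandler),
                          ("forbidden", ForbiddenHandler)):
        srv, url = serve(handler)
        try:
            results[name] = check_http01(url, token, jwk)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10} {'PASS' if ok else 'FAIL'}  {why}")
```

Against a real deployment, call check_http01("http://test.reverseproxy.in", token, jwk) from a host outside the Docker network: the CA connects to whatever the public A record resolves to, not to 127.0.0.1, so a backend that answers correctly on localhost but an empty 200 on the address the validator actually reaches will still fail, and a 403 from the proxy fails before the body is even compared.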