The NGINX service on Okta Access Gateway (OAG) throws an error such as the following (seen in the logs or when checking the NGINX service status via the Management Console):
nginx: [emerg] "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement, or inside "limit_except" block in /etc/nginx/conf.d/icsgw_app_3071745c-061b-42fe-ac68-6cfe23002d5e.active.conf:168
If NGINX is restarted in this state, it may fail to start up. If changes to the application are made in this state, NGINX cannot reload to apply the configuration changes.
- Okta Access Gateway (OAG)
By default, OAG application policies are created with "Case sensitive" disabled. Internally, this causes the "location" directive for that policy in the NGINX configuration file to be written as a regex. The regex is how NGINX is able to match the policy regardless of case.
Within the "location" block for each application policy, OAG adds a "proxy_pass" directive that includes the Protected Resource. This is how NGINX is able to reverse proxy to the Protected Resource.
When a policy's "location" directive uses a regex, NGINX does not allow the "proxy_pass" in that block to contain additional URI elements after the domain.
Therefore, this error can occur when:
- The Application's Protected Resource includes an additional URI element after the domain (for example, https://example.com/URIelement).
- The Application includes a Policy that has "Case sensitive" unchecked.
- For any application that has a Protected Resource in a format with an additional URI element after the domain (for example, https://example.com/URIelement), enable the "Case sensitive" setting for all policies.
- If the policy should not be case-sensitive, reconfigure the application so that the Protected Resource does not include the additional URI element after the domain (in the above example, that would entail removing "/URIelement" from the end of the Protected Resource). This may require reconfiguring other policies as needed.
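
A pre-restart check for this condition, as an added example that is not Okta's or NGINX's own code: it scans NGINX configuration text for "proxy_pass" directives that carry a URI part inside a regex or named location, "if", or "limit_except" block. The sample configuration and the /policyA, /policyB and /policyC paths are constructed for illustration and are not real OAG output.

```python
import re

# Constructed sample, not real OAG output: policy A and C are regex locations.
SAMPLE = """
server {
    location ~* ^/policyA { proxy_pass https://example.com/URIelement; }
    location /policyB     { proxy_pass https://example.com/URIelement; }
    location ~* ^/policyC { proxy_pass https://example.com; }
}
"""

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def _restricted(header):
    """Regex or named location, "if", or "limit_except" block header."""
    if header[:1] in (["if"], ["limit_except"]):
        return True
    return (header[:1] == ["location"] and len(header) > 1
            and (header[1] in ("~", "~*") or header[1].startswith("@")))

def _has_uri_part(url):
    """True if anything, even a bare "/", follows host[:port]."""
    if "$" in url:  # variable form is resolved per request; no [emerg] at load
        return False
    return "/" in re.sub(r"^https?://", "", url.strip("\"'"))

def find_bad_proxy_pass(conf_text):
    """Return (enclosing block header, URL) pairs NGINX would refuse to load."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # naive comment strip
    stack, words, hits = [], [], []
    for tok in _TOKEN.findall(text):
        if tok == "{":
            stack.append(words)
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":
            if (len(words) == 2 and words[0] == "proxy_pass" and stack
                    and _restricted(stack[-1]) and _has_uri_part(words[1])):
                hits.append((" ".join(stack[-1]), words[1]))
            words = []
        else:
            words.append(tok)
    return hits

if __name__ == "__main__":
    for header, url in find_bad_proxy_pass(SAMPLE):
        print(f"{header}: proxy_pass {url}")
```

Only the innermost enclosing block decides the result, so a prefix location nested inside a regex location is not flagged. A trailing "/" after the domain also counts as a URI part.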
