i'm relatively new to linux. My server is running Ubuntu 22.04 and i got a little problem here in my nginx configuration. I set up a reverse proxy (nginx) in /etc/nginx/sites-enabled/reverse-proxy.conf and wrote this into the file:
server {
if ($host = domain.de) {
return 301 https://$host$request_uri;
}
listen 80;
server_name domain.de;
return 404;
}
server {
server_name domain.de;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/domain.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.de/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
proxy_buffering off;
server_tokens off;
location ^~ /swagger {
return 404;
}
location / {
root /var/www/html/domain.de;
try_files $uri $uri/ /index-one.html ;
proxy_pass http://127.0.1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
# proxy_set_header X-Real-IP $http_CF_Connecting_IP;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
server {
if ($host = second.domain.de) {
return 301 https://$host$request_uri;
}
listen 80;
server_name second.domain.de;
return 404;
}
server {
server_name second.domain.de;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/second.domain.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/second.domain.de/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
proxy_buffering off;
server_tokens off;
location ^~ /swagger {
return 404;
}
location / {
proxy_pass http://192.168.198.40:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
# proxy_set_header X-Real-IP $http_CF_Connecting_IP;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
The second domain is a streaming service called emby and it works, the first domain is a website i want to host and it is based in /var/www/html/domain.de. The directive /var/www/html/domain.de is owned by www-data.
This config gives me an ERR_TOO_MANY_REDIRECTS on domain.de but the second.domain.de is working fine. Why? What am i doing wrong here?
When i change the ip address in the first domain from 127.0.2.1 to 192.168.198.40 the same error occurs. When i add a port to the address like 127.0.2.1:8080; or 192.168.198.40:8080; i get a 502 Bad Gateway error message.
The second domain is working fine in all constellations but i can't get the first domain to work and i don't know how to fix this.
I hope anybody can help me out here. :)
Related
Here is my nginx config setting.
server {
listen 80;
server_name _;
return 301 https://example.com;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $http_host;
proxy_set_header X-M-Secure "true";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_max_temp_file_size 0;
}
}
Can someone help? On firefox www.example.com works and opens https://www.example.com
But not on chrome
And example.com redirection to https://example.com works on both chrome and firefox.
The below code works perfectly for example.com but fails for www.example.com because $ssl_server_name becomes www.example.com and it tries to search a certificate with that name. The correct certificate location is /home/certs/example.com .
Is there any other way to resolve this?
server {
server_name _;
listen 443 ssl http2 default_server;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /home/certs/$ssl_server_name.crt;
ssl_certificate_key /home/certs/$ssl_server_name.key;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
add_header Strict-Transport-Security "max-age=31536000" always;
location /robots.txt {
root /home/dist/common;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Referrer $http_referer;
set $delimeter "";
if ($is_args) {
set $delimeter "&";
}
set $args $args${delimeter}from=$ssl_server_name;
proxy_pass http://127.0.0.1:8081$uri$is_args$args;
}
}
Found my answer. You need to use map.
map $ssl_server_name $mapped_name {
default $ssl_server_name;
~*www.(.*) $1;
}
server {
...
}
I have an Odoo app running on port 8069, and while this setup worked fine in my old server, my new server is using Engintron which seems to have a different method of working with vhosts. The standout issue is that under common_http.conf, this line becomes a duplicate of the vhost needed to run the app but is included in the automatically generated config that gets overridden whenever a new cpanel account is created, deleted, or when Engintron is updated.
What would be the correct way of setting this up properly within Engintron?
common_http.conf
location / {
try_files $uri $uri/ #backend;
}
# This location / ends up getting included in the custom
# vhost which is needed for all of the sites except this Odoo app.
custom_vhost.com.conf
upstream example{
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream example-chat {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
server {
listen [::]:80;
server_name delegates.example.com;
return 301 https://delegates.example.com$request_uri;
}
server {
listen [::]:80;
server_name vendors.example.com;
return 301 https://vendors.example.com$request_uri;
}
server {
listen [::]:80;
server_name example.com;
return 301 https://example.com;
}
server {
listen [::]:80;
server_name *.example.com;
return 301 https://example.com;
}
server {
listen [::]:443 ssl;
server_name pgadmin.example.com;
# well-known_start
location ^~ /.well-known {
add_header Host-Header 192fc2e7e50945beb8231a492d6a8024;
root /home/example/public_html;
}
# well-known_end
ssl_certificate /var/cpanel/ssl/apache_tls/*.example.com/combined;
ssl_certificate_key /var/cpanel/ssl/apache_tls/*.example.com/combined;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Content-Type-Options nosniff;
add_header Cache-Control public;
location / {
deny all;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:5050;
}
}
server {
listen [::]:443 ssl;
server_name example.com www.example.com;
return 301 https://example.com;
}
server {
listen [::]:443 ssl http2;
server_name vendors.example.com delegates.example.com;
client_max_body_size 200m;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-NginX-Proxy true;
#proxy_set_header X-Odoo-dbfilter ^%d\Z;
proxy_redirect off;
proxy_buffering off;
# well-known_start
location ^~ /.well-known {
add_header Host-Header 192fc2e7e50945beb8231a492d6a8024;
root /home/example/public_html;
}
# well-known_end
ssl_certificate /var/cpanel/ssl/apache_tls/*.example.com/combined;
ssl_certificate_key /var/cpanel/ssl/apache_tls/*.example.com/combined;
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# adds gzip options
gzip on;
gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/x-json;
gzip_proxied no-store no-cache private expired auth;
#gzip_min_length 1000;
gzip_disable "MSIE [1-6]\.";
location /longpolling {
proxy_pass http://example-chat;
}
location ~* /web/static/ {
gzip_static on;
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
add_header Cache-Control public;
proxy_pass http://example;
}
location / {
error_page 403 = https://example.com;
proxy_pass http://example;
proxy_redirect off;
gzip_static on;
}
# The above location becomes a duplicate of the previous default location - which in turn fails the validity of the configuration.
location ~* /web/content/ {
gzip_static on;
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
add_header Cache-Control public;
proxy_pass http://example;
}
location /web/database/manager {
deny all;
error_page 403 https://example.com;
proxy_pass http://example;
}
}
Since the conf files are added in alphabetical order, and any conflicting or duplicate settings are ignored - I ended up changing the name of the file so that it's included before the other ones. Also made the file immutable with the following command:
chattr +ai 1_custom_vhost.com.conf
I'm quite sure this is not a graceful solution, but it does the job for now.
Hi I'm quite inexperienced with NGINX and am having difficulty understanding why things aren't working as expected. I'm trying to test an API that I made with a docker container, which is being run with the command: docker run -d -v $(pwd):/app -p 8080:8000 --rm wiseeast/ya_bot.
I'm able to make API requests with Postman at http://ffpr.isi.edu:8080/api with a POST request, but the same request on AJAX with javascript returns an apparently frequent No 'Access-Control-Allow-Origin' header is present on the requested resource. error. I tried to bypass this by enabling CORS on my server by adding add_header 'Access-Control-Allow-Origin' '*' always; because I have control over it but it didn't resolve the issue. Also what is bugging me is that with Postman I can make a successful POST request to http://ffpr.isi.edu:8080/api but not to https://ffpr.isi.edu:8080/api.
Also, I have a rerouting issue that I feel should be straightforward given what I've read but isn't working. I have a webpage properly rerouting http://ffpr.isi.edu to https://ffpr.isi.edu but the rest of the rerouting doesn't work. For instance http://ffpr.isi.edu:5050/ loads through port 80 unsecurely and won't reroute to https://ffpr.isi.edu:5050/. On the other hand, https://ffpr.isi.edu:5050/ won't open at all with a time out error.
Here is my full nginx.conf file:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
upstream frontend {
server 0.0.0.0:8000;
}
upstream ased_api {
server 0.0.0.0:5000;
}
upstream ya_bot {
server 0.0.0.0:8080;
}
upstream yesand {
server 0.0.0.0:5050;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffpr.isi.edu;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://frontend;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /api {
proxy_pass http://ased_api;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /ya_bot {
proxy_pass http://ya_bot;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
location /yesand {
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://yesand;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
I've been suffering with these issues for so long, any pointers are greatly appreciated!!
In my experience, the add_header 'Access-Control-Allow-Origin' '*'; on the proxy machine did not fix the problem.
However, setting the 'Access-Control-Allow-Origin' header from the backend API as a response header did work. For example, You can run the following Go code on the backend API:
(*w).Header().Set(“Access-Control-Allow-Credentials”, “proxy-host-name”)
As for the redirect issue, you don’t need to use two separate server blocks, try this instead in the nginx.conf:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffpr.isi.edu;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($scheme != https) {
return 301 https://$host$request_uri
}
}
I hope this helps.
I need to make ipfs http gateway through nginx with certbot installed together with redirecting websockets to port 9999, but I am unable to make it work as intended.
The code for running websocket service is on "location /" .
Code for ipfs gateway is at "location /ipfs" .
server {
location /ipfs {
proxy_pass http://0.0.0.0:9001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
allow all;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_redirect http://0.0.0.0:9999/ /;
proxy_redirect ws://0.0.0.0:9999/ /;
proxy_pass http://0.0.0.0:9999/;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
allow all; # Any IP can perform any other requests
proxy_set_header Connection "Upgrade";
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Cache-Control,Content-Type,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'application/json charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
# add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
}
if ($request_method = 'GET') {
# add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
}
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/recall.network/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/recall.network/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = recall.network) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name recall.network;
return 404; # managed by Certbot
}
My custom code:
location /ipfs {
proxy_pass http://0.0.0.0:9001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
allow all;
}
do not work as intended
I would like to have an ipfs gateway accessible at https:recall.network/ipfs/HASH*
Resolution is to put correct prefix ^~ in location.
location ^~ /ipfs {
proxy_pass http://0.0.0.0:9001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
allow all;
}