Due to a mess of work networks i need to setup an NGINX reverse proxy to an external website that goes via the company MPLS proxy.
This is so other apps can point to an internal DNS address via HTTPS and then that address can either point to an internal STUB App which does not go through a proxy, or it's pointed to and ALB Listening on HTTPS that is pointed to the Reverse Proxy EC2 running listening on HTTP which sends it out to the External Host as a NGINX Transparent Reverse Proxy via HTTPS.
On the EC2 Instance if i do curl -x http://111.222.333.444:1234 https://external.host.name:5678 i get back an expected result from hitting the external host but i cannot get the same responce back from my nginx x host the upstream proxy seems to be denied access "Access Denied (policy_denied)"
Since i am not on my work computer i have to manually type out my current configuration so sorry if i make a mistake (Ip Addresses and Hosts obscured for obvious security reasons)
Also to rule out SELINUX issues i've set setenforce 0 for the moment untill i can get a working connection.
There are HTTP_PROXY and HTTPS_PROXY variables on the box set to another broxy, but i don't believe NGINX is using them, though i could be wrong.
My current configs after several hours of playing around:
under /etc/nginx/conf.d/proxy.conf
upstream proxy {
server 111.222.333.444:1234
}
under /etc/nginx/default.d/reverse-proxy.conf
location / {
proxy_buffering off;
proxy_pass http://proxy;
proxy_redirect http://proxy https://external.host.name:5678;
proxy_set_header Host external.host.name;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
}
I believe that's the whole config at current, Sorry if i've forgotten anything. Does anyone have a working config for this type of setup or show me where i'm going wrong please?
Edit:
Further Info, if i do curl http://111.222.333.444:1234/https://external.host.name:5678 I get the same error as the NGINX result
The only difference i can see is the Host Header
on the failed one the Header is "Host: 111.222.333.444:1234"
on the success the Header is "Host: external.host.name:5678" and there's an additional header "X-Forwarded-For: 555.666.777.888"
I have not been able to figure out what the ip in the X-Forwarded-For is as it's not the box i am on
I have tried the following but all i get back from the proxy is Network Error (dns_server_failure)
location / {
proxy_buffering off;
proxy_pass http://111.222.333.444:1234/https://external.host.name:5678;
proxy_set_header Host external.host.name:5678;
proxy_set_header X-Forwarded-For 555.666.777.888;
}
Related
I am setting up a reverse proxy on Nginx, and the client request has a header X-OUTBOUND-URI, which will then hit my reverse proxy on a particular port.
I am trying to do a proxy_pass on the variable $http_x_outbound_uri, but there is a resolver error.
server {
listen 8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass $http_x_outbound_uri;
}
}
This is the curl command that is used: curl localhost:8082 -H "X-OUTBOUND-URI: http://localhost:9001", and I have a webserver running on port 9001.
Am I doing this wrongly? Also, for this use case, is it more suitable to do a redirect instead. Thanks.
For those who have encountered the same issue, I managed to resolve this issue by changing localhost to 127.0.0.1, otherwise, we have to set a resolver. I found the explanation in another post.
I have an application running in Kubernetes with the following topology:
Some-ingress-controller--> nginx reverse proxy -->dynamically generated services.
I have set the NGINX reverse proxy with the following test configuration
location /mysite1/ {
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_pass http://myservice1.default.svc:9000/;
}
So far everything works fine - when I go to my website http://example.com/mysite1/ I see what I expect from the myservice1 application hosted at http://myservice1.default.svc:9000/. However, the application myservice1 issues requests to various internal (internal meaning they are part of the same container) resources on /get_resourceX. When the myservice1 application tries to access these resources they will be accessed at http://example.com/get_resourceX/ and not at http://example.com/mysite1/get_resourceX as they should - and that is my problem.
What could work is to simply reverse proxy all the relevant resource names as well. However, then I would need to do the same for http://example.com/mysite2, http://example.com/mysite3 etc. which is impractical since these are generated dynamically.
Another possible solution is to check the http Referrer header and see whether it originates from mysite1 - but that seems awfully hackish.
How can I easily have myservice1 requests issued to /get_resourceX served by itself? Is there a generic way to set the root path for the myservice1 application to myservice1?
We are nginx newbies and trying to replace httpd with it.
We have the following nginx configuration:
location /auth {
proxy_pass http://keycloak_server$request_uri;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
This works in providing access to the administrator portal. However we use also keycloak for authentication for our applications, and the problem is that keycloak responds with a 302 redirect however nginx treats it as a 502 bad gateway error.
The apache httpd works without any problems.
What are we doing wrong ? Any pointers or specific configuration guidance would be appreciated.
The issue was resolved. It was because the upstream was sending too big a header. Modifying the buffer size for proxy worked.
I'm trying to deploy a websocket server to Elastic Beanstalk.
I have a Docker container that contains both nginx and a jar server, with nginx just doing forwarding. The nginx.conf is like this:
listen 80;
location /ws/ { # <-- this part only works locally
proxy_pass http://127.0.0.1:8090/; # jar handles websockets on port 8090
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / { # <-- this part works locally and on ElasticBeanstalk
proxy_pass http://127.0.0.1:8080/; # jar handles http requests on port 8080
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
I can run this docker locally and everything works fine - http requests are served, and I can connect websockets using ws://localhost:80/ws/ However, when I deploy to Elastic Beanstalk, http requests are still ok, but trying to connect websockets on ws://myjunk.elasticbeanstalk.com:80/ws/ gives a 404 error. Do I need something else to allow websockets on Elastic Beanstalk?
Ok, got it working. I needed the ElasticBeanstalk load balancer to use TCP instead of HTTP.
To do this from the AWS console (as it's laid out on 5/16/2015), go to your ElasticBeanstalk environment, choose "Configuration" on the left menu, under "Network Tier" there's a "Load Balancing" pane. Click its cog wheel, then you can change the load balancer protocol from http to tcp.
EDIT: It turns out that the my setup below actually works. Previously, I was getting redirections to port 36000 but it was due to some configuration settings on my backend application that was causing it.
I am not entirely sure, but I believe I might be wanting to set up a reverse proxy using nginx.
I have an application running on a server at port 36000. By default, port 36000 is not publicly accessible and my intention is for nginx to listen to a public url, direct any request to the url to an application running on port 36000. During this entire process, the user should not know that his/her request is being sent to an application running on my server's port 36000.
To put it in more concrete terms, assume that my url is http://domain.somehost.com/
Upon visiting http://domain.somehost.com/ , nginx should pick up the request and redirect it to an application already running on the server on port 36000, the application does some processing, and passes the response back. Port 36000 is not publicly accessible and should not appear as part of any url.
I've tried a setup that looks like:
server {
listen 80;
server_name domain.somehost.com
location / {
proxy_pass http://127.0.0.1:36000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
and including that inside my main nginx.conf
However, it requires me to make port 36000 publicly accessible, and I'm trying to avoid that. The port 36000 also shows up as part of the forwarded url in the web browser.
Is there any way that I can do the same thing, but without making port 36000 accessible?
Thank you.
EDIT: The config below is from a working nginx config, with the hostname and port changed.
You need to may be able to set the server listening on port 36000 as an upstream server (see http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
server {
listen 80;
server_name domain.somehost.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:36000/;
proxy_redirect http://localhost:36000/ https://$server_name/;
}
}