I'm trying to add basic authentication to a nginx reverse proxy which is in front of a nuxtjs app.
I've configured nginx as so
server {
server_name <url>;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
gzip on;
gzip_types text/plain application/xml text/css application/javascript;
gzip_min_length 1000;
location / {
proxy_pass http://127.0.0.1:3222;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
But if hangs. I've also tried it in the location section, but this hangs too, what am I missing?
The .htpasswd file exists with the correct details in.
Have also tried changing
upstream backend {
server backend1.example.com weight=5;
server backend2.example.com:8080;
server unix:/tmp/backend3;
server backup1.example.com:8080 backup;
server backup2.example.com:8080 backup;
}
server {
location / {
proxy_pass http://backend;
}
}
to something similar to this, but still no luck
EDIT: I have gone through various posts and have adjusted a number of the nginx proxy_pass timeout settings, although I have had no successes.
upstream backend {
server 127.0.0.1:3222;
keepalive 7000;
}
and
auth_basic "Restricted Content";
auth_basic_user_file conf.d/.htpasswd;
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 7200s;
proxy_connect_timeout 75s;
proxy_buffer_size 8k;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
}
The only error I can see is in my pm2 logs
ERROR Request failed with status code 401
at createError (node_modules/axios/lib/core/createError.js:16:15)
at settle (node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (node_modules/axios/lib/adapters/http.js:269:11)
at IncomingMessage.emit (events.js:327:22)
at endReadableNT (_stream_readable.js:1220:12)
| at processTicksAndRejections (internal/process/task_queues.js:84:21)
Thanks to all that have helped so far.
Related
I am trying to get my fortigate router's web interface behind my reverse proxy, not to be accessible from the internet, but to use my LetsEncrypt cert on my internal network. This is the config I'm using:
upstream websockets {
server 192.168.1.99:443;
}
server {
listen 443 ssl;
allow 192.168.1.0/24;
deny all;
server_name f60e.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Authorization "";
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Origin "";
proxy_pass_header X-XSRF-TOKEN;
proxy_pass https://192.168.1.99;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 1000m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /websockets/ {
proxy_pass https://websockets;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Origin "";
}
}
Everything appears to work except for the "Edit in CLI" button. When I attempt to use it, the interface window comes up blank and after a few seconds it says "Connection lost" and I get this error in my browser console
GET https://f60e.walnuthomelab.com/favicon/site.webmanifest net::ERR_CONNECTION_TIMED_OUT
main.js:1
WebSocket connection to 'wss://f60e.walnuthomelab.com/ws/cli/open?cols=66&rows=34' failed:
createWebSocket # main.js:1
I was trying to host flask application in NGINX which uses websockets.
It is working fine with the servers which do not use any proxy servers.
When it is hosted in a server that passes requests to proxy servers, client does not receive any message sent via websocket.
Initially none of the external API calls were working which started working when I added environ variable http_proxy and https_proxy for the service.
But the socket is still not working.
Got error: "no pong received in 3 seconds" in the server when trying to connect to websocket
This is what I get in browser
The following is the nginx configuration.
log_format upstreamlog '$server_name to: $upstream_addr [$request] '
'upstream_response_time $upstream_response_time '
'msec $msec request_time $request_time';
upstream socket_nodes {
ip_hash;
server 127.0.0.1:4000;
server 127.0.0.1:4001;
server 127.0.0.1:4002;
}
server {
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log upstreamlog;
add_header Strict-Transport-Security max-age=15768000;
location /static/* {
alias /file_path;
}
location / {
include uwsgi_params;
proxy_pass http://socket_nodes;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 16k;
}
location /socket.io {
proxy_pass http://socket_nodes/socket.io;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Try changing the socket configuration as below,
location /socket.io {
proxy_pass http://socket_nodes/socket.io;
proxy_http_version 1.1;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
I'm trying to get websockets (socket.io) to work through 2 proxy_pass and 2 different servers (one is a server loadbalancer, the another one is the actual server). I get an 400 when the socket.io is trying
In this case, I have two servers, 1 domainName :
domainName : dev-socket.domain.com -> cname to lb.domain.com
Server 1 : lb.domain.com
- handling all the certifications
- handling all our {subdomain}.domain.com requests, proxy_pass them to the rightfull servers
- everything works fine, except websockets
Server 2 : dev.domain.com
- host the actual api handling all the websockets
- nginx proxyPass to rightfull :port application
What should work, and doesn't :
dev-socket.domain.com (domainName) -> lb.domain.com (Server1, ssl) -> dev.domain.com (server2) -> nodeJsApp
This is getting an 400.
WHAT WORKS : this works, if I bypass the lb.domain.com and directly do this :
dev-socket.domain.com (domainName) -> dev.domain.com (server2, ssl) -> nodeJsApp
server 1 : lb.domain.com :
map $http_connection $upgrade_requested {
default upgrade;
'' close;
}
server {
listen 80;
listen 443 ssl http2;
server_name dev-socket.domain.com;
access_log /var/log/nginx/dev-socket.domain.com-access.log;
error_log /var/log/nginx/dev-socket.domain.com-error.log error;
client_max_body_size 256M;
ssl_certificate /etc/letsencrypt/live/dev-
socket.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev-
socket.domain.com/privkey.pem;
includeSubDomains; preload";
location /socket/live {
proxy_read_timeout 120;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://91.121.117.17/socket/live;
}
location / {
proxy_pass http://server_dev;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
location ~ ^/.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
root /usr/share/nginx/html/;
}
}
server 2 : dev.domain.com
map $http_connection $upgrade_requested {
default upgrade;
'' close;
}
server {
listen *:443;
server_name dev-socket.domain.com;
#ssl_certificate /etc/letsencrypt/live/dev-socket.domain.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/dev-socket.domain.com/privkey.pem;
#ssl on;
client_max_body_size 5M;
access_log /var/log/nginx/dev-socket.domain.com;
error_log /var/log/nginx/dev-socket.error;
location /socket/live {
proxy_pass http://localhost:3000;
proxy_read_timeout 120;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen *:80;
server_name dev-socket.domain.com;
if ($http_x_forwarded_proto != "https") {
return 301 https://$server_name$request_uri;
}
access_log /var/log/nginx/dev-socket.domain.com;
error_log /var/log/nginx/dev-socket.error;
location / {
proxy_pass http://localhost:3000;
}
}
the above configuration gets a simple 400 error during the handshake instead of succeeding.
WebSocket connection to 'wss://dev-socket.domain.com/socket/live/?Auth=e02b7a2ab5c158d7f46c18d36f45955bf3769716&sessionId=5a38e191fc6bf8602001b237&EIO=3&transport=websocket&sid=Fu6M2b1I9sh9stLFAANX' failed: Error during WebSocket handshake: Unexpected response code: 400
I can confirm by checking the activty logs of both nginx (server1, server2) that the request is getting to server2. So my guess for the moment is something about a malformed header..
As a said, if I bypass lb.domain.com, and activate ssl on the dev.domain.com direclty, it is working
I used Nginx as a reverse proxy and when I access the url from the browser (Chrome, Firefox) it will show 504 gateway timeout. But when I use curl or wget to access the url, it works fine. It is really a weird issue, can anyone give me some help?
Following is my configuration: https://pastebin.com/fZHEtRGa
The upstream configuration is:
upstream default-nginx-z-80 {
# Load balance algorithm; empty for round robin, which is the default
least_conn;
keepalive 32;
server 10.1.228.195:80 max_fails=0 fail_timeout=0;
}
The server configuration is
server {
server_name z-ingress.mixhub.cn ;
listen 80;
listen [::]:80;
set $proxy_upstream_name "-";
location / {
port_in_redirect off;
set $proxy_upstream_name "default-nginx-z-80";
set $namespace "default";
set $ingress_name "nginx-z";
set $service_name "";
client_max_body_size "1m";
proxy_set_header Host $best_http_host;
# Pass the extracted client certificate to the backend
proxy_set_header ssl-client-cert "";
proxy_set_header ssl-client-verify "";
proxy_set_header ssl-client-dn "";
# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_ip;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";
# Custom headers to proxied server
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
proxy_buffering off;
proxy_buffer_size "4k";
proxy_buffers 4 "4k";
proxy_request_buffering "on";
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
proxy_pass http://default-nginx-z-80;
}
}
Why there are so many tcp connections between localhost and localhost when I use nginx proxy service.
this is my nginx proxy configuration:
server {
listen 80;
server_name www.domain1.com;
location /{
proxy_pass http://localhost:4999;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
server_name www.domain2.com;
location /{
proxy_pass http://localhost:4999;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
}
Nginx acts as a reverse proxy here, which establish client-proxy tcp connection and proxy-server tcp connection for one http request(http keep-alive will reuse tcp conn)
I guess the proxy-server connection will be closed after client-proxy is closed by client with configuration proxy_pass http://localhost:4999;
You can try the following configuration:
upstream backend {
server localhost:4999;
keepalive 10;
}
server {
listen 80;
server_name www.domain2.com;
location /{
proxy_pass http://backend;
}
}