Disable Nginx from decoding SAP Fiori URLs - nginx

I have a SAP Fiori installation behind an Nginx reverse proxy, no matter what I do with proxy_pass %2F in URL always gets decoded to /, I've tried a pletora of different configurations but the result is always the same.
location / {
# tried all of the following...
proxy_pass https://x.x.x.x:xxxx;
proxy_pass https://x.x.x.x:xxxx/;
proxy_pass https://x.x.x.x:xxxx$uri;
proxy_pass https://x.x.x.x:xxxx$request_uri;
proxy_pass https://x.x.x.x:xxxx/$uri;
proxy_pass https://x.x.x.x:xxxx/$request_uri;
# additional config below, not much, the vhost configuration is pretty straight forward
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
Any idea?
EDIT: Worth to mention I guess, Nginx version is 1.18.0 running on Debian 11.

Related

NGINX proxy http://host/jenkins to http://host:8080

I try to use NGINX as a reverse proxy for my Jenkins server. Basically when http://host/jenkins gets opened in the browser NGINX should proxy the request to http://host:8080 where Jenkins is listening.
I tried various different configurations but none really works. Here the location configuration that I use at the moment. It somehow works, but does not show any images, etc..
location /jenkins/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080/;
proxy_read_timeout 90s;
# Fix potential "It appears that your reverse proxy set up is broken" error.
proxy_redirect http://localhost:8080/ https://host/jenkins/;
}
Make sure to update your Jenkins configuration
JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"
Taken from https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy

Combination of using nginx as a reverse proxy with keycloak as upstream server fails

We are nginx newbies and trying to replace httpd with it.
We have the following nginx configuration:
location /auth {
proxy_pass http://keycloak_server$request_uri;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
This works in providing access to the administrator portal. However we use also keycloak for authentication for our applications, and the problem is that keycloak responds with a 302 redirect however nginx treats it as a 502 bad gateway error.
The apache httpd works without any problems.
What are we doing wrong ? Any pointers or specific configuration guidance would be appreciated.
The issue was resolved. It was because the upstream was sending too big a header. Modifying the buffer size for proxy worked.

Executing Liferay behing a Nginx reverse proxy

I am trying to test the last version of Liferay (Liferay 7.0-ga4) and install it behind a reverse proxy (nginx). I am using docker and docker compose for testing purposes, and I create a dummy domain docker.domain.com.
Liferay works fine if I access directly to its url and no reverse proxy is configured.
Also, I have success to install Liferay behind the nginx server if I use the root location:
location / {
proxy_pass http://liferay:8080;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
Where liferay in the proxy_pass section is the name of the docker container linked in the docker compose. And Liferay's options:
web.server.host=docker.domain.com
web.server.protocol=http
web.server.http.port=80
To configure the reverse proxy in Liferay. The results is correct if I type http://docker.domain.com/:
I can login, accept terms and conditions, ... everything seems fine.
But when I use a location that is not root (i.e /lifeay), I have issues with links, images, and css in general.
With a configuraion in nginx similar to:
location /liferay {
proxy_pass http://liferay:8080;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
And adding as suggested here to Liferay's configuration:
portal.proxy.path=/liferay
When accessing to http://docker.domain.com/liferay all url are messed up and CSS are not shown. Here I attach an screenshot of the final result:
It is interesting the line
http://docker.domain.com/liferay/liferay
Where "liferay" appears two times in the url. Some errors appear at the liferay's tomcat log:
12:48:29,019 WARN [http-nio-8080-exec-3][code_jsp:172] {code="404", msg="/liferay/o/mentions-web/css/mentions.css", uri=/liferay/o/mentions-web/css/mentions.css}
12:48:29,021 WARN [http-nio-8080-exec-8][code_jsp:172] {code="404", msg="/liferay/o/frontend-css-web/main.css", uri=/liferay/o/frontend-css-web/main.css}
....
Obviously some files are not found. I have created a simple example with docker github to test it only spending a few minutes if somebody is interested. Still, I am pretty sure that something is missing in my Liferay configuration, but I am not able to figure out what. At least I am not able to find any clue in the official documentation.
Seems that the problem was with the the trailing slash in proxy_pass. It is what makes a difference. Following this example, the nginx configuration file will be:
location /liferay {
return 302 /liferay/;
}
location /liferay/ {
proxy_pass http://liferay:8080/;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
And now seems that Liferay CSS and URLs are correctly working.

nginx blank page/400 bad request for special characters in URL on Confluence 6.2.1

So recently I have been experiencing issue where when accessing URL, like www.example.com/comfluence/display/TST/<testpage>+test would show just white blank page and from Chrome console it shows 400 bad request. This started to happen just after upgrading Confluence. Previously on 5.8.5 version there was no such issue. Upgrading to 6.1.1 or 6.2.1 it started ti behave like this.
I am using nginx proxy server and no config has been changed during the upgrade.
The config looks like this
location /confluence/ {
proxy_intercept_errors on;
error_page 404 #error_404;
error_page 500 502 503 504 #error_5xx;
client_max_body_size 100m;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 900;
proxy_pass http://Dconfluence/confluence/;
}
location /synchrony/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://Dsynchrony/synchrony/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
As per documentation.
I am sure its nginx issue as I can access those pages bypassing it and using private IP.
If anyone could help me on this, I would appreciate it. I have already contacted Atlassian Support and waiting for their reply as well.
If you only have problem with URLs that contains characters like (<>) it might be related to the double encoding. So, I would say check if you have chunked_transfer_encoding on; in your Nginx Configuration files or not. If so, remove it and restart your Nginx. Atlassian has a KB about similar behaviour would be good if you take a look at it as well (here).

Jenkins behind nginx without subdirectory

I have Jenkins running inside my Glassfish installation, so Jenkins can be reached #
http://localhost:8090/jenkins/
I managed to setup nginx so Jenkins can be reached from the outside #
http://build.example.com/jenkins/
This setup works well so far, but I am not really happy with it. What I would really want to achieve is to hit
http://build.example.com
in the browser to reach Jenkins.
Here is my current nginx config:
server {
listen 80;
server_name build.example.com;
location / {
proxy_pass http://localhost:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I hope this is possible via some url rewrite, but I'm totally clueless how to do it...
Then change:
proxy_pass http://localhost:8090;
to
proxy_pass http://localhost:8090/jenkins/;
Reference: http://nginx.org/r/proxy_pass
It seems to me the problem is the Glassfish configuration.
How about setting in application.xml the following value:
<context-root/>
Instead of the default, which is the name of the WAR file, without the .war extension.
There seems to be similar questions on SO.
From http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
location / {
rewrite /jenkins/(.*) /$1 break;
proxy_pass http://localhost:8090/jenkins/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Resources