Forward IP Addresses - NGINX and IIS - nginx

We have a working NGINX redirecting our external users to our IIS server. The problem is that the IP seen by the IIS is the NGINX machine, not the IP from external users. Our logs are full of "10.0.0.2" IPs which is incorrect.
A similar configuration file is shown. We already included "proxy_set_header" lines.
Is this config file correct? What should be done at IIS server? Should we just include some topics at web.config file? If this is the case, what should we add?
server {
listen 10.0.0.2:443 ssl;
server_name web.mydomain.com;
ssl_certificate /home/admin/conf/web/ssl.web.mydomain.com.pem;
ssl_certificate_key /home/admin/conf/web/ssl.web.mydomain.com.key;
error_log /var/log/apache2/domains/web.mydomain.com.error.log error;
location / {
proxy_set_header x-real-IP Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_pass https://10.0.0.11;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf)$ {
root /home/admin/web/web.mydomain.com/public_html;
access_log /var/log/apache2/domains/web.mydomain.com.log combined;
access_log /var/log/apache2/domains/web.mydomain.com.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias /home/admin/web/web.mydomain.com/document_errors/;
}
location @fallback {
proxy_pass https://10.0.0.11;
}
location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
include /home/admin/conf/web/snginx.web.mydomain.com.conf*;
}

You can use IIS enhanced logging to write custom headers like X-Forwarded-For to log files,
https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/logfile/customfields/add
There is no way to change the source IP field, because indeed that's the IP address recorded in the TCP/HTTP packets.

At first I thought this would be something related to IIS/NGINX, but after @lex-li's and @bruce-zhang's replies I researched more about it.
I actually did not know but inside our application (running at IIS) there are listeners to those headers, and those listeners were not properly implemented.
So it was just a misalignment between our application and NGINX.
Thanks both @lex-li and @bruce-zhang
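
An added example (not code from the original posts or from the application discussed) of a backend-side listener for these headers: it accepts X-Forwarded-For only when the connection comes from the NGINX host and reads the chain from the right, so a value the client placed in the header is never taken as its address. It assumes 10.0.0.2 is the only trusted proxy; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client address is the
# NGINX host from the question (10.0.0.2).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_hop(token):
    """Parse one X-Forwarded-For element; return None if it is not an IP."""
    token = token.strip()
    # Some proxies append a port: "203.0.113.7:51234" or "[2001:db8::1]:443".
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(peer_addr, headers):
    """Return the address to log or authorize on for one request.

    peer_addr: source IP of the TCP connection as seen by the backend.
    headers:   dict of request headers with lower-cased names.
    """
    peer = ipaddress.ip_address(peer_addr)
    # Headers are client-controlled unless the connection came from our proxy.
    if not is_trusted(peer):
        return str(peer)
    hops = [h for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first untrusted address is the real client. Anything
    # further left was supplied by the client and proves nothing.
    for token in reversed(hops):
        ip = parse_hop(token)
        if ip is None:
            break  # malformed element: stop trusting the chain
        if not is_trusted(ip):
            return str(ip)
    return str(peer)  # header missing, malformed, or only proxies listed
```

With `proxy_set_header X-Forwarded-For $remote_addr;` NGINX overwrites the header with a single value, while `$proxy_add_x_forwarded_for` appends to whatever the client sent; reading from the right gives the same answer in both cases.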

Related

How do I make this directory public with nginx?

I have a ghost.org pre-built droplet on DigitalOcean that I'm willing to use for a music production blog. This is what my site conf looks like:
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2369;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
I want to serve some HTML pages I uploaded at this directory /var/www/downloads when people visit my domain.com/downloads. How do I do it leaving everything else working? I've tried this
location /downloads/ {
alias /var/www/downloads/;
}
but it did not work. Any help?
Thanks!
Try this:
location /downloads {
root /var/www;
}

How to restrict ip access in nginx

I want to restrict access by IP for a specific PHP file in Nginx reverse_proxy.
So in my virtual host path /etc/nginx/sites-available/sub.mydmn.com I have the following configs:
server {
server_name wwww.sub.mydmn.com sub.mydmn.com;
root /home/mydmn/;
access_log off;
# Static contents
location ~* ^.+.(png|mp4|jpeg)$ {
expires max;
}
# Limit IP access
location = /mine.php {
allow <MyIP_Here>;
deny all;
return 404;
}
# Dynamic content, forward to Apache
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
}
# Deny server with IP access!
server {
listen 80 default_server;
server_name _;
location / {
return 403;
}
}
But when I start the server, Nginx blocks all IPs for mine.php.
What is the problem?
Nginx chooses a single location block to process a request (see this document). Your location = /mine.php block, not only returns a 403 status if the IP address is denied, but also returns a 404 status if the IP address is allowed. You need the request to be handled by the service on port 8080 if the IP address is allowed.
One solution is to duplicate the statements from the location / block.
For example:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
location = /mine.php {
allow ...;
deny all;
proxy_pass http://127.0.0.1:8080;
}
location / {
proxy_pass http://127.0.0.1:8080;
}
Note that proxy_set_header statements can be moved into the outer block so that they are inherited by both blocks. See this document for details.

How to set the location in nginx.conf for removing URL's trailing slash?

Today I used two servers for nginx, the content of nginx.conf as follows:
#192.168.2.98
server {
listen 8091;
location ^~ /ttank {
alias /develop/servers-running/front/vue-public/dist;
index index.html;
try_files $uri $uri/ /ttank/index.html;
}
}
#192.168.2.97
location /ttank {
proxy_pass http://192.168.2.98:8091;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
}
I can access 192.168.2.98:8091/ttank by entering the address http://192.168.2.98:8091/ttank in Chrome. I can also access 192.168.2.98's ttank by entering the address http://192.168.2.97/ttank/, but when I change the address http://192.168.2.97/ttank/ into http://192.168.2.97/ttank, my Chrome goes into a waiting status forever. The only difference between the two addresses is the last "/". I don't know how to modify the config file for removing the last "/" when accessing ttank by 192.168.2.97?
Try using a rewrite rule to get rid of the ending slashes:
location /ttank {
rewrite ^/(.*)/$ /$1 break;
...;
...;
proxy_pass ...;
}
it should do it

nginx location matching for url params only

I need to rewrite any root subdomain requests and append locale params if they aren't already there. e.g. -> de.example.com needs to be rewritten as -> de.example.com/?locale=de. then I proxy it off to the app.
2 questions:
1) is this the correct approach? or should I be using regex instead here? (new to this so if other problems, please lmk)
2) is there a way to log things inside the location block? Having trouble getting same config working on another server, logging would help. (e.g logging what args is if it isn't matching, or if it matches on another location block).
It only needs to happen on the root page so this is my current config
#existing default (nonsubdomain block)
server {
server_name _;
root /var/www/web_app;
try_files $uri/index.html $uri.html $uri @app;
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
}
#just added for subdomain
server {
server_name de.example.com;
root /var/www/web_app;
location / {
try_files $uri/index.html $uri.html $uri @app;
}
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
location = / {
if ($args != locale=de ){
rewrite ^ $scheme://de.example.com/?locale=de permanent;
}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
}
1) is this the correct approach? or should I be using regex instead here? (new to this so if other problems, please lmk)
You should use $arg_locale != de instead of $args != locale=de. Look at the docs: http://nginx.org/en/docs/http/ngx_http_core_module.html#var_arg_
2) is there a way to log things inside the location block? Having trouble getting same config working on another server, logging would help. (e.g logging what args is if it isn't matching, or if it matches on another location block). It only needs to happen on the root page so this is my current config
Debug log: http://nginx.org/en/docs/debugging_log.html

Nginx wildcard proxy, pass subdomain to the server (upstream proxy)

I would like to be able to pass subdomain.domain.com to .domain.com apache server, with subdomain info too.
I would like to make an nginx cache for domain, acting like wildcard, but passing subdomain to the destination (there is apache with wildcard too). Up to now, I pass the info via proxy_set_header Host $host; but I would like to have request with subdomain at the apache server.
upstream domain.com {
server 172.1.1.1:80 weight=50 fail_timeout=30s;
}
server {
server_name *.domain.com;
location / {
proxy_pass http://domain.com;
#proxy_pass $request;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
location ~* ^.+.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf)$ {
proxy_pass http://topmanagergame.com;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache my-cache;
proxy_cache_valid 200 302 30m;
proxy_cache_valid 404 1m;
}
access_log /var/log/nginx/domain.com.log main;
error_log off;
}
Do you think I can use proxy_pass with upstream ?
Nginx (*wildcard_domain.com) --(cache)--> Apache (*wildcard_domain.com)
Nginx (anything.domain.com) --(cache)--> Apache (anything.domain.com)
upstream somestring {
server domain2.com:80 weight=50 fail_timeout=30s;
}
server {
listen 80;
server_name *.domain.com;
server_name ~^(?<subdomain>.+)\.domain\.com$;
location / {
proxy_pass http://somestring;
proxy_set_header Host $subdomain.domain2.com;
}
}
So I was trying to find the answer to this problem and kept finding this post. But I think dmytrivv's answer is out of date. In our scenario, we have both wildcard domains (e.g. *.mydomain.com) and custom domains (e.g. fullycustomdomain.com). But you can solve both by using proxy_set_header Host $host; and having default at the end of your listen.
upstream qaweb {
# Servers in the web farm
server ip-notreal-name.ec2.internal:80;
}
server {
listen 443 ssl default;
ssl_certificate certs/mydomain.com.crt;
ssl_certificate_key certs/mydomain.com.key;
# Support for wildcard domains
server_name admin.mydomain.com *.mydomain.com "";
location / {
# Turn off access logging so we don't fill the hard drive
access_log off;
proxy_pass http://qaweb;
proxy_set_header Host $host;
# So that the correct IP shows up in the log once libapache2-mod-rpaf is installed
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Note, we are also using it as a TLS termination proxy.
You can also find more examples on how to use proxy_pass here https://www.liaohuqiu.net/posts/nginx-proxy-pass/
