Cloudflare Nginx HTTPS proxy_pass every path - nginx

I'm trying to setup https using nginx and cloudflare. I generated a certificate and key using cloudflare and added them to my nginx config (See below).
server {
listen 443 ssl;
server_name <URL_HIDDEN>;
ssl_certificate /etc/nginx/own-certs/server.crt;
ssl_certificate_key /etc/nginx/own-certs/server.key;
location / {
proxy_pass http://localhost:8082;
proxy_http_version 1.1;
proxy_set_header UPgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
The problem: Only the main page works (/).
When going to any other page (Like /favicon.ico), I'm getting a 504 error after 30 seconds. When using the specific port and same path (http://localhost:8082/favicon.ico), everything works fine. Everything works fine when I remove the ssl part too.
It isn't a nginx timeout issue, because I'm getting a response within 5ms when using the localhost URL.

change nginx config (Also necessary if you already enabled "always https"):
server {
listen 80; # ADD THIS
listen 443 ssl;
server_name <URL_HIDDEN>;
ssl_certificate /etc/nginx/own-certs/server.crt;
ssl_certificate_key /etc/nginx/own-certs/server.key;
location / {
proxy_pass http://localhost:8082;
proxy_http_version 1.1;
proxy_set_header UPgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
set cloudflare setting:
enable always use https:

Related

Stripe webhook doesn't reach endpoint on reverse proxy

I am hosting my app in Linode and I have a stripe webhook that doesn't reach the api. I could hit the endpoint before installing ssl certificates but after the ssl configuration my app can't reach the endpoint. I am following tutorials and don't know a lot about nginx proxying and backend so apologies if my explanation is not clear.
My stripe webhook is listening to the following endpoint:
https://mywebsite.com/api/stripe-webhook
And here is my proxy configuration:
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
#
#ssl on;
ssl_certificate /etc/ssl/certs/kk/certificate.crt;
ssl_certificate_key /etc/ssl/certs/kk/private_key.key;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name mywebsite.com;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /api {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I am not even getting any meaningful error message in Stripe:
My question is what am I doing wrong and is there any other file that I need to configure?

how to proxy_pass api path to port with nginx

I want to proxy_pass the root location (/) to the port 3000 and the /api location to the port 5000, is completely possible, right?
my nginx config file:
server {
listen 80;
server_name mywebsite.com;
location /api {
proxy_pass http://localhost:5000;
}
location / {
proxy_pass http://localhost:3000;
}
}
if I do the api request locally i can get the expected output:
myuser#myserver [conf.d]# curl localhost:5000
Hello, World!myuser#myserver [conf.d]#
but with an api client don't, and proxy_pass from the root path to the port 3000 works fine in the browser and the api client
Notes:
im not forgetting reload nginx with sudo systemctl reload nginx
the firewall is allowing traffic in both ports, im using ufw
the server OS is centos 7
I think you are using React and nodejs. I use below config.
server {
listen 80;
server_name mywebsite.com;
location / {
# My react
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /api{
# This is my nodejs API
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

Nginx SSL reverse proxy doesn't work with websocket

I'm having this configuration:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name mydomain.com;
ssl_certificate /usr/syno/etc/certificate/ReverseProxy/baac8259-962a-4d45-a265-bf747f5f007d/fullchain.pem;
ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/baac8259-962a-4d45-a265-bf747f5f007d/privkey.pem;
location / {
proxy_connect_timeout 60;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_intercept_errors off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto \"http\";
proxy_set_header X-ProxyScheme \"http\";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.1.4:8090;
}
}
I want to apply SSL only on the frontend and use basic http in the backend.
This configuration should have worked but the websocket website won't open showing me this error:
WebSocket connection to 'wss://mydomain.com:80/' failed: Error in connection establishment:
net::ERR_SSL_PROTOCOL_ERROR
Digging inside the javascript file of the web application, I see this:
window.websocket = (document.location.protocol == "https:") ? new WebSocket('wss://'+document.location.hostname+":"+window.jsonPort) : new WebSocket('ws://'+document.location.hostname+":"+window.jsonPort);
The thing is that I can really not understand why will the application detect the scheme as https? Since I explicitly try to make it appear as http.
This issue was specific to the application that I was forwarding to. I have now identified and corrected the issue in that application so this is solved.

Nginx serves root of one subdomain instead of root of another subdomain

I have two subdomains, app.mydomain.com and v1.api.mydomain.com, pointing to the same IP. I want app.mydomain.com to be proxied to localhost:5000 and v1.api.mydomain.com to be proxied to localhost:1337.
The following configuration does it (app.mydomain.com/... is served by localhost:5000 and v1.api.mydomain.com/... is served by localhost:1337) except for one thing: the root of v1.api.mydomain.com (with or without a trailing slash) isn't served by localhost:1337, it is served by localhost:5000 (app.mydomain.com) and therefore it doesn't display what I expect. How is this possible?
My first configuration file in sites-enabled:
server {
listen 80;
server_name app.mydomain.com;
location / {
proxy_pass http://localhost:5000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
My second configuration file in site-enabled:
server {
listen 80;
server_name v1.api.mydomain.com;
location / {
proxy_pass http://localhost:1337/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
To make sure that the problem wasn't a redirection of some sort by the server running on localhost:1337, I shut it down and the problem is still there, so it really is something with my nginx configuration. Thanks for helping.

NGINX redirecting to root for escaped_fragment URI

I have a very weird situation where NGINX (used as proxy for node app) is redirecting all ?_escaped_fragment_= to root (/) when using https://domain.com?_escaped_fragment_=/app/someurl BUT when I use https://dev.domain.com?_escaped_fragment_=/app/someurl all works fine.
Just want to make it clear that prerenderer works well and I have tested it both directly on machine as well as using dev subdomain.
I can give the original URL for those that would like to check things live.
Thanks a million guys :)
server {
server_name domain.com www.domain.com;
listen 80;
return 301 https://domain.com$request_uri;
}
server {
server_name domain.com;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/***.crt;
ssl_certificate_key /etc/nginx/ssl/***.key;
location / {
proxy_pass http://x.x.x.x:4567;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
server_name dev.domain.com;
location / {
proxy_pass http://x.x.x.x:4567;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
For those of you who had a similar experience maybe also with apache please note that it's not NGINX but the app where you need to specify to the prerender middleware .set('protocol', 'https'));
protocol
Option to hard-set the protocol. Useful for sites that are available
on both http and https.
app.use(require('prerender-node').set('protocol', 'https'));

Resources