Jenkins Https reverse proxy configuration is not working in centos - nginx

I have installed nginx and jenkins server in centos. I want to connect my jenkins server with https. so I have configured reverse-proxy. But its not working, I'm getting the following error
Below are the my configuration values
File - /etc/nginx/sites-enabled/default
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name 134.68.44.235;
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/jenkins.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://localhost:8080;
proxy_read_timeout 90;
proxy_redirect http://localhost:8080 https://134.68.44.235;
}
}
File /etc/default/jenkins
JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpListenAddress=127.0.0.1 --httpPort=$HTTP_PORT -ajp13Port=$AJP_PORT"
Note : I can able to access the jenkins site using http://134.68.44.235:8080
But I can't able access it using https, I installed certificates and followed the steps from this article
I'm not sure what I'm missing, Anyone kindly advise me on this.

This snippet below should work well, you'll have to edit the content sections to match the FQDN or IP you want Jenkins to serve the web UI, together with the valid SSL CERT path and SSL KEY path if you want to provide https.
upstream app_server {
server 127.0.0.1:8080 fail_timeout=3;
}
server {
listen 80;
server_name <FQDN OR IP>;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name <FQDN OR IP>;
ssl on;
ssl_certificate /<PATH>/<TO>/<YOUR SSL CERT>;
ssl_certificate_key /<PATH>/<TO>/<YOUR SSL KEY>;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Redirect any /* request to port 8080
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Headers' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range,Location';
}
proxy_redirect http:// https://;
proxy_pass http://app_server;
}
}

Related

NGINX configuration for CORS and proper HTTPS rerouting

Hi I'm quite inexperienced with NGINX and am having difficulty understanding why things aren't working as expected. I'm trying to test an API that I made with a docker container, which is being run with the command: docker run -d -v $(pwd):/app -p 8080:8000 --rm wiseeast/ya_bot.
I'm able to make API requests with Postman at http://ffpr.isi.edu:8080/api with a POST request, but the same request on AJAX with javascript returns an apparently frequent No 'Access-Control-Allow-Origin' header is present on the requested resource. error. I tried to bypass this by enabling CORS on my server by adding add_header 'Access-Control-Allow-Origin' '*' always; because I have control over it but it didn't resolve the issue. Also what is bugging me is that with Postman I can make a successful POST request to http://ffpr.isi.edu:8080/api but not to https://ffpr.isi.edu:8080/api.
Also, I have a rerouting issue that I feel should be straightforward given what I've read but isn't working. I have a webpage properly rerouting http://ffpr.isi.edu to https://ffpr.isi.edu but the rest of the rerouting doesn't work. For instance http://ffpr.isi.edu:5050/ loads through port 80 unsecurely and won't reroute to https://ffpr.isi.edu:5050/. On the other hand, https://ffpr.isi.edu:5050/ won't open at all with a time out error.
Here is my full nginx.conf file:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
upstream frontend {
server 0.0.0.0:8000;
}
upstream ased_api {
server 0.0.0.0:5000;
}
upstream ya_bot {
server 0.0.0.0:8080;
}
upstream yesand {
server 0.0.0.0:5050;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
return 301 https://$host$request_uri;
}
# Settings for a TLS enabled server.
#
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffpr.isi.edu;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://frontend;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /api {
proxy_pass http://ased_api;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /ya_bot {
proxy_pass http://ya_bot;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
location /yesand {
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://yesand;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
I've been suffering with these issues for so long, any pointers are greatly appreciated!!
In my experience, the add_header 'Access-Control-Allow-Origin' '*'; on the proxy machine did not fix the problem.
However, setting the 'Access-Control-Allow-Origin' header from the backend API as a response header did work. For example, You can run the following Go code on the backend API:
(*w).Header().Set(“Access-Control-Allow-Credentials”, “proxy-host-name”)
As for the redirect issue, you don’t need to use two separate server blocks, try this instead in the nginx.conf:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ffpr.isi.edu;
ssl_certificate "/etc/nginx/ssl/ffpr_isi_edu_cert.cer";
ssl_certificate_key "/etc/nginx/ssl/ffpr_isi_edu.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($scheme != https) {
return 301 https://$host$request_uri
}
}
I hope this helps.

TFS behind Nginx reverse proxy

Trying to configure Team Foundation Server behind Nginx reverse proxy.
Also, I'm using a self-signed SSL Certificate.
Getting ERR_TOO_MANY_REDIRECTS
Here is my nginx configuration:
server {
listen 80 default;
server_name tfs.domain.com;
return 301 https://$host$request_uri;
}
upstream tfs.domain.com {
server 12.34.56.78:80; #local tfs address
keepalive 16;
}
server {
listen 443 ssl;
server_name tfs.domain.com;
ssl_certificate /etc/nginx/ssl/tfs.domain.com.pem;
ssl_certificate_key /etc/nginx/ssl/tfs.domain.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://12.34.56.78:80; #local tfs address
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
}
access_log /var/log/nginx/tfs.domain.com/443-access.log;
error_log /var/log/nginx/tfs.domain.com/443-error.log;
}
What I'm doing wrong?
Just try to set the proxy_redirect explicitly:
e.g.:
proxy_redirect http://localhost:8080 https://tfs.domain.com;
You can reference below article to configure the nginx (It should be similar with TFS):
How To Configure Nginx with SSL as a Reverse Proxy for Jenkins
And this thread may helps: https://serverfault.com/questions/754351/what-is-a-correct-ways-to-allow-login-to-an-iis-site-through-a-reverse-proxy
Besides, you can reference below articles to troubleshoot the ERR_TOO_MANY_REDIRECTS issue:
How to Fix ERR_TOO_MANY_REDIRECTS on Your WordPress Site
How to Fix Err Too Many Redirects Error

Nginx redirect config issue

I have nginx bitnami container deployed in Openshift that serves my application. The issue that I am facing is that the redirect is not working. In the logs, there are no indications that the request is caught by a proxy_pass location block.
So. the idea is that a request to app.com/backend1/api/something should be forwarded to service1.com/backend1/api/something. The same goes for service2.
worker_processes 1;
events {
worker_connections 1024;
}
http {
upstream service1 {
server service1.com;
}
upstream service2 {
server service2.com;
}
server {
listen 8443 ssl;
listen [::]:8443 http2 ssl;
server_name app.com;
error_log /opt/bitnami/nginx/error.log debug;
ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
include /opt/bitnami/nginx/conf/mime.types;
root /opt/bitnami/nginx/html;
location ~ ^/backend1/api/(.*)$ {
proxy_pass https://service1/backend1/api/$1;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/backend2/api/(.*)$ {
proxy_pass https://service2/backend2/api/$1;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
try_files $uri /index.html;
}
}
}
I have also tried moving the order of the location blocks, as well as moving the root directive, but without success.
Any ideas on how to resolve this issue?

Deploying a node js app with proxypass with ssl enabled

I have ameteor ap which i am running as is the norm and it runs on my server like
http://my-ip:3000
I have nginx installed and i can access the meteor app using this sites-enabled configuration
My file looks like this
server {
listen *:80;
server_name _;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}
I am following this tutorial to get letsencrypt to work https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
How would i enable ssl in my configuration above
To run with ssl,make sure you have a letencrypt certificate and this is my configuration
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/meteor.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://localhost:3000;
proxy_read_timeout 90;
proxy_redirect http://localhost:3000 https://domain.com;
}
}
The above runs the meteor app with ssl enabled.

Nginx Proxy for github.io is returning 404

I'm trying to use Nginx as a reverse-proxy for my pages at github pages. Based on info from here: https://pascal.io/github-pages-https/, and others, my config looks like this:
server {
listen 80 default_server;
server_name leepope.com www.leepope.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name leepope.com;
ssl on;
ssl_certificate <my cert>;
ssl_certificate_key <my key>;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
location / {
proxy_pass https://leepope.github.io;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_intercept_errors on;
expires off;
}
}
When I make a request to the server root, I get a github page, but it's a 404.
I've enabled nginx debugging, but I can't see what the request going to github looks like - their headers are in the log, but there's no info about what's going out.
Can anyone help me troubleshoot this?
Thanks.

Resources