Nginx 301 when accessing a proxied domain locally - wordpress

I have Nginx running as a reverse proxy for a domain, let's call it "testdomain.com". The proxy itself is working, and I can access this website from almost anywhere I want, except locally.
To clarify it better, here's my architecture:
I have an ESXi server which has a pfSense VM; the pfSense VM port-forwards all requests destined to port 80 to port 80 of another VM. That VM has a Docker container which is running nginx, so the request goes to port 80 of the container, which then proxy-passes the HTTP request to another external server where the application (WordPress) is hosted. As I said earlier, it works fine; however, if I execute a curl locally (i.e. within my first VM or the nginx container) to my address, it returns the following:
curl testdomain.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
It seems that Nginx can't find the vhost, here's how my .conf for the website looks:
server {
    listen 80;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    server_name testdomain.com;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    location / {
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;
        expires 60M;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myexternalserver.com:80;
    }
}
server {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    listen 443 ssl http2;
    server_name testdomain.com;
    access_log /var/log/nginx/access.log;
    ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
    #
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    #
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    #
    add_header Strict-Transport-Security "max-age=31536000" always;
    #
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 4h;
    ssl_session_tickets on;
    location / {
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;
        expires 60M;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://myexternalserver.com:443;
    }
}
I apologize if I miss any relevant info.
Thank you!

Related

proxy_pass connection insecure

I have a problem with nginx and proxy_pass. I am trying to secure the connection to an old server with no option to upgrade Apache there. I can't establish an SSL connection with TLS 1.2 there, so I tried to secure it with a reverse proxy in nginx, with some success. When I open the website at http://example.com or https://example.com, the connection is secure and it works well. But there are other sites which have links like https://example.com/login, https://example.com/investitions (basically every URI of the form example.com/foo/bar/ etc.), and those connections are insecure. My nginx config looks like this:
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate ssl.crt;
    ssl_certificate_key ssl.key;
    ssl_client_certificate ca.crt;
    proxy_ssl_protocols TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    location / {
        proxy_set_header X-Scheme https;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://baza.example.com/;
    }
}
Please help me.

NGINX failed to pass traffic to application

I have an nginx proxy in front of an application (listening on 10.10.10.10:80) where the SSL certificate is terminated, but I have an issue when trying to access the log-in page, as nginx redirects traffic to port 80 (which isn't listening).
The NGINX configuration is shown below:
server {
    listen 10.11.11.11:443 ssl;
    server_name test.example.com;
    access_log /var/log/nginx/test-access.log main;
    error_log /var/log/nginx/test-error.log warn;
    client_body_buffer_size 1M;
    client_max_body_size 16M;
    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;
    ssl_certificate <PATH>/cert.crt;
    ssl_certificate_key <PATH>/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    location / {
        proxy_pass http://10.10.10.10;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_ignore_headers Expires Cache-Control Set-Cookie;
        proxy_pass_header Content-Type;
        proxy_pass_header Content-Disposition;
        proxy_pass_header Content-Length;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffers 32 4k;
        proxy_max_temp_file_size 0;
        proxy_force_ranges on;
    }
}
What is needed so that NGINX always redirects traffic to 10.11.11.11:443 and apparently to 10.10.10.10:80?
PS: If I manually enter the FQDN (https://test.example.com) for the failed request, then the request becomes successful.
Hope I explained it properly :)
Thank you.
Sounds like you are testing using the IP address (10.11.11.11) and your proxy_pass endpoint (10.10.10.10) is configured to only accept requests for the specified FQDN (test.example.com) on HTTP (TCP port 80).
When it receives a request for a domain it does not recognize, it redirects the user to what it believes should work: http://test.example.com
You have a couple of options to fix this:
- Update the upstream server to accept requests for additional Host header values
- Rewrite the 302 Location header in the response to change the protocol from HTTP to HTTPS
- Configure a server block to listen on HTTP and have it redirect to HTTPS
- Hard code the 'proxy_set_header Host' directive to test.example.com so it matches what the upstream expects (not recommended, because it could create unexpected results down the road when troubleshooting different issues)
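The second and third options from the answer above, written out as an added nginx example (not part of the original answer or the asker's configuration), reusing the addresses and hostname from the question. The X-Forwarded-Proto header and the second proxy_redirect rule are assumptions about how the upstream application builds its redirects.

```nginx
# Added example, constructed from the names and addresses in the question.

# Option 3: a plain-HTTP listener whose only job is to send clients to HTTPS,
# so a redirect to http://test.example.com no longer hits a closed port.
server {
    listen 10.11.11.11:80;
    server_name test.example.com;
    return 301 https://test.example.com$request_uri;
}

server {
    listen 10.11.11.11:443 ssl;
    server_name test.example.com;

    ssl_certificate     <PATH>/cert.crt;   # placeholder path, as in the question
    ssl_certificate_key <PATH>/cert.key;   # placeholder path, as in the question

    location / {
        proxy_pass http://10.10.10.10;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Assumption: the application reads this header to learn that the
        # client connection was HTTPS and builds its own URLs accordingly.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Option 2: rewrite Location (and Refresh) headers in upstream
        # responses so redirects stay on HTTPS and on the public hostname.
        proxy_redirect http://test.example.com/ https://test.example.com/;
        # Assumption: the upstream may also redirect to its own address.
        proxy_redirect http://10.10.10.10/ https://test.example.com/;
    }
}
```

After reloading, `curl -skI https://test.example.com/` against the log-in path should show a `Location:` header that begins with `https://`.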

Bad Gateway with NGINX as reverse proxy

I've been trying to redirect traffic from https://server:443 to http://server:8088 internally using NGINX as a reverse proxy. I can see my service on 8088 is running since I can access it, but when I try to access it over HTTPS on port 443 it gives me a 502 Bad Gateway error. The service I'm running is Apache Superset.
I have already created my cert.pem and key.pem files. I have already tried several combinations in the location section of /etc/nginx/conf.d/default.conf, but no luck so far.
server {
    listen 443 http2 ssl;
    server_name localhost;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        add_header Front-End-Https on;
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        proxy_pass_header Authorization;
        proxy_pass http://localhost:8088;
        proxy_redirect off;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Connection "";
    }
}
I'd expect to hit https://server:443 and it will display my service which is running at http://server:8088.

nginx http to https redirect configuration not working

I have configured my nginx based on the documentation provided and articles available on the web. It's not completely working, specifically HTTP to HTTPS.
I tried different changes but still have not been able to get it working. Please have a look.
A few important points: my Node.js app is running on port 3000.
Ghost blog is running on 2368.
HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    server_name domainname.com www.domainname.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.domainname.com;
    error_page 497 https://www.domainname.com$request_uri;
    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers KEY_HERE;
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /etc/ssl/certs/dhparam.pem;
    resolver 8.8.8.8;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /blog {
        proxy_pass http://localhost:2368;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
This issue is resolved.
Everything is correct with nginx configuration. Issue was with Google console platform. There is a check box in GCP config with name Allow HTTP traffic, which was unchecked by default. I made the change and it started working. Thanks for the reply.
I recommend you to do as below:
location / {
    return 301 https://$host$request_uri;
}

Serving Polymer PWA with nginx reverse proxy

I'm trying to serve my Polymer PWA with an HTTP/2 reverse proxy using nginx, but I cannot get it to work properly. The PWA is served unbundled with prpl-server at 127.0.0.1:38765, which works fine. My prpl-server looks like this:
const express = require('express')
const prpl = require('prpl-server')
const config = require('./build/polymer.json')
const app = express()
const port = 38765
app.get('*', prpl.makeHandler('./build/', config))
app.listen(port)
and my nginx config at /etc/nginx/sites-available/default looks like this:
upstream app {
    server 127.0.0.1:38765;
    keepalive 64;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name app; # or full domain? tried both, doesn't work
    location / {
        proxy_pass http://app$request_uri;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto-Version $http2;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Connection "";
        # Cache Controls
        # This section sets response expiration which prevents 304 not modified
        expires 0;
        add_header Pragma public;
        add_header Cache-Control "public";
        access_log off;
        # Security Patches
        # This section are security patches in case the client overrides
        # these values, the server re-enables it and enforce its rules
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "deny";
        add_header X-Content-Type-Options "nosniff";
    }
    ssl on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
When I go to the page, all dependencies seem to be downloaded over h2 except for ma-app.html (the app shell), which gives me a 502 error. All other files download with a 200 status and have the same size (minus some compression) as when I go to port 38765 directly, but the page is blank.
Am I missing something? Why doesn't the shell download properly? All files' request URLs are exactly the same for the nginx reverse proxy as for the prpl-server except for the port number.
[Screenshots not preserved: the page working when the prpl-server is accessed directly, the page not working through the nginx reverse proxy, and some info for the failed request.]
The problem had something to do with the buffer size being too small, as mentioned here: https://github.com/Polymer/prpl-server-node/issues/50#issuecomment-333270848.
I added
proxy_buffer_size 128k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
in the location section of the nginx config and now the thing works.
