We have been trying for days (we tested hundreds of setups) to make a Nginx Reverse Proxy successfully reverse proxy a web application that needs FQDNs (this is mandatory for this web application to work).
Using the configuration below for the Nginx Reverse Proxy together with a local DNS service (see resolver attribute) that knows the FQDN we can successfully make these http calls...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://$host$request_uri;
resolver 127.0.0.1:53;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... , however if I change the proxy_pass attribute to using an IP as shown here...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://10.2.0.18:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... the web application reports not knowing the URL (error). In other words, clearly there is some parameter/data (we don't know what it is) that is added by the DNS service to the http call.
QUESTION: What is the local DNS service provided parameter/data that Nginx Reverse Proxy is not providing?
NOTE: We are asking this because we believe this is something that can be provided by the Nginx Reverse Proxy itself so that we will not need to use the local DNS service.
Thanks! =D
Related
I have a problem with nginx and proxy_pass. I try to secure connection to old server without option to upgrade apache there. I can't establish there ssl connection with tls 1.2. So i Tried to secure it by reverse proxy in nginx with some success. when i open website like http://example.com or https://example.com connection is secure and it works well. But there are other sites whitch have links like https://example.com/login https://example.com/investitions (basicly every uri example.com/foo/bar/ ect.)and those connections are insecure. my nginx config looks like this:
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate ssl.crt;
ssl_certificate_key ssl.key;
ssl_client_certificate ca.crt;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
location / {
proxy_set_header X-Scheme https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr
proxy_pass http://baza.example.com/;
}
Please help me.
I have two sites to be used on my server load balancing them using nginx. First one www.something.club and other one is extras.something.club. The first one has https and http setup already, while extras.something.club I'm yet to set up https certs, so just need http.
The problem here is when I hit extras.something.club it opens same page as www.something.club and plus redirects to https://extras.something.club. Here the page should load extra.something.club owns page, and I do not nee https since certificate is of www, it starts giving me warning anyway. Below are the configurations I'm using.
www.something.com has file at /etc/nginx/sites-available/web.conf and has symlink at /etc/nginx/sites-enabled/web.conf. Below is config:
upstream webapp {
server 123.123.0.12:8080;
server 123.234.0.18:8080;
}
server {
listen 80;
server_name www.something.club;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.something.club;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.something.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.something.club/privkey.pem;
# skipping some more ssl settings.
access_log /var/log/nginx/web.access.log;
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_pass http://webapp;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
extras.something.com has file at /etc/nginx/sites-available/extras.conf and has symlink at /etc/nginx/sites-enabled/extras.conf
upstream extraswebapp {
server 123.123.0.12:8081;
server 123.234.0.18:8081;
}
server {
listen 80;
server_name extras.something.club;
access_log /var/log/nginx/web.access.log;
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_pass http://extraswebapp;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
I have verified this config with many sample available on various websites + documents. I was not able to locate anything wrong in this. Plus there nothing in code which redirects http to https for extra.something.club Plus if I access direct IPs with those port, it works perfectly fine & doesn't redirect to https as Nginx does.
Can somebody please help me to locate the problem?
I use nginx to act as a proxy between 2 servers. I have a domain aswell as a subdomain attached to an ip. I need to send requests to a third ip via a subdomain for convoluted reasons that I wont bore you with.
An issue im having is communication between servers with rest. Any actions I take in my webapp result in
Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID
Ive been trying to figure it out and I got one login request to pass but after that everything stopped working.
The domain I have setup and everything works fine the subdomain looks like this
server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name api.example.com www.api.example.com;
location / {
proxy_pass "http://x.x.x.x:8080$request_uri";
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
}
Im relative new to nginx but to me I think this should work as a proxy. Ive had it call one request but fail there after could it either be a firewall/network issue?
I'm trying to put an nginx together with the following setup:
I have two http servers running on my localhost.
One listening on port 8080, the other on port 8081.
Both should be served through https and
the production server listening on 8080 should be accessible
to www.awesomesite.io.
the test server listening on port 8081 should be accessible through
test.awesomesite.io.
Somehow, when navigating to the test.awesomesite.io the nginx server directs me to my production server.
I use the following configuration to direct www-requests to localhost:8080 and test-request to 8081.
server {
listen 80;
server_name www.awesomesite.io;
rewrite ^ https://$host$request_uri? permanent; # force redirect http to https
server_tokens off;
}
# SSL port production server
server {
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/www.awesomesite.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.awesomesite.io/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl on;
server_name www.awesomesite.io;
server_tokens off;
# ......
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 1200s;
}
}
# SSL test server
server {
listen 80;
server_name test.awesomesite.io;
rewrite ^ https://$host:8443$request_uri? permanent; # force redirect http to https
server_tokens off;
}
server {
listen [::]:8443 ssl ipv6only=on;
listen 8443 ssl;
ssl_certificate /etc/letsencrypt/live/test.awesomesite.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.awesomesite.io/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl on;
server_name test.awesomesite.io;
server_tokens off;
# ......
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host:8443;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 1200s;
}
}
To answer my own question in case someone had the same problem:
I used the answer of https://serverfault.com/questions/538803/nginx-reverse-ssl-proxy-with-multiple-subdomains to change my configuration.
I defined multiple server blocks with www.awesomesite.io and test.awesomesite.io name for the port 443, instead of rewriting the test subdomain to use port 8443.
After these changes, the host from the test request header did match the specific server block and was routed to localhost 8081.
I still did not figure out why original configuration did not work. All requests match the production server block (or at least were handle by the first server block).
I'm having trouble of being able to access http://example.com:8000 and https://example.com:8000 but I can't seem to get them both work. This will serve as our backend and will API requests all through out. I want to either
open http://example.com:8000 and https://example.com:8000 open for API request
or
redirect from http to https redirect including the CORS authentication and and everything so the client can still get the return even with the redirect
This is my configuration so far
server {
listen 8000 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/example.com/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
charset utf-8;
location / {
proxy_pass http://ghost:8000;
proxy_set_header Host $host:$proxy_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 497 https://$host:$server_port$request_uri;
}
You need to use different ports:
server {
listen 8000;
listen 8443 ssl;
# other directives
}