nginx proxy pass ip from url - nginx

I have multiple web servers with IP addresses, say 172.18.1.1 to 172.18.1.20, hosting different websites on 443 (https), and an nginx server which I need to use for proxying the above servers.
Example:
My nginx server IP is https://10.220.5.39:9200; by giving the web server in the URL, I need to show the websites,
i.e. https://10.220.5.39:9200/proxy/172.18.1.1 should get the website of https://172.18.1.1
AND
https://10.220.5.39:9200/proxy/172.18.1.2 should get the website of https://172.18.1.2
    # "~" is required for a regex location; without it the pattern is a literal prefix
    location ~ ^/proxy/(?<uniqueId>[^/]+).* {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass https://$uniqueId/;
    }
But it is not working. I cannot use a redirect, since the client will not have access to the web servers directly.
Also, some websites load CSS files from the root, i.e. href="/static/theme.css",
because of which in the browser console we are getting
not found https://10.220.5.39:9200/static/theme.css
Is this even possible with nginx?
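One way to build what the question asks for, as an added example (not the asker's config): the listen address and the 172.18.1.1-172.18.1.20 backend range come from the question; the certificate paths are placeholders. The security point is that `proxy_pass https://$uniqueId/` with an unconstrained capture lets any client turn the proxy at any reachable address, so the allowlist is put into the location regex itself, and the root-relative asset problem is handled with proxy_redirect plus sub_filter.

```nginx
server {
    listen 9200 ssl;
    ssl_certificate     /etc/nginx/tls/proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/proxy.key;   # placeholder path

    # Only the twenty backends named in the question are reachable through the
    # proxy: the allowlist is part of the regex, so a request naming any other
    # host (another internal machine, a cloud metadata address, an external name)
    # never matches this block and falls through to the 403 below.
    # "~" makes this a regex location; without it nginx treats the pattern as a
    # literal prefix and never matches. The boundary after the address is strict,
    # so 172.18.1.100 is not accepted as 172.18.1.1 plus a path.
    location ~ ^/proxy/(?<uniqueId>172\.18\.1\.(?:[1-9]|1[0-9]|20))(?<rest>/.*|)$ {
        # Bare /proxy/<ip> gets a trailing slash so relative links in the page
        # resolve under /proxy/<ip>/ and the backend always receives a URI.
        if ($rest = "") {
            return 301 /proxy/$uniqueId/;
        }

        proxy_pass https://$uniqueId$rest$is_args$args;
        proxy_set_header Host $uniqueId;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # nginx does not verify backend certificates by default. Where the backends
        # carry certificates from a CA you control, enable verification:
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # placeholder

        # Redirects from the backend (Location: https://172.18.1.1/login or /login)
        # are rewritten so the browser stays under /proxy/<ip>/.
        proxy_redirect https://$uniqueId/ /proxy/$uniqueId/;
        proxy_redirect / /proxy/$uniqueId/;

        # Root-relative links in the body (href="/static/theme.css") become
        # /proxy/<ip>/static/theme.css. Needs ngx_http_sub_module, and the body
        # must be uncompressed for sub_filter to see it.
        proxy_set_header Accept-Encoding "";
        sub_filter_types text/css application/javascript;   # text/html is always included
        sub_filter_once off;
        sub_filter 'href="/' 'href="/proxy/$uniqueId/';
        sub_filter 'src="/'  'src="/proxy/$uniqueId/';
        sub_filter 'url(/'   'url(/proxy/$uniqueId/';
    }

    # Anything else under /proxy/ names an address outside the allowlist.
    location /proxy/ {
        return 403;
    }
}
```

The sub_filter rewrites catch the common `href`, `src` and CSS `url()` forms; links built by JavaScript at runtime, or absolute URLs containing the backend's own address, are not covered and still need the individual site to be path-aware or a per-site rewrite rule.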

Related

I wonder about reverse proxy server configuration with frontend server, API server, nginx server

I'm configuring a reverse proxy server with nginx.
The nginx.conf file is like this: location / -> front server address, location /api -> api server address.
The front server originally fetched from http://${api_addr}/api (before setting up nginx), but now I changed the API URL to http://${nginx_addr}/api to construct the reverse proxy server. I am wondering whether it is correct to send the request directly from the front to the API address or to send the request to the nginx address?
reverse proxy server structure
So you're configuring a website and you want it to direct traffic to your frontend (HTML etc.) and have an API route going to your API, if I'm reading that correctly?
You'd do it similar to this:
    server {
        listen 80;
        server_name yourdomain.com;
        set $frontend "frontend-stuff.com";
        set $backend "backend.com";
        # proxy_pass with a variable hostname needs a "resolver" directive so nginx
        # can look the name up at request time.
        location /api {
            ## if your api backend starts at / rather than /api you'd rewrite away the /api path
            # rewrite /api/(.*) /$1 break;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $backend;
            proxy_pass http://$backend;
            break;
        }
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $frontend;
            proxy_pass http://$frontend;
            break;
        }
    }
The variables stop nginx hitting an 'emerg' (fatal error) if a host falls down in the background between reloads; they can also be helpful with services where the frontend has a large IP range, like CloudFront etc.
In the case of your frontend, if you're calling something like CloudFront you'd need to force TLS 1.2:
proxy_ssl_protocols TLSv1.2;
proxy_ssl_server_name on;
X-Forwarded-Proto https is needed if the backend app is returning paths (.NET apps use this to set paths to https etc.).
I am wondering if it is correct to send the request directly from the front to the api address or if it is correct to send the request to the nginx address?
It's best to proxy all your requests for an application via the same site config, for multiple reasons, such as:
Combined logging (easier to debug)
Simpler to secure (set CSP and unified security headers across the site)
Easier to handle CORS for any frontend-related activities (AJAX/XHR)
If you provide a bit more info I can probably pad this out.
It is best practice to always query the Nginx endpoint and not the specific port. By directly querying the specific API port, you are completely bypassing the server routing service and could therefore accidentally overload your API endpoint if not careful.
By routing everything through the Nginx server, you ensure that your API service remains healthy and works as expected.

flask application using flask_oidc with nginx reverse proxy in docker deployed on EC2 giving Not authorized error after authentication with keycloak

I have the following setup:
1: Keycloak docker container running on an EC2 instance. (I have configured it temporarily to accept HTTP connections.)
2: My Flask application together with nginx reverse proxy running in docker on another EC2 instance.
I have created the realm and client on Keycloak and configured the redirect URI.
I am able to get my Flask application to reach the Keycloak instance for authentication.
I added from werkzeug.middleware.proxy_fix import ProxyFix and app.wsgi_app = ProxyFix(app.wsgi_app) to get the redirect_uri to work.
However, when the redirection happens, I get a 'Not authorized' error (I can also see 401 in the nginx log).
I have set the OVERWRITE_REDIRECT_URI as OVERWRITE_REDIRECT_URI = 'https://authenticationdemo.mydomain/oidc_callback'
I configured nginx to forward the HTTPS request with endpoint oidc_callback to my Flask application route /oidc_callback (I do not implement my own callback).
    location /oidc_callback {
        proxy_pass http://<flask_app_name_in_docker>:<port>/oidc_callback;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_redirect off;
    }
I am not able to solve this problem as I am not able to figure out where the callback is going wrong. I can see the log from nginx with GET /oidc_callback?state=<...somevalue..>&session_state=<...somevalue>&code=<..somevalue...>
But after redirection this does not work.
I tried both:
using IP addresses in the redirect URI
using a domain name the same as my certificates and configuring the hosts file on the EC2 instance with Keycloak to point to the correct IP address of the EC2 instance with the Flask application
Neither is working.
I am not able to figure out if something is going wrong in passing back the authentication information or if there is some basic config wrong.
Can somebody please point to the correct approach?
I already looked up and tried information in other related questions:
Flask_oidc gives Errno 99 Cannot assign requested address when run in Docker container
flask-oidc-redirect-uri-value-being-overwritten-somewhere
flask-oidc-with-keycloak-oidc-callback-default-callback-not-working
(and read many other similar ones)
I am not looking for a custom callback. I just need the default callback behavior as it is without a reverse proxy.
Update:
I figured out that the problem was due to the failing check for a matching 'OIDC_VALID_ISSUER' in the function _is_id_token_valid(self, id_token) in flask_oidc. Putting the port number in the URL for the issuer in client_secrets was causing the problem. Removing it solved the problem.

ASP.NET Owin OAuth callback URL with reverse proxy

I need your help to solve an issue I have with OAuth on my MVC5 application. On my development environment everything's fine. I set up Twitter/Google/Facebook/Microsoft providers and it works like a charm for now.
My issue is on a test environment. I'm using nginx as a front server to hold the certificates and serve some static content through a subdirectory of the domain.
The proxy part is configured as follows:
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
The problem is that all my configured callback URLs for external providers are on the HTTPS scheme, but running the application on HTTP makes the callback URL have an HTTP protocol (for example, the authorized callback URL is https://example.com/signin-facebook but the effective callback URL sent to the provider is http://example.com/signin-facebook).
I saw on other posts that there is an AspNetCore solution with UseForwardedHeaders, but as I'm still on normal AspNet, it's not an option.
As a dirty workaround, I temporarily allowed URLs with an HTTP protocol as callback URLs for Twitter/Facebook and Google, but Microsoft is strict and only allows HTTPS. (This workaround works because my nginx is configured to perform a 301 redirect on incoming HTTP requests to the same request over HTTPS.)
Does anyone have a solution to change the scheme of the base URL used to build the callback URL?

How to configure NGINX to proxy to web server behind VPC

I have a web server behind a VPC, and normally we set up an SSH tunnel and connect to localhost with a web browser. However, to make it easier to connect to the site via a mobile device, I was thinking of using our NGINX installed on the bastion/gateway server to proxy requests to the web server behind the VPC. Does anyone have a configuration of what is needed in NGINX to do this?
Thanks!
Sounds like a simple reverse proxy - to expose your internal web server e.g. 172.31.0.1 to the outside at /some/path/:
    location /some/path/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://172.31.0.1;
    }
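Extending the answer's snippet, as an added example rather than the answerer's own config: the internal address 172.31.0.1 and the /some/path/ prefix come from the answer; the hostname, certificate, htpasswd and network values are placeholders. Because the bastion is the Internet-facing host, the location requires credentials before anything is forwarded, and it shows the proxy_pass trailing-slash rule that decides whether the backend sees the /some/path/ prefix.

```nginx
server {
    listen 443 ssl;
    server_name bastion.example.com;                  # placeholder name
    ssl_certificate     /etc/nginx/tls/bastion.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/bastion.key;   # placeholder path

    location /some/path/ {
        # The bastion is reachable from the Internet, so the internal app must not
        # be forwarded to unauthenticated clients.
        auth_basic           "internal";
        auth_basic_user_file /etc/nginx/htpasswd;     # placeholder path

        # Optionally restrict by source network as well (placeholder range).
        # allow 203.0.113.0/24;
        # deny  all;

        # With a URI on proxy_pass ("/"), the matched prefix is replaced:
        # /some/path/login is forwarded as /login. The answer's form without a
        # trailing slash, "proxy_pass http://172.31.0.1;", forwards
        # /some/path/login unchanged, which only works if the internal site is
        # itself served under /some/path/.
        proxy_pass http://172.31.0.1/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Absolute Location headers (http://172.31.0.1/...) are rewritten by the
        # default proxy_redirect; relative ones (Location: /login) need this line
        # so the browser is sent back under the prefix.
        proxy_redirect / /some/path/;
    }
}
```

If the internal application emits root-relative links (href="/static/..."), the same problem as in the first question on this page applies and the prefix has to be restored in the response body as well, or the application configured with /some/path/ as its base path.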

404s on AWS deployed MEAN app

I have a MEAN.io application deployed to AWS EC2. It's running via nginx proxy_pass on port 8087; the config is as follows:
    location /myapp/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://0.0.0.0:8087/;
    }
The problem I have is that in the browser some POST/PUT requests sent via AJAX are returning 404 errors and the default nginx error page. Those requests are not even making it through to the Node.js server, as I can see in the logs that they are not recorded. There is definitely a route provided for those requests, as the app works totally fine on localhost. The same POST/PUT requests seem to work fine when queried directly using 'curl' in the console.
I am not an nginx / AWS expert, so I wanted to ask a simple question: is there any way nginx could be caching those requests, and why would they return a different HTTP code when queried from 'curl' or via AJAX in the browser?
I think you have a problem with the way you have configured your nginx server; please do check the following rules for nginx:
url rewriting
public folder and
static content
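A way to settle where the 404 is produced, as an added example that is neither the asker's nor the answerer's config: it assumes the Node.js app from the question listens on 8087 behind location /myapp/ and that nginx can write to /var/log/nginx/ (placeholder path). The access log records whether each request was ever handed to an upstream, which is the fact missing from the question.

```nginx
http {
    # One line per request: client, method and URI, the status nginx returned, and
    # whether an upstream was contacted at all. A 404 with upstream=- was answered
    # by nginx itself (the URI did not fall under /myapp/); a 404 with
    # upstream=127.0.0.1:8087 upstream_status=404 came from the Node.js app.
    log_format proxy_debug '$remote_addr $request_method "$request_uri" -> $status '
                           'upstream=$upstream_addr upstream_status=$upstream_status '
                           'xhr="$http_x_requested_with" referer="$http_referer"';

    server {
        listen 80;
        access_log /var/log/nginx/proxy_debug.log proxy_debug;   # placeholder path

        location /myapp/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            # The trailing slash strips "/myapp" before forwarding, so the app sees "/...".
            proxy_pass http://127.0.0.1:8087/;   # assumed loopback address for the app
        }
    }
}
```

Comparing the logged "$request_uri" of a failing browser request with the URL used in the working curl command shows whether the two actually hit the same path; a browser-side request for a root-relative URL such as /api/items would be logged with upstream=- and never reach the app, while curl against /myapp/api/items would.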