How can I optimize my nginx configuration - nginx

I have an nginx .conf file as below; I'm wondering if it can be written more simply:
default.conf
upstream docsapp {
    server app:8000;
}
server {
    listen 80;
    location / {
        alias /usr/share/nginx/html/;
    }
    location /admin/ {
        proxy_pass http://docsapp/admin/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /api/ {
        proxy_pass http://docsapp/api/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /api-token-auth/ {
        proxy_pass http://docsapp/api-token-auth/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /docs/ {
        proxy_pass http://docsapp/docs/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /media/ {
        add_header Access-Control-Allow-Origin *;
        alias /usr/local/src/app/media/;
        internal;
    }
    location /static/ {
        alias /usr/local/src/app/static/;
    }
    client_max_body_size 8M;
}
Location / is the Vue.js app, the rest is Django REST Framework. I've searched the web for a while but none of the solutions I found worked for me.
Another problem occurred during an attempt to split this file into two:
vue.conf
server {
    listen 80;
    location / {
        alias /usr/share/nginx/html/;
    }
}
and
drf.conf
upstream docsapp {
    server app:8000;
}
server {
    listen 80;
    location /admin/ {
        proxy_pass http://docsapp/admin/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /api/ {
        proxy_pass http://docsapp/api/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /api-token-auth/ {
        proxy_pass http://docsapp/api-token-auth/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /docs/ {
        proxy_pass http://docsapp/docs/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /media/ {
        add_header Access-Control-Allow-Origin *;
        alias /usr/local/src/app/media/;
        internal;
    }
    location /static/ {
        alias /usr/local/src/app/static/;
    }
    client_max_body_size 8M;
}
It also didn't work. Any help would be appreciated.

I think that since you do not change the request URI when you proxy requests to the docsapp upstream, you can replace the four location blocks where the proxy_pass directive is used with the following one:
location ~ ^/(?:admin|api|api-token-auth|docs)/ {
    proxy_pass http://docsapp;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
}
You can't split your server block in two, only one of them will work acting as default server (see the documentation).
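
The single-file result of the answer above, as an added example that is not part of the original post. It goes one step beyond the answer by declaring the proxy headers once at server level, relying on nginx inheriting proxy_set_header into locations that define none of their own; paths and names are the ones from the question.

```nginx
upstream docsapp {
    server app:8000;
}

server {
    listen 80;
    client_max_body_size 8M;

    # Declared once; inherited by every location below that sets no
    # proxy_set_header of its own.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;

    # Vue.js app
    location / {
        alias /usr/share/nginx/html/;
    }

    # Django REST Framework. proxy_pass has no URI part, so the request
    # URI reaches the upstream unchanged. The pattern is anchored with ^
    # and ends in /, so /static/api/... or /apifoo do not match it.
    location ~ ^/(?:admin|api|api-token-auth|docs)/ {
        proxy_pass http://docsapp;
    }

    # "internal" keeps /media/ unreachable by direct client requests;
    # it is served only via internal redirects such as X-Accel-Redirect.
    location /media/ {
        add_header Access-Control-Allow-Origin *;
        alias /usr/local/src/app/media/;
        internal;
    }

    location /static/ {
        alias /usr/local/src/app/static/;
    }
}
```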

Related

How to stop Nginx redirect if HOST HEADER is incorrect

I have been trying to solve this issue for quite a while now. Bots are hitting my sites hard with INVALID HOST HEADERS and Nginx forwards these requests to Gunicorn/Django. I need to stop them at Nginx. I have tried every solution I can find on SO, and elsewhere, but none seem to work for my setup.
Nginx.conf:
upstream backend_server {
    server backend:8000;
}
upstream backend_asgi {
    server backend_asgi:8001;
}
server {
    listen 80;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location ~* ^/(api|admin|static|v2) {
        return 301 https://$host$request_uri;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.site *.example.site;
    ssl_certificate /etc/letsencrypt/live/example.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.site/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location /ws/ {
        proxy_pass http://backend_asgi;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
    location ~ ^/v2(?:/(.*))?$ {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ /v2/index.html =404;
    }
    location /backend_static/ {
        alias /backend/assets/;
    }
    location /media/ {
        alias /backend/media/;
    }
    location ~* ^/(api|admin) {
        proxy_pass http://backend_server$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $https;
        proxy_connect_timeout 360s;
        proxy_read_timeout 360s;
    }
    location / {
        proxy_pass http://backend_server$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $https;
        proxy_connect_timeout 360s;
        proxy_read_timeout 360s;
        # Set upload size for videos to be 500MB
        client_max_body_size 500M;
    }
}
What can I add to my Nginx configuration to stop invalid host headers, given that I have a wildcard subdomain and bots are also using HOST HEADERS w/ subdomains?
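
One way to reject such requests at nginx before they reach Gunicorn/Django, as an added example that is not part of the original post. It assumes the file is included in the http context, nginx 1.19.4 or later for ssl_reject_handshake, and that www and app are the subdomains really served (placeholder names); the variable $host_allowed is also introduced here.

```nginx
# Allow-list of Host values. Anything else, including unknown
# *.example.site names, maps to 0.
map $host $host_allowed {
    default           0;
    example.site      1;
    www.example.site  1;   # assumed subdomain
    app.example.site  1;   # assumed subdomain
}

# Port 80 catch-all: any Host not matched by another server_name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;                  # close the connection, send nothing
}

# Port 443 catch-all: abort the TLS handshake for unknown SNI names.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
    return 444;                  # valid SNI but unmatched Host header
}

# Existing port 80 server, now bound to the site's names so the
# catch-all above takes everything else.
server {
    listen 80;
    server_name example.site *.example.site;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Existing port 443 server: the wildcard still matches bot-supplied
# subdomains, so check the allow-list before any location runs.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.site *.example.site;
    if ($host_allowed = 0) {
        return 444;
    }
    # ssl_* directives and location blocks as in the question
}
```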

How to proxy_pass to a sub path

I have a host with two containers:
nginx
check_mk
the check_mk interface is accessible by http://172.17.0.2:5000/cmk
I have proxy_pass rule set up in nginx:
server {
    listen 80;
    server_name cmk.domain.com;
    location / {
        proxy_pass http://172.17.0.2:5000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
When I hit the nginx on port 80 with cmk.domain.com/cmk it works.
What I want is that when hitting the server_name cmk.domain.com, the /cmk would be added automatically.
I tried doing proxy_pass http://172.17.0.2:5000/cmk; but then I get a page not found error.
What am I missing here?
Try this
server {
    listen 80;
    server_name cmk.domain.com;
    location /cmk {
        proxy_pass http://172.17.0.2:5000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
    location / {
        return 301 http://cmk.domain.com/cmk$request_uri;
    }
}

How to configure nginx to support signalr3 under cloudflare?

I am struggling with signalr3 and nginx reverse proxy configuration, my nginx cfg looks like this:
server {
    listen 80;
    server_name my.customdomain.com;
    location / {
        root /pages/my.customdomain.com;
        index index.html index.htm;
        try_files $uri $uri/ /index.html =404;
    }
    ## send request back to kestrel ##
    location /proxy/ {
        proxy_pass http://xxxxxxxxxx.westeurope.cloudapp.azure.com/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
What do I miss here?
When I browse my page, I receive OK for
GET /proxy/notifications/negotiate
and
GET /proxy/notifications?id=uFQtMDg1dXib6LGvUssQhQ
but 404 for POST
POST proxy/notifications?id=uFQtMDg1dXib6LGvUssQhQ
pls halp!
ps. my Hub is very simple...
[AllowAnonymous]
public class NotificationHub : Hub
{
}
This is a websocket based app so you need additional nginx config
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #proxy_set_header X-Forwarded-Proto https;
    # proxy_pass requires a scheme in front of the address
    proxy_pass http://127.0.0.1:8080;
    # the WebSocket upgrade needs HTTP/1.1 towards the upstream
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_ssl_session_reuse off;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

nginx not finding some JS files

server {
    listen 80;
    access_log /var/log/nginx/dashboards.access.log;
    error_log /var/log/nginx/dashboards-reg.error.log;
    root /usr/share/nginx/htmlresource;
    location /performance-platform/landlord-reg {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://landlord-reg/dashboard/landlord-reg/pages/;
        proxy_redirect http://landlord-reg/dashboard/landlord-reg/pages/ $scheme://;
    }
    location ~* \.(jpg|ttf|jpeg|svg|png|gif|ico|css|js|eot|woff|woff2)$ {
        root /usr/share/nginx/html/dashboards/landlord-reg/pages;
        proxy_pass http://landlord-reg;
    }
    location /performance-platform/discharges {
        root /usr/share/nginx/html/dashboards/discharges/pages;
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://discharges/dashboard/discharges/pages/;
        proxy_redirect http://discharges/dashboard/discharges/pages/ $scheme://;
    }
    location ~* \.(jpg|jpeg|svg|png|gif|ico|css|js|eot|woff|woff2)$ {
        root /usr/share/nginx/html/dashboards/discharges/pages;
        try_files /usr/share/nginx/html/dashboard/discharges/pages $uri;
        proxy_pass http://discharges;
    }
}
The above is more or less the full nginx config that is in sites-available. The upstream servers are Docker containers, though that shouldn't really make any difference.
This finds all but 2 of my js files.
<script src="../resource/feedconf.js"></script>
This is NOT found ^^^
whereas this is
<script src="../../../assets/js/widgets/errorWidget.js"></script>
I've tried 2 different approaches to achieve the same thing, one for landlord and one for discharges, but neither works. Ran out of ideas, hence the question on here.
On an initial look at the code, I understand perhaps you meant to do the following. It would be better if you shared your folder hierarchy.
server {
listen 80;
access_log /var/log/nginx/dashboards.access.log;
error_log /var/log/nginx/dashboards-reg.error.log;
root /usr/share/nginx/htmlresource;
location /performance-platform/landlord-reg {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://landlord-reg/dashboard/landlord-reg/pages/;
proxy_redirect http://landlord-reg/dashboard/landlord-reg/pages/ $scheme://;
} <-- delete this from here
location ~* \.(jpg|ttf|jpeg|svg|png|gif|ico|css|js|eot|woff|woff2)$ {
root /usr/share/nginx/html/dashboards/landlord-reg/pages;
proxy_pass http://landlord-reg;
}
} <- add this here
location /performance-platform/discharges {
root /usr/share/nginx/html/dashboards/discharges/pages;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://discharges/dashboard/discharges/pages/;
proxy_redirect http://discharges/dashboard/discharges/pages/ $scheme://;
} <-- delete this from here
location ~* \.(jpg|jpeg|svg|png|gif|ico|css|js|eot|woff|woff2)$ {
root /usr/share/nginx/html/dashboards/discharges/pages;
try_files /usr/share/nginx/html/dashboard/discharges/pages $uri;
proxy_pass http://discharges;
} <- add this here
}

How to configure NGINX not to cache specific URL?

I have an NGINX server as a front-end cache server and I'd like to disable caching on specific URLs.
Here is the configuration on NGINX:
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:10m inactive=120m max_size=1000m;
proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
server {
    listen 10.0.0.45:80 default_server;
    server_name proxy2.jjd;
    include /etc/nginx/default.d/*.conf;
    location / {
        client_max_body_size 20m;
        proxy_cache my_zone;
        proxy_cache_bypass $http_cache_control;
        proxy_no_cache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
        add_header X-Proxy-Cache-NGINX $upstream_cache_status;
        add_header X-Real-IP $remote_addr;
        add_header Cache-Control "public";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_redirect off;
    }
}
Add the following location to avoid a URL:
location ^~ /your-url/ {
    add_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_redirect off;
}
It just assigns this location to the proxy and doesn't enable caching for it.
As I get it, you just need a nested location with a single string proxy_cache off; inside to disable caching for nested URLs. Like this:
location / {
    proxy_cache my_zone;
    proxy_cache_bypass $http_cache_control;
    # other stuff related to proxying or other processing
    location /do/not/cache/this/url/ {
        proxy_cache off;
    }
}
You can just specify a location that only does proxy_pass, to disable the cache:
location /will/not/cache {
    proxy_pass http://127.0.0.1:8080;
    # proxy_set_header directives as needed
}
