I only want to allow access to my server from one domain. Let's say my domain is called "mydomain.mydomain.com" (yes, it is a subdomain).
Normally I would write everywhere server_name mydomain.mydomain.com, but I changed it to a non-existing domain and I can still enter the website? Why is my website working also from other domains? I know nginx is normally using the first server-block if no server_name is found, but my first server-block is my catch-all non-existing domain block. I defined server_name _; and default_server, but still, my website is working.
I have the following configuration:
server {
#If server_name mydomain.mydomain.com is not found return 444
listen 80 default_server;
server_name _;
return 444;
}
# redirect all traffic to https if the domain is mydomain.mydomain.com (server_name)
server {
listen 80;
listen [::]:80;
#-------------------------------------------
# I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
#-------------------------------------------
server_name nonExistingDomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /config/www;
index index.html index.htm index.php;
#-------------------------------------------
# I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
#-------------------------------------------
server_name nonExistingDomain.com;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
client_max_body_size 0;
error_page 404 =200 /portal;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
location = / {
return 301 https://mydomain.mydomain.com/portal;
#try_files $uri $uri/ /index.html /index.php?$args =404;
}
location /pea {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080/pea;
# do not pass the CORS header from the response of the proxied server to the
# client
#proxy_hide_header 'Access-Control-Allow-Origin';
}
location /portal {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8180/portal;
}
location /auth {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8280/auth;
}
}
You are listening on the IPv6 network socket in the server blocks where you changed the domain to a non-existent one. Since there are no other such server blocks, they are the default for those IPv6 ports.
Note that your first server block is the default only for the IPv4 network socket (listen 80 default_server;).
Thus the behavior can be explained only by the fact that you are connecting/testing over IPv6.
To avoid inconsistency, use default_server for all your listen options. E.g. in the first server block add default_server for IPv6 too:
server {
#If server_name mydomain.mydomain.com is not found return 444
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
Related
I am currently developing a web study for my research using Strapi for my backend on a virtual machine. Although all have been running smoothly, now that I am going for full deployment, I ran into a minor issue that I cannot seem to get my head around.
The frontend is already online, running on Nginx (v.1.18.0). For security and best practice, I generated an SSL certificate for my domain and rerouted all HTTP requests to HTTPS, which worked fine.
However, Strapi is still running on localhost:1337 without HTTPS, understandably causing browsers to refuse to connect. In response to that, I followed Strapi's documentation to set up a proxy (Nginx Proxying), but when trying to curl the proxy, I get an unresolved host error.
I am quite new to Nginx and Strapi. When I test with nginx -t, it responds successfully. Yet, the proxy is not working.
Below, my files:
My ./config/env/production/server.js is still quite basic and looks as follows:
module.exports = ({ env }) => ({
host: env('HOST', '127.0.0.1'),
port: env.int('PORT', 1337),
url: 'https://api.my-domain.com',
app: {
keys: env.array('APP_KEYS'),
},
});
/etc/nginx/conf.d/upstream.conf
# Strapi server
upstream strapi {
server 127.0.0.1:1337;
}
My /etc/nginx/sites-available/strapi.conf (within location, I added the return 200 'OK' for testing):
server {
# Listen HTTP
listen 80;
server_name api.my-domain.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# Listen HTTPS
listen 443 ssl;
server_name api.my-domain.com;
# SSL config
ssl_certificate path/to/certificate/fullchain.pem;
ssl_certificate_key path/to/certificate/privkey.pem;
# Proxy Config
location / {
proxy_pass http://strapi/;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
return 200 "OK";
}
}
I changed the default domain to a custom file - gonna keep calling it default here though:
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
root /var/www/my-domain/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name my-domain.com www.my-domain.com;
location / {
# First attempt to serve request as file, then
try_files $uri $uri/ =404;
}
}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl ;
listen [::]:443 ssl ;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
root /var/www/my-domain.com/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name my-domain.com; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
ssl_certificate path/to/certificate/fullchain.pem;
ssl_certificate_key path/to/certificate/privkey.pem;
}
Thanks in advance!
Strapi Version: 4.4.3
Operating System: Ubuntu 20.04.5 LTS
Database: MySQL
Node Version: v18.10.0
NPM Version: 8.19.2
Yarn Version: 1.22.19
Turns out, following multiple guides can quickly turn any Nginx config into a mess. I went through it all and cleaned my files. The resulting one works like a charm:
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/certificate/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certificate/privkey.pem;
root /var/www/my-domain/html;
index index.html index.htm index.nginx-debian.html;
server_name my-domain.com www.my-domain.de;
# Proxy Config
location /strapi/ {
rewrite ^/strapi/?(.*)$ /$1 break;
proxy_pass http://strapi/;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
return 200 "OK";
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
How to proxy 127.0.0.1:8000/wordpress/ to www.domain.com/ in Nginx and Wordpress?
And make sure the site resource path and redirection is correct.
For example, when the user opens www.domain.com, it will show the result of 127.0.0.1:8000/wordpress that is running on the server.
/etc/nginx/sites-available/
server {
listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/example.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name example.com;
}
Use this
server {
listen 8000;
server_name localhost;
location /wordpress {
proxy_pass http://www.example.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
My current configuration for Nginx is
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.html;
server_name url.tdl;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://localhost:2368;
}
}
server {
listen 443 ssl;
server_name url.tdl; # Replace with your domain
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
ssl_certificate /root/url.tdl.chained.crt;
ssl_certificate_key /url.tdl.me.key;
client_max_body_size 10G;
location / {
proxy_pass http://localhost:2368;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
}
}
In the above configuration file, I have no redirects written, but still the website redirects to HTTPS.
According to nginx - Disable http to https redirect?, they have disabled listen 443 but I want to have the 443 as an option.
Is there any way to keep both options?
I have the following Nginx server block:
server {
listen 80;
listen [::]:80;
server_name example.com;
root /usr/share/nginx/html;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost/page-1/;
}
}
I would like that when the user gets a 404 error on example.com, the proxy_pass should change to direct to http://localhost/example-404/.
However, this server block and the one for http://localhost both have the same root so alternatively it could just point to /example-404/ internally, I'm not sure which is easier to do. Either way, I want the address in the browser's address bar to stay the same.
The reason I want this is that there will be a different 404 page if accessing the server from http://localhost directly. I would really appreciate anyone's thoughts on this!
You can use different vhosts to give different results depending on how the user is accessing the server. I'd imagine something like this might work:
server {
listen 80;
server_name example.com;
root /usr/share/nginx/html;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_intercept_errors on;
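error_page 404 = @errors;
proxy_pass http://localhost/page-1/;
}
# named locations start with "@" ("#" would begin a comment)
location @errors {
# root must be a directory; try_files picks the error page inside it
root /usr/share/nginx/errors;
try_files /example.com.404.html =404;
}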
}
server {
listen 80;
server_name localhost;
root /usr/share/nginx/html;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_intercept_errors on;
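error_page 404 = @errors;
proxy_pass http://localhost/page-1/;
}
# named locations start with "@" ("#" would begin a comment)
location @errors {
# root must be a directory; try_files picks the error page inside it
root /usr/share/nginx/errors;
try_files /localhost.404.html =404;
}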
}
I have a server with two IPs. When I use nginx as a reverse proxy for jboss7,
in order to prevent direct access using the IP address (we have configured the DNS),
I use the configuration below:
# You may add here yourdefault_server;
# server {
#
server {
listen *:80;
server_name _;
return 404;
}
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name www.shikuaigou.com localhost;
charset utf-8;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://jboss;
}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
allow ::1;
deny all;
}
}
server {
listen 80;
server_name example.com;
rewrite "^/(.*)$" http://www.example.com/$1 permanent;
}
server {
listen 12.34.56.78;
server_name www.example.com;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://jboss;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ /index.html;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
}
But only one IP matches the server which returns 404; the other one does not match the
configuration server_name _;
What causes this?
Because you have listen 12.34.56.78; so nginx chooses this server to process requests on 12.34.56.78, since it is more specific for that IP.
Please, also note that server_name _; actually means nothing, except an incorrect domain name.
Reference:
Server names
How nginx processes a request
The listen directive
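The first answer (default_server applies per listen socket, so IPv4 and IPv6 each need it) and the last one (a listen on a specific IP is a socket of its own) rest on the same rule, and it can be checked mechanically. The Python sketch below is an added example, not code from any of the posts: it works out which server block nginx treats as the default on each address:port and lists the sockets where that default is a named site instead of a catch-all. The function names, the constructed sample strings and the convention that a catch-all has server_name _ or none are assumptions of this example.

```python
import re

# Constructed input: only the listen/server_name lines of the two configs in question.
FIRST_QUESTION = """
server { listen 80 default_server; server_name _; return 444; }
server { listen 80; listen [::]:80; server_name nonExistingDomain.com; }
server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name nonExistingDomain.com; }
"""
TWO_IP_QUESTION = """
server { listen *:80; server_name _; return 404; }
server { listen 12.34.56.78; server_name www.example.com; }
"""

def socket_key(addr):
    """Normalise a listen address to the address:port pair nginx matches on."""
    if addr.isdigit():
        return "*:" + addr                                      # "80" -> "*:80"
    return addr if re.search(r":\d+$", addr) else addr + ":80"  # bare address: port 80

def server_blocks(conf):
    """Yield each server { } body. Simplified parser: no quoted braces or '#'."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def default_servers(conf):
    """Map each listen socket to (server_names, explicit) of its default server."""
    chosen = {}
    for body in server_blocks(conf):
        found = re.search(r"\bserver_name\s+([^;]+);", body)
        names = found.group(1).split() if found else [""]
        for addr, opts in re.findall(r"\blisten\s+([^\s;]+)([^;]*);", body):
            sock, explicit = socket_key(addr), "default_server" in opts.split()
            # First block seen on a socket is its default unless another is marked.
            if sock not in chosen or (explicit and not chosen[sock][1]):
                chosen[sock] = (names, explicit)
    return chosen

def unguarded(conf, catch_all=("_", "")):
    """Sockets where a request with an unknown Host lands in a named site block."""
    return sorted(s for s, (names, _) in default_servers(conf).items()
                  if not set(names) <= set(catch_all))

if __name__ == "__main__":
    print(unguarded(FIRST_QUESTION), unguarded(TWO_IP_QUESTION))
```

For the first question's config the result includes both 443 sockets as well as [::]:80, because no catch-all block listens on 443 at all.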