I'm using wso2am version 3.2.0 and trying to configure reverse proxy using NginX following the below mentioned documentation.
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/setting-up-proxy-server-and-the-load-balancer/configuring-the-proxy-server-and-the-load-balancer/
I want to access the devportal and publisher with a new url context like https://{domain-name}/wso2am/devportal and https://{domain-name}/wso2am/publisher. My nginx configuration file is as below.
server {
listen 443 ssl;
server_name {domain-name};
proxy_set_header X-Forwarded-Port 443;
ssl_certificate /etc/nginx/ssl/{cert_name};
ssl_certificate_key /etc/nginx/ssl/{key_name};
location /wso2am/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://<server-ip>:9443;
}
access_log /etc/nginx/log/am/https/access.log;
error_log /etc/nginx/log/am/https/error.log;
}
with this configuration, when I try to access https://{domain-name}/wso2am/devportal it is redirected to the carbon login url (https://{domain-name}/carbon/admin/login.jsp) with a 404 not found error. Should I change any values in carbon.xml or in some other files for get this working?
Note: I tried to change the <WebContextRoot> in carbon.xml file with /wso2am as its value. When I restarted the server the value is overwritten again to the default /.
Where should I add the /wso2am context path in carbon configurations?
Related
I use nginx for reverse proxy with domain name. I've some application publish on IIS and i want to proxy different location name for each application.
For example;
Domain name on nginx :
example.com.tr
application end points for app:
1.1.1.1:10
1.1.1.2:10
upstream for app in nginx.conf:
upstream app_1 {
least_conn;
server 1.1.1.1:10;
server 1.1.1.2:10;
}
server {
listen 443 ssl;
server_name example.com.tr;
proxy_set_header X-Forwarded-Port 443;
ssl_certificate /etc/cert.crt;
ssl_certificate_key /etc/cert.key;
location /app_1/ {
proxy_pass http://app_1/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-REAL-SCHEME $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /etc/nginx/log/access.log;
error_log /etc/nginx/log/error.log;
}
}
When I try to access example.com.tr/app_1/ , I can access application but not all data.
I inspected this site and so many requests of application were failed.
All requests sended to example.com.tr/uri instead of example.com.tr/app_1/uri. How can I fix this ?
thanks,
You need a transparent path proxy setup. Means NGINX should use the requested URI without removing the matched location from it.
proxy_pass http://app_1;
Remove the tailing slash to tell NGINX not to do so. Using an upstream definition is great but make sure you apply keepalive.
Using Ubuntu Server 20.04, nginx/1.18.0 (Ubuntu).
For what it is worth I am trying to set up Jellyfin with remote access. I'm also using a dynamic domain name. I have a nextcloud service completely up and running using a similar ish set up. I also want the server to be accessible remotely.
When I access my domain name it simply takes me to the NGINX welcome page. I have removed it from site-enabled, and I have disabled the default.conf listen tags (and renamed the file default.conf.bak)
In essence what is supposed to happen is that when I type in the domain name it is supposed to automatically redirect to the correct port. It doesn't.
I can access the server using the ip address and jellyfin's port. But using the domain name or the ip address will simply get me the welcome screen. I am using the domain name primarily as I have other services that also use port 80.
I can access the Jellyfin site at it's local ip without the port.
I've tried a number of tips from elsewhere including editing the hosts file to ensure the domain name is linked to 127.0.0.1 but I'm running at a bit of a loss.
There is nothing in the access or error logs.
I've also checked the nginx.conf for any server blocks, there are none. Here's the file I'm using... (it's practically a copy paste from the the Jellyfin site).
server {
listen 80;
listen [::]:80;
server_name (scrambled).ydns.eu;
access_log /var/log/nginx/reverseaccess.log;
error_log /var/log/nginx/reverseerror.log;
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $>
#Security / XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-sr>
location / {
# Proxy main Jellyfin traffic
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/inde>
# location ~ ^/web/$ {
# # Proxy main Jellyfin traffic
# proxy_pass http://127.0.0.1:8096/web/index.html/;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# }
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://127.0.0.1:8096/socket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
Okay key thing here is that there are two machines involved. So the forwarding wasn't working as expected. I believe that it needs the redirect rather than a simple pass and the listening on port 80 wasn't going to happen. The router had no idea where it was supposed to send the information.
One key thing with Jellyfin installed it doesn't seem like you need a conf file on the host machine as it is currently supposed to be listening on 8080 but Jellyfin listens on 8096.
If someone want's to come along and give their expert opinion to fill in the blanks would be much appreciated. Thanks all for your help.
At any rate the following is now my config file for reverse proxy...
# Reverse proxy on forwarding machine.
server {
server_name domainname.eu;
# Not sure if this is required, it's purpose was to see where /
# the nginx page was being served from it wasn't the client as thought.
root /usr/share/nginx/test;
location / {
proxy_pass http://192.168.1.2:8096$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://192.168.1.2:8096$request_uri http://domainname.eu;
}
# The certbot action has to be done on the forwarding machine not \
# the hosting machine. Any attempt to run it on the host fails. \
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domainname.eu/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domainname.eu/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/domainname.eu/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = domainname.eu) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name domainname.eu;
root /usr/share/nginx/test;
location / {
proxy_pass http://192.168.1.2:8096$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://192.168.1.2:8096$request_uri http://domainname.eu;
}
}
Here's hoping it'll help someone in the future.
I have a Single Page Application running on a node server serving angular at www.xxx.com. This is currently working.
I am trying to server a second Node application named www.yyy.com however when I set up the NGINX server blocks it is defaulting to the NGINX welcome page.
www.xxx.com NGINX server block (Which is working fine):
server {
listen 80;
listen [::]:80;
server_name xxx.com.au www.xxx.com.au;
return 301 https://xxx.com.au$request_uri;
}
server {
listen 443;
server_name xxx.com.au www.xxx.com.au;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:3000/;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
}
ssl on;
ssl_certificate /etc/letsencrypt/live/xxx.com.au/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.com.au/privkey.pem;
}
www.yyy.com Server block: (Currently only serving welcome page)
server {
listen 80;
server_name yyy.com www.yyy.com;
location /site {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:3002/;
proxy_redirect off;
}
}
I have all the DNS set up and the host names set up on my droplet as well. I am using Vultr running Ubuntu if that helps.
I have added both via symbolic link to Sites-available and the line is present in the conf file.
EDIT: As Henry pointed out I was server /site
location /site {
You're serving the app at /site and not /.
You can map different different config blocks to different URLs, so you could e.g. route /example to a different node server if you wanted.
Replacing location /site { with location / { as for your working block will serve your node application at the root. With no configuration for the root node nginx routes it to its default page.
I have the following config:
js_include /etc/nginx/scripts/encode_request.js;
js_set $encoded_request re_encode_url;
log_format logEncoded $encoded_request;
server {
listen 443 ssl;
listen [::]:443;
server_name myfirst-domain.com;
ssl on;
ssl_certificate /etc/ssl/certs/cert.cer;
ssl_certificate_key /etc/ssl/private/cert.key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
if ($request_uri ~ ^/lool/https%3A/alf.mydomain.com/(.*)$){
access_log /var/log/nginx/access.log logEncoded; #Output the encoded url to the logs. (For debugging purposes)
rewrite ^/lool/https%3A/alf.mydomain.com/(.*)$ $encoded_request;
}
proxy_pass https://localhost:9980;
}
}
The purpose of which is to filter a URL request that that contains a decoded URL that's required by the backend service. The problem is whilst the request URL has been successfully encoded, it is not being proxied to the backend service and instead I get the original decoded URL which in turn causes an error, though I do get the correctly encoded URL output in the access.log.
Not by far an NGINX or web server saavy person so I'd appreciate some pointers as to what I'm doing wrong / missing.
Another thing that might be of note is that the request upgrades to websocket communication between the client and the sever and I am proxying that.
I'm using NGINX 1.13.6 on Debian Jessie.
I solved the issue using nginScript in the end.
I tossed the conditional and just did everything in nginScript, so the virtual host file (or server block) is simplified thus:
server {
listen 443 ssl;
listen [::]:443;
server_name myfirst-domain.com;
ssl on;
ssl_certificate /path/to/ssl/certificate;
ssl_certificate_key /path/to/ssl/certificate/key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
#Optional
access_log /var/log/nginx/ll_access.log;
error_log /var/log/nginx/ll_error.log;
proxy_pass https://127.0.0.1:9980$encoded_request;
}
}
I have a cluster glassfish instance running in Ubuntu 12.04 server with nginx as the front-end.
I have configured glassfish upstream in nginx conf file and proxy params are all set.
nginx.conf
glassfish_custer ( upstream name )
Now the problem is,
I added a file realm in glassfish with username and password entries to enable basic authentication for one of my applications.
I added necessary login config params in web.xml file, bundled war and deployed in glassfish server and when I fire url,
http://domain.com/application
It falls in redirect loop
https://domain.com/application
It happens only when I enable basic authentication. If I switch off, everything is working as expected.
I think I need to set some proxy header params and change auth settings in glassfish admin console for http listener ?
If anyone experienced this issue before, Please let me know....
In short, How to make basic authentication works in nginx load balancer with glassfish as the upstream
UPDATE 1:
nginx.conf
## http redirects to https ##
server {
#listen [::]:80;
listen 80;
server_name domain.com www.domain.com;
location / {
try_files $uri $uri/ #backend;
}
location #backend {
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header x-forwarded-for $remote_addr;
proxy_pass http://glassfish_servers;
proxy_intercept_errors on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
# Strict Transport Security
# add_header Strict-Transport-Security max-age=2592000;
# rewrite ^/.*$ https://$host$request_uri? permanent;
}
server {
listen 443 ssl;
#listen [::]:443 ssl;
server_name domain.com www.domain.com;
location / {
try_files $uri $uri/ #backend;
}
## default location ##
location #backend {
proxy_buffering off;
proxy_pass http://glassfish_servers;
proxy_intercept_errors on;
#proxy_http_version 1.1;
#proxy_set_header Connection "";
# force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
# set headers
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
#proxy_redirect off;
}
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/domain_com.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!$
}
Answering my own question.
Having this xml configuration in web.xml was the root cause of the redirection loop.
Since I added "CONFIDENTIAL" as the authority value, http request were getting redirected to https when request hit backend glassfish instance.
I changed this value to "NONE" and everything worked like charm.
<security-constraint>
<web-resource-collection>
<web-resource-name>wholesale</web-resource-name>
<url-pattern>/acme/wholesale/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>PARTNER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Make the following changes
Change <transport-guarantee>CONFIDENTIAL</transport-guarantee>
to
<transport-guarantee>NONE</transport-guarantee>
Also, make sure to set proper proxy header values in nginx conf file (or) if you configured sites conf files separately in sites-available folder, pls add the following proxy headers
proxy_set_header x-forwarded-for $remote_addr;
proxy_intercept_errors on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;