401 Unauthorized accessing arango interface behind nginx reverse proxy - nginx

When I'm trying to access the web interface of arangoDb behind a nginx reverse proxy I'm getting a 401 Unauthorized reponse
This is my current nginx configuration
location /db/bnf/ {
auth_basic off;
proxy_pass http://172.28.1.3:8529/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
The auth_basic off; is used here because of I already have security at the root of the server (.htpasswd method) I've tried with and without it
I'm able to access the login page via
http://something/db/bnf/_db/_system/_admin/aardvark/index.html#login
But then when I'm trying to login for exemple :
POST https://something/_db/_system/_open/auth
The post url seems wrong to me and should be
https://something/db/bnf/_db/_system/_open/auth
The arango conf file is set to default. I have read the documentation but they are only talking about Foxx services.
Any help would be greatly appreciated

Update
actually there is a way to serve frontend via custom path, I wasn't aware of it as I didn't find it in documentation, but then I dug in code and found issue respect x-script-name header when calculating the initial redirect into aardvark
what you need to do is
start arangod with --frontend.trusted-proxy set to ip of your proxy server
add in location in nginx conf proxy_set_header X-Script-Name /db/bnf;
access admin ui via full path /db/bnf/_db/_system/_admin/aardvark/index.html cause initial redirect doesn't work viz mentioned issue
when all set correctly you'll see your /db/bnf under basePath in /_db/_system/_admin/aardvark/config.js
ArangoDB web server serves everything via path starting /_db/..., same path is hardcoded in UI, that's why you see that login POST to /_db/... and that's why you need change in nginx config your location /db/bnf/ to location /_db

Related

Handling flask url_for behind nginx reverse proxy

I have a flask application using nginx for a reverse proxy/ssl termination, but I'm running into trouble when using url_for and redirect in flask.
nginx.conf entry:
location /flaskapp {
proxy_pass http://myapp:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
The idea is that a user navigates to
https://localhost:port/flaskapp/some/location/here
and that should be passed to flask as
http://localhost:8080/some/location/here
This works reasonably well when navigating to a defined route, however if the route has redirect(url_for('another_page')), the browser is directed to
http://localhost:8080/another_page
And fails, when the URL I actually want to go to is:
https://localhost:port/flaskapp/another_page
I have tried several other answers for similar situations, but none have seemed to be doing exactly what I am doing here. I have tried using _external=True, setting app.config['APPLICATION_ROOT'] = '/flaskapp' and many iterations of different proxy_set_header commands in nginx.conf with no luck.
As an added complication, my flask application is using flask-login and CSRF cookies. When I tried setting APPLICATION_ROOT the application stopped considering the CSRF cookie set by flask-login valid, which I assume has something to do with origins.
So my question is, how do I make it so that when flask is returning a redirect() to the client, nginx understands that the URL it is given needs flaskapp written into it?
I managed to fix it with some changes.
Change 1. Adding /flaskapp to the routes in my flask application. This eliminated the need for URL-rewriting and simplified things greatly.
Change 2. nginx.conf changes. I added logc in the location block to redirect http requests as https, new conf:
location /flaskapp {
proxy_pass http://myapp:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# New configs below
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
# Makes flask redirects use https, not http.
proxy_redirect http://$http_host/ https://$http_host/;
}
While I didn't "solve" the issue of introducing conditional rewrites based on a known prefix, since I only need one prefix for this app it is an acceptable solution to bake it into the routes.
In your situation I think the correct thing would be to use werkzeug's ProxyFix middleware, and have your nginx proxy set the appropriate required headers (specifically X-Forwarded-Prefix).
https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
This should make url_for work as you would expect.
Edit: Snippet from #Michael P's answer
from werkzeug.middleware.proxy_fix import ProxyFix
app = Flask(__name__)
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_host=1)

How to setup Reverse Proxy on NGINX to External Website (with a path)

suppose i Have a server on ip 111.111.111.111
on which nginx server is installed as a web server
I want that if someone visit on
http://111.111.111.111/new
They should see the content of
http://example.github.io/new
Someone told me it is possible via NGINX Reverse Proxy or Apache Reverse Proxy
The trick of configuring sites-enabled/default works fine for locally hosted sites on different port but it is not working for external website.
What i have done for this (on server 111.111.111.111):
in /etc/nginx/sites-enabled/default
server {
listen 80;
location /new/ {
proxy_pass http://example.github.io/new;
proxy_redirect default;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
}
What i got :
404
There isn't a GitHub Pages site here.
GitHub Pages allows repository owners to associate a domain with that repository, which it verifies by making sure that domain's A/CNAME records are pointed to GitHub.
If you are pointing the entirety of your domain to this GitHub page, then you do not need a reverse proxy, as the A records will accurately point your domain to GitHub Pages.
Your configuration aims to only reverse proxy a directory of your domain, instead of your domain as a whole. However, you are setting your Host header to match the Host header as requested by the client. As a result, GitHub Pages is checking if that repository is configured to receive traffic as 111.111.111.111, which it is not. This is why you receive the 404 error -- there is not a GitHub Pages configuration that matches that repository and host combination.
Change the Host header in proxy_set_header to example.github.io so that, even though the client requested 111.111.111.111, GitHub receives the request as a request for example.github.io.

Jenkins Url changes when going to /jenkins/configureSecurity/

I have set up nginx as a reverse proxy for our jenkins server. Nginx is using proxy_pass to the jenkins server so it should just be forwarding the requests and responses.
When I go to my.domain.com/jenkins (hitting the nginx server) the url is fine. I can click on the url for each project and the url will still look like: my.domain.com/jenkins/job/myProject/. Even going to jenkins configure is fine.
The problem:
When I click on Configure Global Security the url changes to jenkin's sever IP. This wouldn't be such an issue but the Google Login Plugin is hitting it as well and my OAuth callbacks are set to hit the nginx server.
What I've Done:
I have set the Jenkins URL in configure to be my.domain.com/jenkins
Made sure the JENKINS_ARGS have the --prefix=/jenkins
Restarted Jenkins after setting the url in the configuration.
Verified jenkins.model.JenkinsLocationConfiguration.xml has the correct location
Any ideas or suggestions would be amazing! Thank You!
The issue was nginx and the way I was redirecting.
I was using:
location /jenkins/ {
proxy_pass $scheme://ip.address.to.server:port;
}
But needed:
location /jenkins/ {
proxy_pass $scheme://ip.address.to.server:port;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Nginx reverse proxy fails to tunnel file requests

I'm running an application inside Tomcat on port 2211 and all is well. However I would like to serve this application whenever anyone browses to site.com/service and for that I came up with this Nginx proxy pass setup.
location /service {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass https://127.0.0.1:2211;
}
But when I browse to site.com/service I can only see my jetty application in plain HTML. For some reason all files even though they exist on Tomcat the browser receives a 404 reply for all of them.
I've looked into how the browser is requesting the file, for example:
<img src="/themes/logo.png">
This image instead of being requested at site.com/service/themes/logo.png is being asked at site.com/themes/logo.png, which obviously doesn't work and therefore 404 not found. The same happens to all other files, it should be looking for them at site.com/service not on the root folder site.com.
Surely Nginx is missing some configuration parameters, could you point towards it?
Both nginx and the image are behaving correctly, the proxy is returning the html just as it is, the problem is that the tomcat server thinks that it's the root, so it returns all the assets relative to the root, you can fix this in a couple of ways
Either change the subfolder /service to a subdomain service.domain.com this way the assets will truely be in the root.
Somehow configure the tomcat server to return all it's links relative to the /service folder, an easy way would be adding a base inside the head tag
<base href='http://domain.com/service'>
This way the urls will all be absolute, but that will only make the urls functional under that proxy
Instead of modifying your tomcat application, you can tell nginx to add that header by it self, by doing some replacement in the returned html using sub_filter, it would insert in inside the head tag
sub_filter '</head>' '<base href='$scheme://$server_name/service></head>';

github oauth and nginx proxy

I am feeling that I have searched the complete internet and tried nearly everything to solve my problem. Now I decided to ask you and hope that there is anybody out there who is able to help me.
I have a node application running on sub2.domain.tld:3000. Now I want to proxy this application to port 80 with nginx in the way that I am able to reach the app with sub.domain.tld. But that is not the problem. I am able to reach the first site.
The problem follows by an authentification routine with OAuth-API to verify the user for the application.
When surfing to sub2.domain.tld:3000 the process works fine. But when I change the url in the configs and try to surf to sub.domain.tld the authentification process runs into an error (error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL.....).
So I guess I am making a mistake in the redirecting of the url with nginx.
I am using nginx 1.4.7 and node 0.10.26
My nginx configuration file looks like that:
server {
listen 80;
access_log /var/log/nginx/access_log_sub;
server_name sub.domain.tld;
location / {
include proxy_params;
proxy_pass http://IP:3000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Client-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
}
}
But I belive OAuth is verifying sub2.domain.tld:3000 and that it gets in conflict with sub.domain.tld
I hope you are able to help me, solving this issue.
The error isn't coming from nginx, it's coming from your OAuth provider:
The redirect_uri parameter is optional. If left out, GitHub will redirect users to the callback URL configured in the OAuth Application settings. If provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL.
-- https://developer.github.com/v3/oauth/#redirect-urls
This is an old question, but...
Try changing your Host header to
proxy_set_header Host $host:$server_port
This may or may not work depending on your application.
As an aside, X-Forwarded-For should include a comma-separated list of the originating client and any proxies it passes through.

Resources