Ghost Blog & Mixed Active Content - nginx

I am trying to publish a blog using Ghost behind an NGINX reverse proxy. However, I am facing 1 small problem which means that content such as images cannot be loaded on blog posts. After looking in development tools, I noticed this is due to Mixed Active Content (HTTP requests instead of HTTPS) being loaded. An interesting note is this works absolutely fine on mobile devices as they do not block HTTP content.
My Ghost blog is set up as http://blog.jamdoog.com because a https://blog.jamdoog.com address causes infinite redirects. In addition to this I am unsure how I am meant to create the reverse proxy files for the HTTPS aspect.
The setup I am using is a reverse proxy with NGINX for Ghost and then a second reverse proxy on "edge" nodes. This is so that I can distribute my content to servers that are closer to the viewer.
I have attached a diagram of how my setup works and my NGINX config files.
Image of web content being served
NGINX config on blog server:
server {
    listen 80;
    server_name blog.jamdoog.com;
    root /var/www/ghost/blog.jamdoog.com/system/nginx-root;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host blog.jamdoog.com;
        proxy_pass http://127.0.0.1:2368;
    }
    location ~ /.well-known {
        allow all;
    }
    client_max_body_size 50m;
}
NGINX config on edge server:
upstream blog.jamdoog.com {
    server blog.jamdoog.com;
}
server {
    server_name blog.jamdoog.com;
    access_log /var/log/nginx.access.log;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://IPOfBlog;
        proxy_set_header Host blog.jamdoog.com;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffers 32 4k;
        proxy_cache proxy-cache;
        proxy_cache_valid 200 302 30m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
    }
    location ^~ /ghost {
        proxy_ignore_headers Cache-Control;
        add_header X-Cache-Status $upstream_cache_status;
    }
    listen 443 ssl;
    ssl_certificate /path/to/fullchain.cer;
    ssl_certificate_key /path/to/the.key;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    if ($host = blog.jamdoog.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name blog.jamdoog.com;
    return 404; # managed by Certbot
}
Thank you.
EDIT: To clarify, I am asking for help with an NGINX config to allow me to use Ghost with SSL by default as opposed to redirecting to HTTPS. This would fix this issue.
Alternatively, a way to make Ghost utilise relative paths.
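
The blog-server config above sets X-Forwarded-Proto to $scheme, which is always "http" on the edge-to-origin hop, so Ghost is told every request arrived over HTTP; that is consistent with the redirect loop seen when the site URL is https://. A sketch of an origin server block that passes the edge's value through instead (an added example, not from the original post; the edge address 203.0.113.10 and the variable name $client_proto are placeholders chosen here):

```nginx
# Added example: origin (blog server) config, placed in the http context.
# Assumptions: the edge node's address is 203.0.113.10 (placeholder) and
# Ghost's site URL has been changed to https://blog.jamdoog.com.

# Use the edge's X-Forwarded-Proto only when it is exactly "https";
# anything else falls back to the scheme of this hop.
map $http_x_forwarded_proto $client_proto {
    default $scheme;
    https   https;
}

server {
    listen 80;
    server_name blog.jamdoog.com;
    root /var/www/ghost/blog.jamdoog.com/system/nginx-root;
    client_max_body_size 50m;

    # Only the edge nodes may talk to the origin, so a direct client
    # cannot supply its own X-Forwarded-* headers.
    allow 203.0.113.10;   # placeholder edge address
    deny  all;

    location / {
        proxy_set_header Host              blog.jamdoog.com;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Before: X-Forwarded-Proto $scheme  (always "http" on this hop)
        proxy_set_header X-Forwarded-Proto $client_proto;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }
}
```

The edge config already sends X-Forwarded-Proto $scheme from its port 443 server block, so no change is needed there. The edge-to-origin hop (proxy_pass http://IPOfBlog) remains unencrypted in this layout.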

Related

Nginx Reverse Proxy Not Redirecting to Wordpress site running on non standard http port

So I am trying to set up an nginx reverse proxy in my network to only have 2 external ports out to the world. I am taking in both http and https traffic and using HSTS to force https. I am able to reverse proxy to applications running on the standard port 80/443, but when I try to reverse proxy to an application running on a docker host it gets weird. In the address bar it changes from fireampersand.ca/website to fireampersand.ca:8050/website. I'm not sure why. I'm still fairly new to nginx so maybe it is something obvious. Any help would be appreciated.
nginx.conf
events {
}
http {
    server {
        listen 80 default_server;
        server_name fireampersand.ca;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        return 301 https://$host;
    }
    server {
        listen 443 ssl http2 default_server;
        server_name fireampersand.ca;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        ssl_certificate "/etc/letsencrypt/live/fireampersand.ca-0001/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/fireampersand.ca-0001/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        location ~* ^/owa { proxy_pass https://starscream.fireampersand.ca; }
        location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://starscream.fireampersand.ca; }
        location ~* ^/ecp { proxy_pass https://starscream.fireampersand.ca; }
        location ~* ^/rpc { proxy_pass https://starscream.fireampersand.ca; }
        location ~* ^/portainer { proxy_pass http://docker.fireampersand.ca:9000; }
        location ~* ^/foodbank { proxy_pass https://docker.fireampersand.ca:8002; }
        location ~* ^/website/ { proxy_pass http://docker.fireampersand.ca:8050; }
        location / { root /usr/share/nginx/html; }
    }
}

Issues with Artifactory and NGINX proxy_pass

I'm having issues with nginx and proxy pass. I have set up an instance of JFrog Artifactory and pointed my domain to it successfully; however the port is still appearing in the "URL to file" (the image). Here is my nginx config:
server {
    server_name repo.hyperiamc.com;
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }
    ## Application specific logs
    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    chunked_transfer_encoding on;
    client_max_body_size 0;
    location / {
        proxy_read_timeout 2400s;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_pass http://x.x.x.x:8082;
        proxy_next_upstream error timeout non_idempotent;
        proxy_next_upstream_tries 1;
        proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        location ~ ^/artifactory/ {
            proxy_pass http://x.x.x.x:8081;
        }
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/repo.hyperiamc.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/repo.hyperiamc.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Visiting the site the URL works, it appears that it's only the URL to file. I have set my Base URL inside of artifactory to match that of the proxy.
I believe it is due to the header value we are setting up in the config. Change the line.
From: proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
TO: proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
Hope this helps.

Multiple nginx subdomains leads to a single jetty instance

I have added multiple subdomains on nginx and now I would like to proxy pass all subdomains to a single jetty instance.
Let's say:
subdomain1.blog.com -> localhost:8080/subdomain1
jenkins.blog.com -> localhost:8080/jenkins
I tested a lot of examples and in the end I struggled with the url.
If I open http://jenkins.blog.com I am redirected to https://jenkins.blog.com/jenkins/login?from=%2Fjenkins%2F
How can I get rid of this /jenkins/ in my url?
Is it possible to achieve it without using multiple jetty instances and deploying apps on webroot?
upstream jetty {
    server 127.0.0.1:8080 fail_timeout=0;
}
server {
    listen 80;
    server_name jenkins.blog.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name jenkins.blog.com;
    ssl_certificate /etc/letsencrypt/live/blog.com-0002/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.com-0002/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location /jenkins {
        rewrite ^/jenkins(/.*)$ $1 last;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://jetty/jenkins/;
        proxy_read_timeout 90;
        #proxy_redirect http://localhost:8080/jenkins https://jenkins.blog.com;
        #proxy_redirect http:// https://;
        proxy_redirect off;
        proxy_buffering off;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
        add_header 'X-SSH-Endpoint' 'jenkins.blog.com:50022' always;
    }
}

Senaite LIMS (Plone 4.3.18) css not working on Nginx with https enabled

I've installed and set up senaite.lims, which is a Plone extension, running on Plone 4.3.18 installed by the Unified Installer, and adding senaite.lims to the buildout.cfg eggs.
It's running fine on port 8080, and I can get Nginx to work redirecting / to :8080, but when I start using https, suddenly the css of the site doesn't work anymore.
I looked at the source, and the produced html page shows a link to the stylesheet with http://.... which I don't know if may cause problems, but if I actually try to open the .css file in the browser it works fine.
I set up and tried both with port 80 redirecting the https, and serving both a version of http and https, but neither one would get the page to render using .css. If anyone has any tips, or sees something wrongly configured in the nginx below, any help would be greatly appreciated.
Here is my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
    worker_connections 768;
}
http {
    default_type application/octet-stream;
    include /etc/nginx/mime.types;
    sendfile on;
    keepalive_timeout 75;
    upstream plone {
        server 127.0.0.1:8080;
    }
    server {
        listen 80;
        listen 443 ssl http2;
        server_name 99.99.99.99; # changed for posting on SO
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        error_log /var/log/nginx/nginx.vhost.error.log;
        location / {
            proxy_pass http://localhost:8080/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_buffer_size 128k;
            proxy_buffers 8 128k;
            proxy_busy_buffers_size 256k;
        }
    }
}
You missed rewriting the URL, e.g.:
rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
Here is a complete working config for SENAITE:
server {
    listen 80;
    server_name senaite.mydomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name senaite.mydomain.com;
    # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
    include snippets/ssl-senaite.mydomain.com.conf;
    include snippets/ssl-params.conf;
    include snippets/well-known.conf;
    access_log /var/log/nginx/senaite.access.log;
    error_log /var/log/nginx/senaite.error.log error;
    # Allow Cross-Origin Resource Sharing from our HTTP domain
    add_header "Access-Control-Allow-Origin" "http://senaite.ridingbytes.com";
    add_header "Access-Control-Allow-Credentials" "true";
    add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
    add_header "X-Frame-Options" "SAMEORIGIN";
    if ($http_cookie ~* "__ac=([^;]+)(?:;|$)" ) {
        # prevent infinite recursions between http and https
        break;
    }
    # rewrite ^(.*)(/logged_out)(.*) http://$server_name$1$2$3 redirect;
    location / {
        set $backend http://haproxy;
        # API calls take a different backend w/o caching
        if ($uri ~* "##API") {
            set $backend http://api;
        }
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
        # proxy_pass $backend;
        proxy_pass http://plone;
    }
}

How to use Nginx proxy with multi sites and two servers?

I've installed nginx proxy in a VPS (Ubuntu 12.04 + Nginx 1.1.19) in order to send requests:
A- from (site1.com, site2.com and site3.com) to SERVER_A
B- from (site4.com, site5.com and site6.com) to SERVER_B
I used /etc/nginx/proxy.confg file with content:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
Also, in /etc/nginx/sites-enabled I created the first configuration file with:
server {
    listen 80;
    server_name site1.com site2.com site3.com;
    access_log /var/log/nginx/access.log;
    location / {
        proxy_pass http://IP_of_SERVER_A/;
        include /etc/nginx/proxy.conf;
    }
}
It works fine till here. The problem comes when I try to add a second configuration file with:
server {
    listen 80;
    server_name site4.com site5.com site6.com;
    access_log /var/log/nginx/access.log;
    location / {
        proxy_pass http://IP_of_SERVER_B/;
        include /etc/nginx/proxy.conf;
    }
}
Now:
Sites in the second file don't work and all requests from (site4.com, site5.com, site6.com) go to SERVER_A too.
Any help to add missing parts?
