Nginx Proxy Pass does... nothing? - nginx

Using Ubuntu Server 20.04, nginx/1.18.0 (Ubuntu).
For what it is worth, I am trying to set up Jellyfin with remote access. I'm also using a dynamic domain name. I have a Nextcloud service completely up and running using a similar-ish setup. I also want the server to be accessible remotely.
When I access my domain name it simply takes me to the NGINX welcome page. I have removed it from site-enabled, and I have disabled the default.conf listen tags (and renamed the file default.conf.bak).
In essence what is supposed to happen is that when I type in the domain name it is supposed to automatically redirect to the correct port. It doesn't.
I can access the server using the ip address and jellyfin's port. But using the domain name or the ip address will simply get me the welcome screen. I am using the domain name primarily as I have other services that also use port 80.
I can access the Jellyfin site at its local ip without the port.
I've tried a number of tips from elsewhere including editing the hosts file to ensure the domain name is linked to 127.0.0.1 but I'm running at a bit of a loss.
There is nothing in the access or error logs.
I've also checked the nginx.conf for any server blocks, there are none. Here's the file I'm using... (it's practically a copy paste from the Jellyfin site).
server {
    listen 80;
    listen [::]:80;
    server_name (scrambled).ydns.eu;
    access_log /var/log/nginx/reverseaccess.log;
    error_log /var/log/nginx/reverseerror.log;

    # use a variable to store the upstream proxy
    # in this example we are using a hostname which is resolved via DNS
    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $>

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    #add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-sr>

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/inde>
    # location ~ ^/web/$ {
    #     # Proxy main Jellyfin traffic
    #     proxy_pass http://127.0.0.1:8096/web/index.html/;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header X-Forwarded-Protocol $scheme;
    #     proxy_set_header X-Forwarded-Host $http_host;
    # }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://127.0.0.1:8096/socket/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

Okay key thing here is that there are two machines involved. So the forwarding wasn't working as expected. I believe that it needs the redirect rather than a simple pass and the listening on port 80 wasn't going to happen. The router had no idea where it was supposed to send the information.
One key thing with Jellyfin installed it doesn't seem like you need a conf file on the host machine as it is currently supposed to be listening on 8080 but Jellyfin listens on 8096.
If someone wants to come along and give their expert opinion to fill in the blanks, it would be much appreciated. Thanks all for your help.
At any rate the following is now my config file for reverse proxy...
# Reverse proxy on forwarding machine.
server {
    server_name domainname.eu;

    # Not sure if this is required, its purpose was to see where
    # the nginx page was being served from. It wasn't the client as thought.
    root /usr/share/nginx/test;

    location / {
        proxy_pass http://192.168.1.2:8096$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://192.168.1.2:8096$request_uri http://domainname.eu;
    }

    # The certbot action has to be done on the forwarding machine, not
    # the hosting machine. Any attempt to run it on the host fails.
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domainname.eu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domainname.eu/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/domainname.eu/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}

server {
    if ($host = domainname.eu) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name domainname.eu;
    root /usr/share/nginx/test;

    location / {
        proxy_pass http://192.168.1.2:8096$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://192.168.1.2:8096$request_uri http://domainname.eu;
    }
}
Here's hoping it'll help someone in the future.

Related

nginx reverse proxy for application

I use nginx as a reverse proxy with a domain name. I have some applications published on IIS and I want to proxy a different location name for each application.
For example;
Domain name on nginx :
example.com.tr
application end points for app:
1.1.1.1:10
1.1.1.2:10
upstream for app in nginx.conf:
upstream app_1 {
    least_conn;
    server 1.1.1.1:10;
    server 1.1.1.2:10;
}

server {
    listen 443 ssl;
    server_name example.com.tr;
    proxy_set_header X-Forwarded-Port 443;
    ssl_certificate /etc/cert.crt;
    ssl_certificate_key /etc/cert.key;

    location /app_1/ {
        proxy_pass http://app_1/;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-REAL-SCHEME $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log /etc/nginx/log/access.log;
        error_log /etc/nginx/log/error.log;
    }
}
When I try to access example.com.tr/app_1/, I can access the application but not all data.
I inspected the site and many of the application's requests failed.
All requests were sent to example.com.tr/uri instead of example.com.tr/app_1/uri. How can I fix this?
thanks,
You need a transparent path proxy setup. This means NGINX should use the requested URI without removing the matched location from it.

    proxy_pass http://app_1;

Remove the trailing slash to tell NGINX not to do so. Using an upstream definition is great but make sure you apply keepalive.
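
The URI mapping this answer relies on, modelled in Python as an added example (not part of the original answer): for a prefix location, nginx replaces the matched prefix when `proxy_pass` carries a URI and passes the path through unchanged when it does not. The request paths are constructed and `upstream_uri` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

def upstream_uri(location, proxy_pass, request_uri):
    """URI nginx sends upstream for a prefix location (no regex, no variables).

    Returns None when the request path does not fall under the location,
    i.e. this location block never sees the request.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        return None
    # "" for http://app_1, "/" for http://app_1/
    uri_part = urlsplit(proxy_pass).path
    if uri_part:
        # proxy_pass has a URI: the matched location prefix is replaced by it
        path = uri_part + path[len(location):]
    # proxy_pass without a URI: the path is passed through unchanged
    return path + sep + query

# Constructed request paths for the /app_1/ location from the question.
REQUESTS = ["/app_1/", "/app_1/css/site.css?v=2", "/css/site.css"]

def compare(location="/app_1/"):
    """Return (request, upstream URI with trailing slash, without) per request."""
    return [(uri,
             upstream_uri(location, "http://app_1/", uri),
             upstream_uri(location, "http://app_1", uri))
            for uri in REQUESTS]

if __name__ == "__main__":
    for uri, with_slash, without_slash in compare():
        print(f"{uri:26} with '/': {with_slash!s:20} without: {without_slash}")
```
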

WSO2 Api Manager url context

I'm using wso2am version 3.2.0 and trying to configure reverse proxy using NginX following the below mentioned documentation.
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/setting-up-proxy-server-and-the-load-balancer/configuring-the-proxy-server-and-the-load-balancer/
I want to access the devportal and publisher with a new url context like https://{domain-name}/wso2am/devportal and https://{domain-name}/wso2am/publisher. My nginx configuration file is as below.
server {
    listen 443 ssl;
    server_name {domain-name};
    proxy_set_header X-Forwarded-Port 443;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};

    location /wso2am/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://<server-ip>:9443;
    }

    access_log /etc/nginx/log/am/https/access.log;
    error_log /etc/nginx/log/am/https/error.log;
}
With this configuration, when I try to access https://{domain-name}/wso2am/devportal it is redirected to the carbon login url (https://{domain-name}/carbon/admin/login.jsp) with a 404 not found error. Should I change any values in carbon.xml or in some other files to get this working?
Note: I tried to change the <WebContextRoot> in carbon.xml file with /wso2am as its value. When I restarted the server the value is overwritten again to the default /.
Where should I add the /wso2am context path in carbon configurations?

nginx setting up two subdomains with https and http not working

I have two sites to be used on my server, load balancing them using nginx. The first one is www.something.club and the other one is extras.something.club. The first one has https and http set up already, while for extras.something.club I have yet to set up https certs, so I just need http.
The problem here is that when I hit extras.something.club it opens the same page as www.something.club and also redirects to https://extras.something.club. Here the page should load extra.something.club's own page, and I do not need https; since the certificate is for www, it starts giving me a warning anyway. Below are the configurations I'm using.
www.something.com has file at /etc/nginx/sites-available/web.conf and has symlink at /etc/nginx/sites-enabled/web.conf. Below is config:
upstream webapp {
    server 123.123.0.12:8080;
    server 123.234.0.18:8080;
}

server {
    listen 80;
    server_name www.something.club;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.something.club;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.something.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.something.club/privkey.pem;
    # skipping some more ssl settings.
    access_log /var/log/nginx/web.access.log;
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://webapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
extras.something.com has file at /etc/nginx/sites-available/extras.conf and has symlink at /etc/nginx/sites-enabled/extras.conf
upstream extraswebapp {
    server 123.123.0.12:8081;
    server 123.234.0.18:8081;
}

server {
    listen 80;
    server_name extras.something.club;
    access_log /var/log/nginx/web.access.log;
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://extraswebapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
I have verified this config against many samples available on various websites and documents. I was not able to locate anything wrong in it. Plus, there is nothing in the code which redirects http to https for extra.something.club. Plus, if I access the direct IPs with those ports, it works perfectly fine and doesn't redirect to https as Nginx does.
Can somebody please help me to locate the problem?

nginx redirection to subdomain thats a proxy to another domain

I use nginx to act as a proxy between 2 servers. I have a domain as well as a subdomain attached to an ip. I need to send requests to a third ip via a subdomain for convoluted reasons that I won't bore you with.
An issue I'm having is communication between servers with rest. Any actions I take in my webapp result in

    Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID

I've been trying to figure it out and I got one login request to pass, but after that everything stopped working.
The domain I have set up and everything works fine; the subdomain looks like this
server {
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    server_name api.example.com www.api.example.com;

    location / {
        proxy_pass "http://x.x.x.x:8080$request_uri";
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
    }
}
I'm relatively new to nginx, but I think this should work as a proxy. I've had it call one request but fail thereafter; could it be a firewall/network issue?

nginx to expose internal http service as https subdomain

I have found several partial answers on this site and similar ones, but I couldn't figure out how to put them together, or maybe the answer is there and I cannot recognise it :-/
What I'm trying to achieve:
I have an http service running in the LAN (I have setup dnsmasq appropriately) as:
http://subdomain1.domain.com:1234/
and I would like to expose it on the internet (the external DNS is also working fine) as:
https://subdomain2.domain.com:443/
with user authentication handled by nginx.
I also want to (must?) keep the URL visible in the browser unmodified.
I have tried several combinations of what I found from similar questions, but something seems to elude me.
This is my last attempt:
ssl_certificate /var/www/domain.com/domain_com.crt;
ssl_certificate_key /var/www/domain.com/domain_com.key;

server {
    listen 443 default_server;
    server_name subdomain1.domain.com;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/domain.com/domain.com.passwords;
        proxy_pass http://subdomain1.domain.com:1234/;
        proxy_set_header Host $http_host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect https://subdomain2.domain.com/ http://subdomain1.domain.me:1234/;
    }
}
What I get is: "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."
Update:
I think I found a solution, but review would still be appreciated.
This one also rewrites http access to go through https.
ssl_certificate /var/www/domain.com/domain_com.crt;
ssl_certificate_key /var/www/domain.com/domain_com.key;

server {
    listen 80;
    server_name subdomain1.domain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443;
    ssl on;
    server_name subdomain1.domain.com;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/domain.com/domain.com.passwords;
        proxy_pass http://subdomain2.domain.com:1234/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        proxy_redirect off;
    }
}
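
A small check for the failure in the first attempt above, added here as an example and not part of the original post: a `listen 443` with neither the `ssl` parameter nor `ssl on;` makes nginx speak plain HTTP on that port, which a browser reports as an SSL protocol error. The two configs are abbreviated copies of the ones in the post, and the function names are hypothetical.

```python
import re

def server_blocks(conf):
    """Yield the body of each server { ... } block, tracking nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def plaintext_tls_listeners(conf, tls_ports=("443",)):
    """Return (server_name, listen args) for TLS-port listeners without TLS enabled."""
    conf = re.sub(r"#.*", "", conf)            # drop comments before matching
    findings = []
    for body in server_blocks(conf):
        ssl_on = re.search(r"^\s*ssl\s+on\s*;", body, re.M) is not None
        name = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
        for listen in re.findall(r"^\s*listen\s+([^;]+);", body, re.M):
            args = listen.split()
            port = args[0].rsplit(":", 1)[-1]  # handles 443, 1.2.3.4:443, [::]:443
            if port in tls_ports and "ssl" not in args and not ssl_on:
                findings.append((name.group(1).strip() if name else "", " ".join(args)))
    return findings

# Abbreviated copies of the two configs in the post.
FIRST_ATTEMPT = """
server {
    listen 443 default_server;
    server_name subdomain1.domain.com;
    location / { proxy_pass http://subdomain1.domain.com:1234/; }
}
"""
UPDATE = """
server {
    listen 80;
    server_name subdomain1.domain.com;
}
server {
    listen 443;
    ssl on;
    server_name subdomain1.domain.com;
}
"""

if __name__ == "__main__":
    print("first attempt:", plaintext_tls_listeners(FIRST_ATTEMPT))
    print("update:       ", plaintext_tls_listeners(UPDATE))
```
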
