Using Nginx as a reverse proxy, authentication with Facebook is not working as it should.
My proxy_pass is set to origin.example.com and the main site is at main.example.com.
proxy_pass https://origin.example.com;
proxy_ssl_server_name on;
proxy_set_header Connection "";
proxy_set_header Host origin.example.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Redirection for the Facebook login happens using the Location header, which I want to modify, and I found that it can be done using proxy_redirect. However, I am not getting an idea of how to do that.
I have already used the redirect URI main.example.com in Facebook. And I have already requested another change in the origin app to make this change; however, it's not in our control and I have to manage this by modifying this header value from nginx only.
Specifically, I want to modify this header value
https://www.facebook.com/v3.1/dialog/oauth?client_id=249911186056401&scope=email&response_type=code&redirect_uri=https%3A%2F%2F**origin.example.com**%2Fsignin-facebook&state=CfDJ8FXKlLU-VLlFryQdHqtwILDwFpBxeh1ZlS5hy7drEOaXtmdjBd8T8m4oyy7LvYttb8Ryyb894ZgCUGPINPQX_jWt-s1J2ZwtJirchyAWfsXXtqC69PYLxJNf84fbK_bXLrpd0eFE7Z0LAwq98gp-54lUwv3rZPNLZ4Jw1q3-3yjjFGTgAvJCDSgiTTxvIpY8E-3WlTlNPMfiFv4USoXHfYeKJaQ52EAAMdhA3dlAoALVsUkOl-0lNUjCP4xa4ZKcRuL1wJI1Gbk7Fg7Nyxzgqu4
to
https://www.facebook.com/v3.1/dialog/oauth?client_id=249911186056401&scope=email&response_type=code&redirect_uri=https%3A%2F%2F**main.example.com**%2Fsignin-facebook&state=CfDJ8FXKlLU-VLlFryQdHqtwILDwFpBxeh1ZlS5hy7drEOaXtmdjBd8T8m4oyy7LvYttb8Ryyb894ZgCUGPINPQX_jWt-s1J2ZwtJirchyAWfsXXtqC69PYLxJNf84fbK_bXLrpd0eFE7Z0LAwq98gp-54lUwv3rZPNLZ4Jw1q3-3yjjFGTgAvJCDSgiTTxvIpY8E-3WlTlNPMfiFv4USoXHfYeKJaQ52EAAMdhA3dlAoALVsUkOl-0lNUjCP4xa4ZKcRuL1wJI1Gbk7Fg7Nyxzgqu4
I want to replace all instances of origin.example.com with main.example.com in the Location header.
Here is my server block configuration:
server {
    listen [::]:80;
    listen 80;
    server_name main.example.com;
    return 301 https://www.$host$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name main.example.com;
    proxy_set_header Accept-Encoding "";
    sub_filter_types *;
    sub_filter_once off;
    sub_filter "http:" "https:";
    include https.conf;
}
You should reconfigure the OAuth client in Facebook to use a redirect URI of https://main.example.com. In the actual app, do not send https://origin.example.com when performing the OAuth authorization request, but use this one that Facebook is reconfigured to use. This will ensure that Facebook accepts the request, and will effectively hide the origin server. After login and authorization, Facebook will send the callback response to the NGINX proxy, which it can pass through to the hidden origin server.
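As an added example (not from the original question or answer), the Location rewrite the question asks for, done in the HTTPS server block with a regex proxy_redirect; proxy_cookie_domain is included because the origin's OAuth state cookie has to stay valid for main.example.com as well.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name main.example.com;

    location / {
        proxy_pass https://origin.example.com;
        proxy_ssl_server_name on;
        proxy_http_version 1.1;
        proxy_set_header Host origin.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Rewrite only the URL-encoded redirect_uri host inside the Facebook
        # OAuth Location header; $1 and $2 keep client_id, scope and state intact.
        proxy_redirect ~^(https://www\.facebook\.com/.*redirect_uri=https%3A%2F%2F)origin\.example\.com(.*)$
                       $1main.example.com$2;

        # Plain redirects from the origin to itself are rewritten as well.
        proxy_redirect https://origin.example.com/ https://main.example.com/;

        # Cookies the origin scopes to its own host (e.g. the OAuth state cookie)
        # must be rescoped, or the browser drops them on main.example.com.
        proxy_cookie_domain origin.example.com main.example.com;
    }
}
```

Per OAuth 2.0 (RFC 6749, section 4.1.3) the redirect_uri sent in the code-for-token exchange must be identical to the one used in the authorization request, so if the origin app still sends https://origin.example.com/signin-facebook in that exchange the login fails despite the rewritten header; that is why fixing the URI in the app itself, as the answer says, is the reliable solution.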
I have my REST APIs configured to work over https using nginx (Java APIs deployed in Tomcat, and nginx is configured for DNS mapping). Our testing team has managed to access the APIs using the Burp tool (I assume it allows them to access with SSL verification disabled) and they were able to alter the API response before the client receives it. My nginx server is configured to work on SSL with a proxy forward setup for http to https. How can I block the API requests which have SSL verification disabled, so that I can stop them altering the response? Below is my nginx config.
upstream mlljava {
    server 172.31.5.222:8090;
}
server {
    listen 443 ssl;
    server_name mllwebapi.xyz.in www.mllwebapi.xyz.in;
    underscores_in_headers on;
    client_max_body_size 10M;
    ssl_protocols TLSv1.3;
    ssl_certificate /home/ubuntu/175e9.crt;
    ssl_certificate_key /home/ubuntu/key.key;
    location / {
        proxy_pass http://mlljava/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $remote_addr;
        proxy_pass_request_headers on;
    }
}
Does adding this to the server configuration help?
# force https-redirects
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}
I am a newb and I installed JupyterHub with an nginx reverse proxy on my Ubuntu 18.04 server. I built my own root CA and a self-signed certificate with openssl. HTTPS connections work very well if my root CA is installed on my other computers. I want to block access for the computers which don't have my root CA.
The file /etc/nginx/nginx.conf is untouched and my config file /etc/nginx/sites-available/jupyter.conf is:
# top-level http config for websocket headers
# If Upgrade is defined, Connection = upgrade
# If Upgrade is empty, Connection = close
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# HTTP server to redirect all 80 traffic to SSL/HTTPS
server {
    listen 80;
    server_name 192.168.4.70 mlserver.net localhost;
    # Tell all requests to port 80 to be 302 redirected to HTTPS
    return 302 https://$host$request_uri;
}
# HTTPS server to handle JupyterHub
server {
    listen 443;
    ssl on;
    server_name 192.168.4.70 mlserver.net localhost;
    ssl_certificate /etc/ssl/certs/mlserver.net.crt;
    ssl_certificate_key /etc/ssl/private/mlserver.net.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    #ssl_stapling on;
    # Managing literal requests to the JupyterHub front end
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # websocket headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Scheme $scheme;
        proxy_buffering off;
    }
}
How can I edit this file to block access for computers which don't have the certificate?
What nginx directive should I add?
Thanks.
I want to block access for the computers who don't have my rootCA.
This is not possible. The server has no information about whether the client has successfully validated the server certificate (i.e. clients which have the root CA) or whether a client simply skipped certificate validation (clients which don't have the root CA).
One could try to add an HSTS header so that browsers will not simply allow ignoring certificate problems. But this can also be bypassed on the client side without the server noticing; it just makes it a bit harder.
If you want to control who can access the notebook, you would need proper authentication of the clients instead. Knowledge of the root CA is not client authentication.
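As an added example (not from the original answer), the client authentication the answer points to, done in nginx itself with TLS client certificates issued by the same private root CA: each permitted computer gets its own certificate and key, and a handshake without a valid one is rejected before any request reaches JupyterHub. The CA certificate path is an assumption.

```nginx
server {
    listen 443 ssl;
    server_name 192.168.4.70 mlserver.net localhost;

    ssl_certificate     /etc/ssl/certs/mlserver.net.crt;
    ssl_certificate_key /etc/ssl/private/mlserver.net.key;

    # PEM file with the private root CA that issued the client certificates
    # (path is an assumption; use your own CA certificate).
    ssl_client_certificate /etc/ssl/certs/my-root-ca.crt;
    # Reject the TLS handshake unless the client presents a certificate
    # chaining to that CA; "optional" would let the application decide instead.
    ssl_verify_client on;
    # Client certificates must be issued directly by the root CA.
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hand the verified identity to the application for logging or user mapping.
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```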
Having the following setup: NGINX (Port 443) > Jetty (Port 9090) > Spring Controller
To simplify the problem I use the following files:
/main.html containing an iframe calling the Spring controller /test
Spring controller /test doing return "redirect:/iframe.html";
/iframe.html with simple text saying "This is IFrame"
With HTTP there is no problem, but after switching the NGINX configuration to HTTPS I get the following error in the browser and the iframe is not displayed:
main.html:7 Mixed Content: The page at 'https://dev/main.html'
was loaded over HTTPS, but requested an insecure frame
'http://dev/iframe.html'. This request has been blocked; the
content must be served over HTTPS.
So the controller redirects to http instead of https. This is my NGINX configuration, which from my understanding should let Jetty/the controller know that it is running on https:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dev;
    ssl on;
    ssl_certificate ...;
    ssl_certificate_key ...;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_ssl_name $host;
        proxy_ssl_server_name on;
        proxy_pass http://127.0.0.1:9090;
    }
}
You need to do a few things ...
On the nginx side, use the standard Forwarded header from RFC 7239, not the X-Forwarded-* headers. This is because the X-Forwarded-* headers are not a standard and conflict in meaning across their usage. (In your example, you made the port separate, which now conflicts with the "host", "proto", and "for" usages for the port as well.)
On the Jetty side, enable the ForwardedRequestCustomizer. This will look for the various Forwarding headers and update the request's authority, protocol, and "is secure" flags appropriately.
On the Jetty side, configure HttpConfiguration.securePort to be the port for your SSL/TLS on your nginx, not the port that Jetty itself uses.
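An added example (not from the original answer) of the nginx side of that advice: a single RFC 7239 Forwarded header built from nginx variables, with the X-Forwarded-* headers cleared so that values a client sends in its own request cannot reach Jetty. Certificate paths are placeholders.

```nginx
# RFC 7239 requires IPv6 node identifiers to be bracketed and quoted,
# so build the "for=" parameter per address family.
map $remote_addr $forwarded_for {
    ~^\d+\.\d+\.\d+\.\d+$   "for=$remote_addr";
    ~:                      "for=\"[$remote_addr]\"";
    default                 "for=unknown";
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dev;
    ssl_certificate     /path/to/dev.crt;   # placeholder
    ssl_certificate_key /path/to/dev.key;   # placeholder

    location / {
        proxy_set_header Host $host;
        # One header carrying client address, original scheme and Host;
        # Jetty's ForwardedRequestCustomizer uses it to rebuild the request URI.
        proxy_set_header Forwarded "$forwarded_for;proto=$scheme;host=$host";
        # An empty value makes nginx drop the header entirely, so X-Forwarded-*
        # headers supplied by the client never reach Jetty and cannot conflict.
        proxy_set_header X-Forwarded-For   "";
        proxy_set_header X-Forwarded-Proto "";
        proxy_set_header X-Forwarded-Host  "";
        proxy_set_header X-Forwarded-Port  "";
        proxy_pass http://127.0.0.1:9090;
    }
}
```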
I have to set custom headers for outgoing requests using the nginx proxy, so I started by trying the add_header and proxy_set_header directives in the conf file (snippet below), but in the outgoing request these headers were not being added using either of them. Please suggest an approach to solve this problem.
server {
    listen 8095;
    access_log logs/host.access.log;
    location / {
        proxy_pass https://www.dummy-site.com/applications/1232;
        proxy_set_header Authorization "some_authorisation";
        proxy_set_header referer "referer";
        proxy_pass_request_headers on;
    }
}
I'm setting up a web/app/db stack, and the nginx proxy configuration isn't working the way I thought it would.
So here is an example of the stack... the URL of the application is:
https://testapp.com
Here is the nginx config:
server {
    listen 8886;
    server_name _;
    root /usr/share/nginx/html;
    include /etc/nginx/default.d/*.conf;
    #ELB
    if ($http_user_agent = 'ELB-HealthChecker/2.0') {
        return 200 working;
    }
    #HTTP to HTTPS
    if ($http_x_forwarded_proto != 'https') {
        return 301 https://$host$request_uri;
    }
    location / {
        set $proxy_upstream_name "testapp.com";
        port_in_redirect off;
        proxy_pass http://internal-alb.amazonaws.com:8083/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header Access-Control-Allow-Origin $http_origin;
    }
}
The app is proxied to an internal AWS alb, and it forwards it to a single (at this point) application server.
I'm able to get the site to serve. However, the application creates a redirect on login, and I get the following response.
Request URL:https://testapp.com/login
Request Method:POST
Status Code:302
Remote Address:34.192.444.29:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
content-language:en-US
content-length:0
date:Mon, 11 Sep 2017 18:35:34 GMT
location:http://testapp.com:8083/testCode
server:openresty/1.11.2.5
status:302
The redirect fails because it's being served on 443, not 8083.
For some reason the app or the proxy isn't updating the port as it does its reverse proxy thing, so the redirect has the proxied port, NOT the actual application port 443.
What do I need to do with the nginx config to get it to redirect correctly?
thanks.
myles.
The normal behaviour of nginx is to rewrite the upstream address to the address the page was served from. It looks like instead of using your upstream address (http://internal-alb.amazonaws.com:8083/), your app is responding using a mixture of the two (http://testapp.com:8083). You can either change the app behaviour or, to fix it at the nginx level, use the proxy_redirect directive.
I'm reasonably sure the directive to fix this is proxy_redirect http://testapp.com:8083/ https://testapp.com/;
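The answer's fix in place, as an added example (not from the original post): the posted location block also contains proxy_redirect off;, which disables all Location rewriting in that block, so the explicit directive has to replace it rather than sit beside it.

```nginx
location / {
    set $proxy_upstream_name "testapp.com";
    port_in_redirect off;
    proxy_pass http://internal-alb.amazonaws.com:8083/;

    # Replaces the former "proxy_redirect off;": rewrite the Location header the
    # app sends back (http://testapp.com:8083/...) to the public HTTPS origin.
    # Only Location values starting with the first argument are touched.
    proxy_redirect http://testapp.com:8083/ https://testapp.com/;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
}
```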