Nginx redirect with and without port - nginx

we have 2 environments (test and prod) both with nginx.
To access test we use directly the host name: https://myhost:29000
To access prod we have an external LoadBalancer: https://mysite that redirects to https://myprodhost1:29000 and https://myprodhost2:29000
We have the following nginx configuration
location / {
try_files $uri $uri/ =404;
}
location /error-page {
port_in_redirect off;
return 301 /;
}
the /error-page is handled on client side (by React), therefore it does not exists in the backend.
What we want to achieve is: if a user navigate to the error-page and press F5 it should be redirected to / (root)
The problems is that the previous configuration works for prod since the port 29000 will be omitted.
For test it is not working since we need the port:29000
I tried several configuration but I didn't succeeded.

I solved it just using:
absolute_redirect off;

Related

Prevent NGINX from serving local index.html instead of passing to proxied server

Found other similar questions, but none seem to work in my circumstance.
I am attempting to proxy from NGINX to an IIS server which is hosting an archived website in its entirety. The site is coded with some hard index.html links and I don't want to go in and modify the site at all.
Any time the site is called with the /index.html in the URL directly it appears that NGINX is not proxying the location, but instead serving out a local index.html page.
Additionally, I am trying to default instead of to the index.html page when no page is entered (i.e. domain only) instead to pass to a default.htm page (set as default in IIS) which provides a disclaimer page that will require reading before continuing on to the original index.html of the website.
This is my nginx configuration file for the site. I do not want to change my overall structure around because it is what multiple sites use. I need a solution that I can add in.
upstream my_backend {
server 10.10.10.102:1011;
include snippets/shared_upstream_settings.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name server.mydomain.com;
include snippets/shared_server_proxy_settings.conf;
location #proxy {
proxy_pass http://my_backend;
}
location / {
satisfy any;
allow 10.16.0.0/24;
deny all;
auth_basic "Authorized Users Only";
auth_basic_user_file secure/.htpasswd;
auth_request /auth-1;
try_files $uri #proxy;
}
(I don't believe any of the includes should matter for this particular issue)
This configuration works for about 15 other sites I have, but none of them apparently have a hardcoded index.html. Until today I never realized that NGINX will not proxy a direct link to index.html. So I need to either disable or work around that "feature" as well as direct no indicated pages to the disclaimer page.
thanks
The $uri argument in your try_files statement instructs Nginx to test for the existence of a file before branching to the #proxy block. There exists a local index.html file that satisfies that test.
You have two options:
Replace the try_files $uri #proxy; line with proxy_pass http://my_backend; as there is no need for a separate location #proxy block.
Or:
If you want to keep the second location block, change the try_files statement to:
try_files __nonexistent__ #proxy;
try_files requires a minimum of two arguments. All arguments before the final argument are filenames to be tested. __nonexistent__ is just one such name that probably does not exist on your file system (and also helps to document the author's intent).

Nginx: protect all but one url

I have try a few examples but all return almost the same, I want to password protect everything after .com/, problem is there are no "static" files, the server is Tomcat with nginx, the app is build on play framework.
The whole idea is that everything has to be password protected except for one url.
.com/service/contact {has to be protected}
.com/categories/service/contact {protected}
.com/service/jp/ {protected}
.com/service/jp/allo {Public not protected}
server {
...
auth_basic "Restricted Access"
auth_basic_user_file path_to_basic/password_protection
location ~^/service/jp/allo/ {
auth_basic off;
allow all;
satisfy all;
try_files $uri $uri/ =404;
}
}
With that the first part is working which is to protect everything, but not the second part which to leave one url as public, in my case is returning a 404 error, not a custom 404 but an internal default 404.The url's are "virtal" no actual folder exist, the server is using rewrite for seo url.

Securing phpMyAdmin by whitelisting IPs and changing alias

I’m trying to figure out the best way of securing access to my MariaDB database. I have a root non-wordpress site with 2 wordpress sites as directories (/blog and /shop) - each with separate databases - that use phpMyAdmin as a database viewer (accessible at /phpmyadmin). I want to increase the security so that it can’t be hacked so easily. However, I can’t seem to implement any of the recommended security measures.
Creating a .htaccess and in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Changing the phpMyAdmin url via the config file (so it’s not accessible at /phpmyadmin) also seems to have no effect.
I’m assuming that it’s because apache is not running (I use Nginx to run my main domain and the 2 wordpress sites). I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80), but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
Here’s my .conf file in /etc/nginx/sites-available (also symlinked to sites-enabled):
upstream wp-php-handler-four {
server unix:/var/run/php/php7.4-fpm.sock;
}
server {
listen 1234 default_server;
listen [::]:1234 default_server;
root /var/www/site;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /blog {
try_files $uri $uri/ /blog/index.php?$args;
}
location /shop {
try_files $uri $uri/ /shop/index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass wp-php-handler-four;
}
}
I followed a tutorial to set this up (maybe I’m misunderstanding how it’s fully set up) but is this not actually using apache to access /phpmyadmin or is it using some web socket? How can I make the above security attempts work?
Note: the /usr/share/phpmyadmin/ dir is symlinked to /var/www/site/
Creating a .htaccess in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Of course it won't have any effect since this file processed only by apache.
I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80)
In an early days of nginx there was a technique to use nginx for static files and apache to process PHP scripts. Apache was running on some other port (for example, 8080) and listening only on local IP (127.0.0.1). Nginx configuration for that was looking like
upstream apache {
server 127.0.0.1:8080;
}
server {
...
location ~ \.php$ {
proxy_pass http://apache;
}
}
Nowadays it is rarely used since using PHP-FPM is more flexible and gives a less server overhead. However it can be used when you have a complex .htaccess configuration and don't want to rewrite it for nginx/PHP-FPM.
but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
...
Is this not actually using apache to access /phpmyadmin or is it using some web socket?
This configuration uses UNIX socket /var/run/php/php7.4-fpm.sock where PHP-FPM daemon is listening for requests (you can read an introduction to this article to get some additional details).
How can I make the above security attempts work?
One of many possible solutions is
Unlink /usr/share/phpmyadmin/ from /var/www/site/
Use the following location block (put it before the location ~ \.php$ { ... } one:
location ~ ^/phpmyadmin(?<subpath>/.*)? {
allow 12.34.56.78;
# add other IPs here
deny all;
alias /usr/share/phpmyadmin/;
index index.php;
try_files $subpath $subpath/ =404;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$subpath;
fastcgi_pass wp-php-handler-four;
}
}
To add to the otherwise quite thorough answer:
Since Nginx doesn't use .htaccess files or the same syntax as Apache, you aren't being restricted as Apache would do. You may wish to find some other solution, or you could use what's built in to phpMyAdmin: there is a allow/deny functionality built in that you can learn about in the documentation: https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_order (and https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules); this will let you restrict access based on username and IP address.

Nginx reverse proxy return 502

I'm very new to nginx and server game and i'm trying to setup a reverse proxy. Basically what i need is when i enter my server ip it should open a particular website (Ex: https://example.com).
So for example if i enter my ip (Ex: 45.10.127.942) it should open the website example.com , but the url should remain as http://45.10.127.942.
I tried to set my server configuration as follows but it returns a 502 error.
server {
listen 80;
location / {
proxy_pass http://example.com;
}
}
It returns a 502 error. Can you please explain what i need to do?
You can have something like this in your configuration file:
server {
root /var/www/html;
server_name _;
location / {
try_files $uri $uri/ /index.html;
}
}
Place the index.html file in root folder specified.
Then just restart the NGINX and it should work.
What is the problem with your configuration file is you should not proxy_pass.
If you want to open the other website, you should have DNS record pointing to that IP. What actually happens is the thing you are trying to do is known as CLICKJACKING. For more details, search CLICKJACKING on google and you will find a lot of references.

Nginx - how to proxy_pass particular url to a different host while keeping context?

I have a fairly simple nginx conf for a front-end and backend application:
server {
listen 8080;
server_name nginx_server;
port_in_redirect off;
location / {
root /dir/html;
index index.html index.htm;
}
location /api/ {
proxy_pass http://my-api:8080/;
}
}
My main host is https and this works fine. When I hit https://myapp.com/api/a/b/c, my backend receives /a/b/c, which is what I want.
Now, I want to send the requests to a particular /api context to a different server:
location /api/a/b {
rewrite /api/(.*) /$1 break;
proxy_pass http://another-api:8080;
}
So now, if I hit https://myapp.com/api/a/b?param=1 I want to hit http://another-api:8080/a/b?param=1 and also https://myapp.com/api/a/b/c/d should hit http://another-api:8080/a/b/c/d
This is working when I test using Postman, but for some reason, in Chrome, when my frontend app tries to hit https://myapp.com/api/a/b/c/d I get a console error: (blocked:mixed-content)
How can I fix this?

Resources