Nginx - location block misconfigured? - nginx

I have a location block inside of my sites-enabled example.conf that should be routing /testing to a 503 error html page but instead for some reason its hitting my app instead of nginx
[2020-06-30T20:36:13.821768 #6059] FATAL -- : [fc9cb972-f314-4a87-89d9-8334521767b3] ActionController::RoutingError (No route matches [GET] "/testing"):
that is a log line from my actual rails app - why is it even getting this far vs nginx routing to where I thought I told it to???
my nginx .conf
server { listen 443 ssl;
server_name status.* www.status.*;
# SSL
ssl_certificate_key /etc/nginx/ssl/server_example.com.key;
# logging
access_log /var/log/nginx/status.access.log;
error_log /var/log/nginx/status.error.log;
# security
include security.conf;
# reverse proxy
location / {
if (-f /opt/staytus/staytus/maint.on) {
return 503;
}
port_in_redirect off;
proxy_pass http://example.com:8787/;
}
error_page 503 #maintenance;
location #maintenance {
root /usr/share/nginx/html
rewrite ^(.*)$ /Performing-Maintenace.html;
}
location = /testing/ {
return 500;
}
}
server {
listen 80;
server_name www.status.* status.* 11.22.123.456;
root /opt/staytus/staytus/public;
client_max_body_size 50M;
# SSL
ssl_certificate_key /etc/nginx/ssl/example.com.key;
port_in_redirect off;
return 301 https://example.com$request_uri;
location #puma {
proxy_intercept_errors on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://example.com:8787;
}
}

Related

the redirect from http to https does not work in nginx

I am trying to redirect all the http traffic to https and my nginx conf looks like this:
upstream upstreamServer {
server upstream_serv:80;
}
server {
listen 80;
server_name ~^(([a-zA-Z0-9]+)|)test\.xy\.abc\.io$ ;
access_log /var/log/nginx/access.log backend;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name ~^(([a-zA-Z0-9]+)|)test\.xy\.abc\.io$ ;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /path/to/cert_chain.pem;
ssl_certificate_key /path/to/cert_key.pem;
ssl_trusted_certificate /path/to/cert_chain.pem;
access_log /var/log/nginx/access.log backend;
# Redirect all traffic in /.well-known/ to lets encrypt
location /.well-known/acme-challenge/ {
root /var/tmp;
index index.html index.htm;
}
location / {
proxy_pass http://upstreamServer;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_buffering off;
if ($uri ~* ".(js|png|jpg|jpeg|svg|gif|avi|mp3|mp4)$" ){
expires 1d;
add_header Cache-Control public;
}
proxy_pass_request_headers on;
}
}
But for some reason it doesn't work. I read about how the nginx chooses the server block and location block. The setup looks correct to me according to what I understand but still the site keeps loading on http when I hit the url http://test.xy.abc.io instead of redirecting me to https.
I also tried using only
return 301 https://$host$request_uri;
instead of
location / {
return 301 https://$host$request_uri;
}
but it doesn't work either.
Did I get right that your page is still loading the unencrypted http version? Did you reaload the service to load the changed config file? (sorry to ask that stupid question back)
nginx -t && nginx -s reload
I personally use in all nginx instances I maintain something like this:
server {
listen 80 default_server;
# no server_name means all
# For let's encrypt domains: .well-known/acme-challenge
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
# Redirect http -> https.
location / {
return 301 https://$host$request_uri$is_args$args;
}
}
The problem was there is a GCP loadbalancer before my nginx proxy. Which was forwarding all the requests on https to my nginx proxy no matter if the orignal reuquest was http or https. After searching the internet I found that loadbalancer can not force https on clients. So this what I had to do in my nginx location block.
if ($http_x_forwarded_proto = http) {
return 301 https://$host$request_uri;
}
and the complete solution looks like this:
server {
listen 80;
listen 443 ssl;
server_name ~^(([a-zA-Z0-9]+)|)test\.xy\.abc\.io$ ;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /path/to/cert_chain.pem;
ssl_certificate_key /path/to/cert_key.pem;
ssl_trusted_certificate /path/to/cert_chain.pem;
access_log /var/log/nginx/access.log backend;
# Redirect all traffic in /.well-known/ to lets encrypt
location /.well-known/acme-challenge/ {
root /var/tmp;
index index.html index.htm;
}
location / {
if ($http_x_forwarded_proto = http) {
return 301 https://$host$request_uri;
}
proxy_pass http://upstreamServer;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_buffering off;
if ($uri ~* ".(js|png|jpg|jpeg|svg|gif|avi|mp3|mp4)$" ){
expires 1d;
add_header Cache-Control public;
}
proxy_pass_request_headers on;
}
}

Nginx configuratie redirect http to https for only one domain

In the beginning of my Nginx .conf file I have added the following redirect:
server {
listen 80;
listen [::]:80;
server_name *.a-domain.nl;
return 301 https://$host$request_uri;
}
server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
listen 443;
listen [::]:443 ipv6only=on;
server_name *.a-domain.nl;
ssl on;
ssl_certificate /etc/ssl/b-domain.crt;
ssl_certificate_key /etc/ssl/b-domain.key;
location ~* \.(ogg|ogv|svgz|mp4|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|html|txt|htm)$ {
root /var/www/html/mtcore/web;
try_files $uri $uri/ $uri.html =404;
}
location / {
proxy_pass http://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
}
server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
listen 80;
listen [::]:80 ipv6only=on;
server_name _;
location ~* \.(ogg|ogv|svgz|mp4|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|html|txt|htm)$ {
root /var/www/html/mtcore/web;
try_files $uri $uri/ $uri.html =404;
}
location / {
proxy_pass http://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
}
Only when I open in an browser the following domain www.b-domain.nl that is served on the same server, the Nginx also redirects it to https. I would expect that Nginx only redirects www.a-domain.nl?
The first server block is the implicit default server for port 80, so it gets to process all http requests irrespective of server name. The third server block would only match the server name _, which is either illegal or unlikely.
To make another server block the default, use default_server option on the listen directive.
See this document for more.

nginx proxy_pass static assets

I have the following nginx configuration
rewrite_log on;
server {
server_name greymarmita.no-ip.org;
listen 80;
rewrite ^(.*) https://$host$1 permanent;
}
server {
server_name greymarmita.no-ip.org;
listen 443 ssl;
error_log /var/log/nginx/main.error;
access_log /var/log/nginx/main.access;
ssl on;
ssl_certificate /etc/ssl/localcerts/autosigned.crt;
ssl_certificate_key /etc/ssl/localcerts/autosigned.key;
root /srv/www;
index index.html /index.html;
location /rasp/ {
proxy_pass http://192.168.2.6:81/;
}
location /cam/ {
proxy_pass http://192.168.2.4:8081;
}
location ^~ /router/ {
proxy_pass http://192.168.2.1/;
}
location /nas/ {
proxy_pass http://192.168.2.13/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
However when I try to access http://192.168.2.6/nas although the html files are served correctly, files under /web/ are not
GET https://greymarmita.no-ip.org/web/images/login.png 404 (Not Found)
The correct path for these assets should be https://greymarmita.no-ip.org/nas/web/images/login.png
You don't have a location to match that file, try adding this
location / {
try_files $uri $uri/;
}

nginx try_files from proxy'd app, then nginx

I'm attempting to have nginx reverse proxy static files from an application if the application is serving them, else serve them itself. Currently, I have this configuration:
upstream app_server {
server unix:/tmp/gunicorn.sock fail_timeout=0;
}
server {
listen 8080;
server_name example.com;
access_log /var/log/nginx.access.log;
error_log /var/log/nginx.error.log;
keepalive_timeout 5;
location /static {
try_files $uri #proxy_to_app;
alias /path/to/__static;
sendfile off;
}
location / {
try_files $uri #proxy_to_app;
}
location #proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
}
This works if the files don't exist in /path/to/__static; it sends the request to the application server. However, if the files also exist in /path/to/__static, nginx serves the files itself.
Reversing the try_files line (try_files #proxy_to_app $uri) fails in both cases. If the client requests /static/css/test.css, the application receives a request for /css/test.css, and it never seems to try /path/to/__static even though the application returns a 404.
Updated to include full configuration.
location /static/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
proxy_intercept_errors on;
error_page 404 =200 /local$uri;
}
location /local/static/ {
internal;
alias /path/to/__static/;
}

configure subdomain nginx with unicorn

I am using nginx + unicorn in linode.
This is my nginx.conf
upstream unicorn {
server unix:/tmp/unicorn.mydomain.sock fail_timeout=0;
}
server {
listen 80 default;
server_name mydomain.com;
keepalive_timeout 5;
root /home/hyperrjas/mydomain.com/current/public;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# this is required for HTTPS:
# proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
location ~ ^/(assets)/ {
root /home/hyperrjas/mydomain.com/current/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}
error_page 500 502 503 504 /500.html;
}
I want to add 4 subdomains:
imagescdn1.mydomain.com
imagescdn2.mydomain.com
imagescdn3.mydomain.com
imagescdn4.mydomain.com
How can I do it?
You should use regex for server_name directive, i.e. something like this:
server {
server_name mydomain.com ~^imagescdn\d+\.mydomain\.com$;
}
Refer to original documentation here and here for more information.

Resources