Foreword
In the main body of the question, the problem is described incorrectly. The correct explanation is described in the UPDATE block. Old text saved for history.
My project consists of two parts: backend and frontend. The following locations are responsible for redirecting requests:
location / {
root /opt/site/;
try_files $uri $uri/ /index.html;
}
location /adminpanel {
proxy_pass http://192.168.1.4:4567;
}
location /api {
proxy_pass http://192.168.1.4:4567;
}
The challenge is to redirect users to url /auth if there is no user login in the $remote_user header.
I tried to make the following construction:
in http I added:
map $remote_user $var {
default 0;
"" 1;
}
And in location / added:
if ($var) {
return 301 http://$server_name/auth;
}
When I try to enter the site, I get an error in my browser:
ERR_TOO_MANY_REDIRECTS
How do I fix my configuration file?
Thanks in advance!!!
UPDATE
My task is to configure Kerberos authentication on nginx. The backend is django. The idea is that when a request is made to api, nginx should perform kerberos authentication. But in case the user is not in the domain, then a redirect to the /auth authorization page must occur, so that the user can authenticate under an account that is registered in django CMS.
Authentication of domain users is successful. But there is a problem with non-domain users. When you open a site page that makes an api call, a basic authentication window appears. I use the auth_gss_allow_basic_fallback off directive, but this does not help.
How can I disable this and configure redirection to /auth?
My configuration file (I do not specify settings such as gzip, headers, etc.):
server {
listen 80;
server_name srv-01.example.com;
proxy_set_header remote-user $remote_user;
location / {
root /opt/site/;
try_files $uri $uri/ /index.html;
}
location /adminpanel {
proxy_pass http://192.168.1.4:4567;
}
location /api {
proxy_pass http://192.168.1.4:4567;
auth_gss on;
auth_gss_realm EXAMPLE.COM;
auth_gss_keytab /etc/krb5.keytab;
auth_gss_service_name HTTP/srv-01.example.com;
auth_gss_allow_basic_fallback off;
}}
Related
I want to serve a WordPress application from https://example.com/blog. The issue is that https://example.com is hosted on another instance and I am redirecting /blog to other instance. The server I am using is Nginx. This is my Nginx configuration.
server {
server_name example.com;
location / {
try_files $uri $uri /index.html;
}
location ^~ /blog {
proxy_pass http://<IP>/blog;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
allow <IP>;
}
}
As the /blog is running on other instance it is giving me Mixed-content errors because the proxy is passed to http:IP and it is loaded over https. Please help me solveing this issue.
$_SERVER['HTTPS'] needs to be set to on in case you're accessing it through proxy_pass and deliver it via HTTPS. Otherwise, WordPress knows it's forwarded, but cannot check whether it's delivered via HTTP or HTTPS to the outside. Add these lines to your wp-config.php file:
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$_SERVER['HTTPS'] = 'on';
}
Please note that if there are multiple proxies and one of those doesn't serve HTTPS, you have to make that condition based on what HTTP_X_FORWARDED_FOR actually contains. For now, we're only checking if it's non-empty and by that we assume it's supposed to be HTTPS.
My nginx config file goes following:
server {
location /mysite {
auth_request /authVerify;
proxy_pass http://localhost:4200;
error_page 401 = /login;
}
location /authVerify {
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_pass http://localhost:3000;
}
location /login {
proxy_cookie_path / "/; HttpOnly";
proxy_pass http://localhost:3000;
}
location / {
root html;
index index.html index.htm;
}
}
log related configs use the default settings.
the auth_request configration works. But when I send request to /mysite, there is only logging of it in access log, there is no logging of /authVerify although it actually proxy through this locatoin. If I send request to /authVerify directly, there will be loggings as well.
So in the redirect cases how to produce logs for all the locations the request running through?
Update
Based on the comment, I set log_subrequest as on in http block level. After this change, the logs of internal rediect was produced, but the log of original mysite location disappear.
Currently after I send one request to /mysite, the log is as following:
I found the following explanation on nginx doc:
Requests are logged in the context of a location where processing ends. It may be different from the original location, if an internal redirect happens during request processing.
http://nginx.org/en/docs/http/ngx_http_log_module.html
Is that because of that? Any more methods to log the request's entire flow?
Have you tried enabling log_subrequest?
log_subrequest
Context: http, server, and location
Enables or disables logging of sub-requests triggered by internal redirects or SSI requests.
Syntax: on or off
Default value: off
I am new to nginx. I try to learn using search www and stackoverflow. Mostly I get help to understand how to build my nginx configuration.
I have my domain as www.mysite.com. Everything; landing page, the error and server error must be redirect to default index.html. I also define my access and error log. All this done (below code) inside the /etc/nginx/conf.d/default.conf.
I need to redirect (proxy_pass) /admin, /user and anything related to them. Example the /admin has also different folder like /admin/login/. I need to everything after /admin must be redirected. The same goes also for the /user as well.
1) Looking at my code am I redirect the location /admin and location /user correctly?
2) I also use try_files $uri $uri/ =404; in redirection. which also redirects the 404 to default index.html. Am I doing right?
3) I am also denying access to some file and folder. Am I doing right?
My main question is How to correct my nginx configuration if it is wrong? So to understand the correct nginx configuration I divide my question to 3 different question above. I hope I didnt brake stackoverflow how to ask question guidelines.
Thank you.
UPDATE:
server {
charset UTF-8;
listen 80;
listen [::]:80;
server_name www.mysite.com;
access_log /var/log/nginx/host.access.log main;
error_log /var/log/nginx/host.error.log main;
# define a root location variable and assign a value
set $rootLocation /usr/share/nginx/html;
# define www.mysite.com landing page to the static index.html page
location / {
root rootLocation;
index index.html index.htm;
}
# define error page to the static index.html page
error_page 404 /index.html;
location = /index.html {
root rootLocation;
internal;
}
# redirect server error pages to the static index.html page
error_page 500 502 503 504 /index.html;
location = /index.html {
root rootLocation;
internal;
}
# redirect www.mysite.com/admin to localhost
# /admin or /admin/ or /admin/**** must be redirect to localhost
location /admin {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:3000";
}
# redirect www.mysite.com/user to localhost
# /user or /user/ or /user/**** must be redirect to localhost
location /user {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:3001";
}
}
It is usual to place the root statement once in the server block, rather than repeat the same value in multiple location blocks.
You are using proxy_pass to change the URI before passing it upstream. In this case, the location value and the URI part of the proxy_pass value should either both end with / or neither end with /. See this document for details.
Usually you do not want to place try_files and proxy_pass in the same location. This causes Nginx to check for the existence of the file in its document root before allowing the request to pass upstream.
You should not need to deny access to the configuration files, as these file should not be within the document root in the first place.
I have created a directory call library, that requires authentication to access. Upon completing authentication I would like to list all files in library for the user. I have tried autoindex to no avail, and most material I am finding doesn't cover whether or not the authentication will affect anything.
Would appreciate any help, thanks.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm index.php;
# Make site accessible from http://localhost/
server_name localhost;
location / {
# First attempt to serve request as file, then as
# directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location include
# /etc/nginx/naxsi.rules
}
location /website {
}
location /library {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}
Your location /library block will impose the requirement of basic authentication and serve the same static files in /usr/share/nginx/html/library to all users who can successfully authenticate. In short, all users who successfully auth will see the same files in your current config.
To serve different static files to different users, consider that Basic authentication will set the $remote_user variable (see docs) which you can utilise to make your configuration dynamic.
For instance, if you wanted to serve a different folder for each user ID (at the same /library URL), you'd use a block like:
location /library {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
alias /usr/share/nginx/html/$remote_user/;
}
assuming your folders are named with the ID of your users and located at that path.
If a user fails the basic auth, they'll be shown a 403 Forbidden error, which you can handle using the error_page directive to show something more useful than just a basic error. Likewise, if a user can successfully auth and a corresponding folder doesn't exist, they'll see a 404, which you could again handle with an error_page directive.
I'm using the upstream module for balancing my site. For some reason i have to redirect some requests to a specified server.
So in short: i want to redirect domain.com to a specified server, domain.com/anything can be served by the upstream module. So if theres only the domain in the request and nothing else.
location [here_something_i_dont_know]/ {
proxy_pass http://0.0.0.0:9000/;
access_log off;
}
Thanks for ur help!
location = / {
proxy_pass http://0.0.0.0:9000/;
access_log off;
}
location / {
proxy_pass http://another_upstream;
access_log off;
}