This is my current Nginx server block:
server {
    listen 80;
    server_name ~^(?<tenant>.+)\.mysalon\.test$;
    gzip on;
    gzip_types text/plain application/xml text/css application/javascript;
    gzip_min_length 1000;
    location / {
        expires $expires;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header x-Tenant $tenant;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1m;
        proxy_connect_timeout 1m;
        proxy_pass http://127.0.0.1:3000/subdomain/;
    }
}
It's a reverse proxy for {tenant}.mysalon.test to http://127.0.0.1:3000/subdomain/.
The issue:
It works correctly, but it returns 404s for everything within {tenant}.mysalon.test/_nuxt/. That's because /_nuxt does not live in the /subdomain/ directory, but in the parent http://127.0.0.1:3000/.
So I added the following:
location ^~ /_nuxt/ {
    proxy_pass http://127.0.0.1:3000/_nuxt/;
}
So that even on the subdomains, it can access /_nuxt.
However, this new location block makes the first location block inactive for some reason.
When visiting {tenant}.mysalon.test it returns http://127.0.0.1:3000 instead of http://127.0.0.1:3000/subdomain/.
I can't tell you why your second location block breaks the workflow; I didn't see any problems with this config. But you can try to use a single location block and append the /subdomain prefix to the requested URI inside this block if the requested URI doesn't start with /_nuxt/:
location / {
    expires $expires;
    rewrite ^(?!/_nuxt)(/.*) /subdomain$1 break;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header x-Tenant $tenant;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 1m;
    proxy_connect_timeout 1m;
    proxy_pass http://127.0.0.1:3000;
}
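To compare the single-block rewrite with the original two-location layout, the following added Python sketch (not code from the question or the answer) computes the upstream path each would produce. REWRITE_WITH_SLASH and the sample paths are assumptions introduced here; the model ignores nginx's automatic 301 for a slash-less request to a slash-terminated prefix location.

```python
import re

# The answer's rewrite rule, and an assumed variant anchored on the trailing slash.
REWRITE_FROM_ANSWER = re.compile(r"^(?!/_nuxt)(/.*)")
REWRITE_WITH_SLASH = re.compile(r"^(?!/_nuxt/)(/.*)")

# The question's two-block layout: location prefix -> URI part of proxy_pass.
TWO_BLOCKS = {"/": "/subdomain/", "/_nuxt/": "/_nuxt/"}


def via_two_blocks(path):
    """Upstream path when proxy_pass carries a URI part.

    nginx picks the longest matching prefix location and replaces that
    prefix of the request path with the URI given in proxy_pass.
    """
    prefix = max((p for p in TWO_BLOCKS if path.startswith(p)), key=len)
    return TWO_BLOCKS[prefix] + path[len(prefix):]


def via_rewrite(path, rule=REWRITE_FROM_ANSWER):
    """Upstream path for the single block: rewrite ... break, followed by a
    proxy_pass without a URI part, which forwards the rewritten path."""
    m = rule.match(path)
    return "/subdomain" + m.group(1) if m else path


def differing_paths(paths, rule=REWRITE_FROM_ANSWER):
    """Paths that the two layouts would send to different upstream URIs."""
    return [p for p in paths if via_two_blocks(p) != via_rewrite(p, rule)]


# Constructed request paths, not taken from the original posts.
SAMPLE_PATHS = ["/", "/book/42", "/_nuxt/app.js", "/_nuxt-old/x.js"]
```

The lookahead in the answer's rule tests for /_nuxt without the trailing slash, so a path such as /_nuxt-old/x.js bypasses the /subdomain prefix, while the two-location layout would have kept it under /subdomain/.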
All zammad functionality is working fine except for login/signup with Microsoft
Error:
My nginx reverse proxy config is:
# Settings for a TLS enabled server.
upstream backend
{
    server 192.168.99.99:443;
}
server
{
    ssl on;
    listen 9443 ssl http2 default_server;
    ssl_certificate "/etc/pki/nginx/bundle.pem";
    ssl_certificate_key "/etc/pki/nginx/private/tpsonline.com.key";
    location /
    {
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header Host $host;
        proxy_pass https://backend;
    }
}
My nginx config from zammad-helm is:
server_tokens off;
upstream zammad-railsserver {
    server localhost:3000;
}
upstream zammad-websocket {
    server localhost:6042;
}
server {
    listen 8080;
    server_name _;
    root /opt/zammad/public;
    access_log /dev/stdout;
    error_log /dev/stderr;
    client_max_body_size 50M;
    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_pass http://zammad-websocket;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_pass http://zammad-railsserver;
        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}
What could be the reason that the only functionality that's not working is sign-up with Microsoft?
P.S. I did follow these carefully: https://admin-docs.zammad.org/en/3.6/settings/security/third-party/microsoft.html
I did set headers as described in previous zammad issue https://github.com/zammad/zammad/issues/2758#issuecomment-536465142 but still no luck.
I have the configuration below. I only want to authorize / because it is the only one that has a UI. Other URLs are already APIs, like /report/, /group/, /delete/ and so on.
upstream gofastdfs {
    server localhost:8081;
    keepalive 32;
}
server {
    listen 8080;
    server_name localhost;
    gzip on;
    gzip_types '*';
    location / {
        auth_basic "Caution";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
        keepalive_timeout 620;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://gofastdfs;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
But my configuration authorizes every URL; I only want to limit it to /.
location / matches any URI that is not handled by some other location block - i.e. it is the default location.
location = / only matches the single URI /.
See this document for details.
You can split your configuration into two location blocks using one with authentication and the other without. Some statements will need to be duplicated between both location blocks, but most can be moved into the outer context.
For example:
keepalive_timeout 620;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location = / {
    auth_basic "Caution";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    proxy_pass http://gofastdfs;
}
location / {
    proxy_pass http://gofastdfs;
}
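How nginx picks a location for the split configuration above, as an added Python model that is not part of the original answer; it also covers the ^~ and regex modifiers that appear in other configs on this page. The labels, the MIXED_CONFIG list (including its \.js$ location) and the sample URIs are constructed for illustration.

```python
import re

# (modifier, pattern, label) in config order. Modifiers as in nginx: "=" exact,
# "^~" prefix that skips the regex pass, "" plain prefix, "~"/"~*" regex.
SPLIT_CONFIG = [("=", "/", "auth_basic"), ("", "/", "open")]

# Constructed mix of modifiers seen in the configs on this page.
MIXED_CONFIG = [
    ("", "/", "app"),
    ("^~", "/_nuxt/", "nuxt"),
    ("~", r"^/(assets/|robots.txt|humans.txt|favicon.ico)", "static"),
    ("~", r"\.js$", "js"),  # hypothetical extra regex location
]


def select_location(locations, uri):
    """Label of the location nginx would choose for `uri`.
    Simplified model: top-level locations only (no nested or named ones);
    the query string is not part of the matched path.
    """
    path = uri.split("?", 1)[0]
    # 1. An exact "=" match wins immediately.
    for mod, pat, label in locations:
        if mod == "=" and path == pat:
            return label
    # 2. Find the longest matching prefix location.
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    # 3. "^~" on that longest prefix means regex locations are not checked.
    if best and best[0] == "^~":
        return best[2]
    # 4. Regex locations are tried in config order; the first match wins.
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            if re.search(pat, path, re.I if mod == "~*" else 0):
                return label
    # 5. Otherwise the longest prefix is used (None: no location matched).
    return best[2] if best else None


def without_auth(locations, uris):
    """URIs that end up in a location other than the auth_basic one."""
    return [u for u in uris if select_location(locations, u) != "auth_basic"]

# Constructed request URIs, not taken from the original posts.
SAMPLE_URIS = ["/", "/?tab=files", "/index.html", "/report/", "/group/"]
```

The result for /index.html is the thing to check before relying on location = / alone: any path other than the bare / that also serves the UI is proxied without auth_basic.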
The following Nginx config correctly returns /pages/subdomain/index.vue when visiting {tenant}.mysalon.test.
However (!), after 0.5s it automatically changes the view to /pages/index.vue, why?!
The issue disappears when I remove the second location block location /_nuxt/ {}, but without that block I'm not able to access anything within {tenant}.mysalon.test/_nuxt/, because the _nuxt folder isn't located within /pages/subdomain/ obviously.
How to solve?
GIF: https://imgur.com/a/WfIBYmK
server {
    listen 80;
    server_name ~^(?<tenant>.+)\.mysalon\.test$;
    gzip on;
    gzip_types text/plain application/xml text/css application/javascript;
    gzip_min_length 1000;
    location / {
        expires $expires;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header x-Tenant $tenant;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1m;
        proxy_connect_timeout 1m;
        proxy_pass http://127.0.0.1:3000/subdomain/;
    }
    location /_nuxt/ {
        expires $expires;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header x-Tenant $tenant;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1m;
        proxy_connect_timeout 1m;
        proxy_pass http://127.0.0.1:3000/_nuxt/;
    }
}
We have 10 Microservices-based applications. Each of them has about 15 services. So, we have 150 different service URLs for our product.
My question: How to design the Nginx location?
1) One location per application
2) One location per URL
3) Other way
I think there is something to trade off.
a. config complexity
b. conflict location issue
c. impact when a microservice is refactored
d. nginx.conf size
Could someone give me some guidance or the best practice?
Just to give you an example of one of my own configurations. I cannot say this is the best way to do it, but I did refer to and read a lot of blogs before making this up.
worker_processes 1;
events { worker_connections 10000; }
http {
    sendfile on;
    gzip on;
    gzip_http_version 1.0;
    gzip_proxied any;
    gzip_min_length 999;
    gzip_disable "MSIE [1-6]\.";
    gzip_types text/plain text/xml text/css
               text/comma-separated-values
               text/javascript
               application/x-javascript;
    # List of application servers
    upstream company_api_servers {
        server company.xxxx.xxxx:port_number;
    }
    upstream community_api_servers {
        server community.xxxx.xxxx:port_number;
    }
    upstream devices_api_servers {
        server devices.xxxx.xxxx:port_number;
    }
    # Configuration for the server
    server {
        # Running port
        listen 80;
        # Proxying the Companies API
        location /companies {
            proxy_pass http://company_api_servers;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
        # Proxying the Communities API
        location /communities {
            proxy_pass http://community_api_servers;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
        # Proxying the Devices API
        location /devices {
            proxy_pass http://devices_api_servers;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
    }
}
I have an NGINX server as a front-end cache server and I'd like to disable the cache on specific URLs.
Here is the configuration on NGINX:
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:10m inactive=120m max_size=1000m;
proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
server {
    listen 10.0.0.45:80 default_server;
    server_name proxy2.jjd;
    include /etc/nginx/default.d/*.conf;
    location / {
        client_max_body_size 20m;
        proxy_cache my_zone;
        proxy_cache_bypass $http_cache_control;
        proxy_no_cache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
        add_header X-Proxy-Cache-NGINX $upstream_cache_status;
        add_header X-Real-IP $remote_addr;
        add_header Cache-Control "public";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_redirect off;
    }
}
Add the following location to avoid a URL:
location ^~ /your-url/ {
    add_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_redirect off;
}
It just assigns this location to the proxy and doesn't enable caching for it.
As I get it, you just need a nested location with a single string proxy_cache off; inside to disable caching for nested URLs. Like this:
location / {
    proxy_cache my_zone;
    proxy_cache_bypass $http_cache_control;
    # other stuff related to proxying or other processing
    location /do/not/cache/this/url/ {
        proxy_cache off;
    }
}
You can just specify a location that only does proxy_pass to disable the cache:
location /will/not/cache {
    proxy_pass http://127.0.0.1:8080;
    # ... proxy_set_header directives ...
}