I've been trying to redirect traffic from https://server:443 to http://server:8088 internally, using NGINX as a reverse proxy. I can see my service on 8088 is running, since I can access it, but when I try to access it over https on port 443 it gives me a 502 Bad Gateway error. The service I'm running is Apache Superset.
I have already created my cert.pem and key.pem files. Already tried several combinations on /etc/nginx/conf.d/default.conf on the location section but no luck so far.
server {
    listen 443 http2 ssl;
    server_name localhost;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        add_header Front-End-Https on;
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        proxy_pass_header Authorization;
        proxy_pass http://localhost:8088;
        proxy_redirect off;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Connection "";
    }
}
I'd expect to hit https://server:443 and have it display my service, which is running at http://server:8088.
I have a problem with nginx and proxy_pass. I am trying to secure the connection to an old server where I have no option to upgrade Apache. I can't establish an SSL connection with TLS 1.2 there, so I tried to secure it with a reverse proxy in nginx, with some success. When I open a website like http://example.com or https://example.com, the connection is secure and it works well. But there are other pages which have links like https://example.com/login or https://example.com/investitions (basically every URI like example.com/foo/bar/, etc.), and those connections are insecure. My nginx config looks like this:
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate ssl.crt;
    ssl_certificate_key ssl.key;
    ssl_client_certificate ca.crt;
    proxy_ssl_protocols TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    location / {
        proxy_set_header X-Scheme https;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://baza.example.com/;
    }
}
Please help me.
I am using NGINX as a reverse proxy to connect to an application hosted in Windows Server.
The connection path for the upstream traffic would be something like:
Browser to reverse proxy over https on port 443
Reverse proxy to Windows app server over http on ip 10.1.0.10, port 8080
The relevant configuration in nginx is as follows:
server {
    server_name example.com;
    listen 443 ssl http2;
    location / {
        return 301 https://$host/app;
    }
    location ~ ^/app {
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
        add_header X-Content-Type-Options nosniff always;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_intercept_errors on;
        proxy_pass http://10.1.0.10:8080;
    }
}
I can see that requests to https://example.com/app are initially reaching the server. Problem is, subsequent requests are trying to reach URL http://example.com:8080/app.
It looks like proxy_set_header Host is working as expected (i.e. replacing ip address 10.1.0.10 with example.com), but the protocol and port number are not changing.
I tried adding the following directives:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
but no luck.
How can NGINX be configured to pass incoming traffic to http://10.1.0.10:8080 while using https://example.com (port 443) in the headers?
I need to reverse proxy to an Apache server running on the localhost. The problem is that Apache redirects requests to directories without a trailing forward slash, to the directory with a trailing forward slash, as part of its DirectoryRewrite directive. The below nginx setup works fine when you go to https://myhost/sw/myapp/ but if you forget the trailing forward slash you end up being redirected to http://myhost:8080/sw/myapp. Short of disabling the Apache DirectoryRewrite directive what can I do to make sure that the / is always added to the end of any request so that Apache does not redirect?
server {
    client_max_body_size 10240M;
    listen 443 ssl;
    server_name "";
    ssl_certificate ../ssl/server.crt;
    ssl_certificate_key ../ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /sw {
        proxy_pass http://127.0.0.1:8080/sw;
        proxy_redirect ~^http://127.0.0.1:8080/sw/([^.]*[^/])$ https://$host/sw/$1/;
        proxy_redirect http://127.0.0.1:8080/ https://$host/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffering off;
        proxy_set_header HOST $host;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        error_page 301 302 303 = @handle_redirect;
    }
}
If the upstream server is redirecting to http://example.com:8080/ (rather than http://127.0.0.1:8080/) you will need to change or add another proxy_redirect statement. See this document for details.
For example:
proxy_redirect http://example.com:8080/ https://example.com/;
Or as you stated in comments:
proxy_redirect http://$host:8080/ https://$host/;
The proxy_redirect values need to exactly match the beginning of the Location: header in the 3xx response. You can use curl -I to identify the exact contents of that response header.
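Added example (not part of the original answer): a small Python model of nginx's plain-string proxy_redirect matching, used to check which upstream Location values would still reach the browser as plain-http URLs on the backend port. It models only string-prefix rules with $host substitution (regex `~` rules are not modelled); the function names and sample Location values are constructed for illustration.

```python
# Added example: models nginx's plain-string proxy_redirect rules only
# (regex "~" rules are not modelled). Sample Location values are constructed.

def rewrite_location(location, rules, host):
    """Apply the first rule whose left side is a case-sensitive prefix of
    the upstream Location value; return (rewritten_value, rule_index)."""
    for index, (redirect, replacement) in enumerate(rules):
        redirect = redirect.replace("$host", host)
        replacement = replacement.replace("$host", host)
        if location.startswith(redirect):
            return replacement + location[len(redirect):], index
    return location, None  # no rule matched: header reaches the client as-is


def leaked_redirects(locations, rules, host):
    """Return rewritten Location values that would still send the browser
    to a plain-http URL after the rules are applied."""
    leaks = []
    for location in locations:
        rewritten, _ = rewrite_location(location, rules, host)
        if rewritten.startswith("http://"):
            leaks.append(rewritten)
    return leaks


HOST = "example.com"
# Constructed Location headers, as `curl -I` against the upstream might show.
UPSTREAM_LOCATIONS = [
    "http://127.0.0.1:8080/sw/myapp/",
    "http://example.com:8080/app/",
    "/app/login",
]
# Rule taken from the question's config, then the rule the answer adds.
RULES_BEFORE = [("http://127.0.0.1:8080/", "https://$host/")]
RULES_AFTER = RULES_BEFORE + [("http://$host:8080/", "https://$host/")]

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, "leaks:", leaked_redirects(UPSTREAM_LOCATIONS, rules, HOST))
    for location in UPSTREAM_LOCATIONS:
        print(location, "->", rewrite_location(location, RULES_AFTER, HOST)[0])
```

With only the 127.0.0.1 rule, the redirect to http://example.com:8080/app/ passes through unchanged, which is the downgrade from https to plain http described in the questions above.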
I have two droplets on Digital Ocean. One load balancer with nginx and one node/express webserver with nginx reverse proxy. Let's call them load-1 and web-1. load-1 handles SSL termination and forwards requests via nginx upstream module to web-1 via http over private networking provided by Digital Ocean.
When accessing web-1 on its public IP everything works. When accessing through load-1 I receive only 404s. I have verified that the requests are actually forwarded to web-1, this is what the nginx access log for web-1 shows on every request received from load-1:
load-1.private.ip - [09/Jan/2017:13:14:00 +0000] "GET / HTTP/1.0" 404 580 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
Why are forwarded requests not working when direct requests are working? Since web-1 is working when accessed directly there must be something wrong with how I forward requests from load-1 to web-1?
My nginx config on load-1:
upstream web-servers {
    server web-1.private.ip;
}
server {
    listen 80;
    listen 443 ssl;
    server_name mydomain.com;
    ssl on;
    ssl_certificate /etc/ssl/mycert.crt;
    ssl_certificate_key /etc/ssl/mykey.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://web-servers;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
My nginx config on web-1:
server {
    listen 80;
    server_name web-1.public.ip web-1.private.ip;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_cache_bypass $http_upgrade;
    }
}
Simply, Nginx on web-1 doesn't know what configuration to use.
Nginx looks at the Host header to determine the server configuration to use. You're setting the host to be mydomain.com in the proxy settings on load-1, but there's no corresponding entry for mydomain.com on web-1.
Either:
- Set the default_server flag on web-1 (by changing the listen 80; directive to listen 80 default_server;)
- Remove any other server blocks so this is the only block (causing Nginx to treat it as the default server)
- Add mydomain.com to the server_name list
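Added example (not part of the original answer): a simplified Python model of how nginx chooses a server block on one listen port, run against the web-1 setup as posted and against each of the three fixes listed above. It handles exact server_name matches only (wildcard and regex names are not modelled), and the "stock-default" block standing in for whatever other server block exists on web-1 is an assumption.

```python
# Added example: simplified model of nginx server-block selection for one
# listen port. Exact server_name matches only; the "stock-default" block is
# an assumed stand-in for the other server block present on web-1.

def select_server(servers, host_header):
    """servers: list of (label, server_names, is_default) in config order.
    Returns the label of the block that would handle the request."""
    host = host_header.split(":")[0].lower()  # nginx ignores the port here
    for label, names, _ in servers:
        if host in (name.lower() for name in names):
            return label
    for label, _, is_default in servers:
        if is_default:
            return label
    return servers[0][0]  # no default_server flag: first block defined wins


APP_NAMES = ["web-1.public.ip", "web-1.private.ip"]
STOCK = ("stock-default", ["_"], False)

AS_POSTED = [STOCK, ("app", APP_NAMES, False)]
FIX_DEFAULT_FLAG = [STOCK, ("app", APP_NAMES, True)]       # listen 80 default_server;
FIX_ONLY_BLOCK = [("app", APP_NAMES, False)]               # other blocks removed
FIX_SERVER_NAME = [STOCK, ("app", APP_NAMES + ["mydomain.com"], False)]

if __name__ == "__main__":
    # load-1 forwards with "proxy_set_header Host $host", i.e. mydomain.com
    for name, cfg in (("as posted", AS_POSTED),
                      ("default_server flag", FIX_DEFAULT_FLAG),
                      ("only block", FIX_ONLY_BLOCK),
                      ("server_name added", FIX_SERVER_NAME)):
        print(f"{name:20} Host: mydomain.com -> {select_server(cfg, 'mydomain.com')}")
    print("direct access        Host: web-1.public.ip ->",
          select_server(AS_POSTED, "web-1.public.ip"))
```

Of the three fixes, only adding mydomain.com to server_name keeps requests with unknown Host values out of the application block; the other two make it the catch-all.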
I have a cluster glassfish instance running in Ubuntu 12.04 server with nginx as the front-end.
I have configured glassfish upstream in nginx conf file and proxy params are all set.
nginx.conf
glassfish_custer ( upstream name )
Now the problem is,
I added a file realm in glassfish with username and password entries to enable basic authentication for one of my applications.
I added necessary login config params in web.xml file, bundled war and deployed in glassfish server and when I fire url,
http://domain.com/application
It falls in redirect loop
https://domain.com/application
It happens only when I enable basic authentication. If I switch off, everything is working as expected.
I think I need to set some proxy header params and change auth settings in the glassfish admin console for the http listener?
If anyone has experienced this issue before, please let me know.
In short: how to make basic authentication work in an nginx load balancer with glassfish as the upstream?
UPDATE 1:
nginx.conf
## http redirects to https ##
server {
    #listen [::]:80;
    listen 80;
    server_name domain.com www.domain.com;
    location / {
        try_files $uri $uri/ @backend;
    }
    location @backend {
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header x-forwarded-for $remote_addr;
        proxy_pass http://glassfish_servers;
        proxy_intercept_errors on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
    # Strict Transport Security
    # add_header Strict-Transport-Security max-age=2592000;
    # rewrite ^/.*$ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name domain.com www.domain.com;
    location / {
        try_files $uri $uri/ @backend;
    }
    ## default location ##
    location @backend {
        proxy_buffering off;
        proxy_pass http://glassfish_servers;
        proxy_intercept_errors on;
        #proxy_http_version 1.1;
        #proxy_set_header Connection "";
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        # set headers
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        #proxy_redirect off;
    }
    ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/domain_com.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!$
}
Answering my own question.
Having this XML configuration in web.xml was the root cause of the redirection loop.
Since I added "CONFIDENTIAL" as the authority value, HTTP requests were getting redirected to HTTPS when the request hit the backend glassfish instance.
I changed this value to "NONE" and everything worked like a charm.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>wholesale</web-resource-name>
        <url-pattern>/acme/wholesale/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>PARTNER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Make the following changes
Change <transport-guarantee>CONFIDENTIAL</transport-guarantee>
to
<transport-guarantee>NONE</transport-guarantee>
Also, make sure to set proper proxy header values in the nginx conf file, or, if you configured site conf files separately in the sites-available folder, please add the following proxy headers:
proxy_set_header x-forwarded-for $remote_addr;
proxy_intercept_errors on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;