I am using nginx as reverse proxy for my flask API. When I make a http request I still receive the API response , whereas of my understanding I should receive an 400 error.
I have tried all the things I could find for that topic, but I couldn't get it working properly. I just replaced the redirect with the return code.
for example I used this guide
https://serversforhackers.com/c/redirect-http-to-https-nginx
default file
server {
listen 80;
server_name _;
return 400;
}
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH: !aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
# reverse proxy and serve the app # running on the localhost: 8000 proxy_pass http: //127.0.0.1:8000/;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
The result should be that when you make a http request you should get an error and when you make a https request you should get the JSON respond.
You need to remove ssl on; directive
ssl flag in listen will handle it.
You can also check http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
Related
I am deploying InvenioRDM as local.
Here is a gist of the limitations.
InvenioRDM as local instance for prototyping
Application is strictly IP address and port bound
Aim is to link IP to URL in a seamless manner
The work so far:
InvenioRDM local instance exposes application frontend only
Approaches:
i) Mimic production: The Nginx configuration was initially setup that
mirrored the production. The production environment is purely
containers. Very complex so i decided to try a simpler approach.
ii) Transparent Proxy: Use Nginx to pass on everything and replace
the URLs at ingress (proxy_pass) and egress (proxy_redirect). The
benefit is to simplify the web server configuration as the
application does handle http requests.
My default.conf is as follows.
# HTTP server
server {
# Redirects all requests to https. - this is in addition to HAProxy which
# already redirects http to https. This redirect is needed in case you access
# the server directly (e.g. useful for debugging).
listen 80; # IPv4
server_name server.name;
return 301 https://$host$request_uri;
}
#HTTPS Server
server {
listen 443 ssl;
server_name server.name;
charset utf-8;
keepalive_timeout 5;
ssl_certificate /etc/ssl/test.crt;
ssl_certificate_key /etc/ssl/test.key;
ssl_session_cache builtin:1000 shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AE$
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
proxy_request_buffering off;
proxy_http_version 1.1;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://127.0.0.1:5000;
proxy_read_timeout 90;
proxy_redirect https://127.0.0.1:5000 https://server.name;
}
}
My issue is that when accessing publicly on the IP address server.name (hidden for obvious reasons), it returns with the internal Class A IP address (10.X.X.X) of the machine which is offcourse not accessible publicaly. What am I missing here.
I am new to this, and I am at my wits end.
Below is my current nginx config.
server {
listen 80 default_server;
server_name _;
return 307 https://$host$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name localhost;
# Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols below.
ssl_protocols TLSv1.2;
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
location / {
proxy_pass http://localhost:80; # TODO: replace port if app listens on port other than 80
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
All has been working well, but I recently added the first 'server' block hoping to redirect my url to https:// whenever a http:// version of the URL is visited, but I am getting an 'ERR_TOO_MANY_REDIRECTS' message when visiting the URL in the browser.
My application's port is on 80 within an Azure Container.
Any help would be appreciated!
We have been trying for days (we tested hundreds of setups) to make a Nginx Reverse Proxy successfully reverse proxy a web application that needs FQDNs (this is mandatory for this web application to work).
Using the configuration below for the Nginx Reverse Proxy together with a local DNS service (see resolver attribute) that knows the FQDN we can successfully make these http calls...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://$host$request_uri;
resolver 127.0.0.1:53;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... , however if I change the proxy_pass attribute to using an IP as shown here...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://10.2.0.18:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... the web application reports not knowing the URL (error). In other words, clearly there is some parameter/data (we don't know what it is) that is added by the DNS service to the http call.
QUESTION: What is the local DNS service provided parameter/data that Nginx Reverse Proxy is not providing?
NOTE: We are asking this because we believe this is something that can be provided by the Nginx Reverse Proxy itself so that we will not need to use the local DNS service.
Thanks! =D
I have a problem with nginx and proxy_pass. I try to secure connection to old server without option to upgrade apache there. I can't establish there ssl connection with tls 1.2. So i Tried to secure it by reverse proxy in nginx with some success. when i open website like http://example.com or https://example.com connection is secure and it works well. But there are other sites whitch have links like https://example.com/login https://example.com/investitions (basicly every uri example.com/foo/bar/ ect.)and those connections are insecure. my nginx config looks like this:
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate ssl.crt;
ssl_certificate_key ssl.key;
ssl_client_certificate ca.crt;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
location / {
proxy_set_header X-Scheme https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr
proxy_pass http://baza.example.com/;
}
Please help me.
I have configured my nginx based on the documentation provided and articles available from web. It's not completely working specifically http to https.
I tried different changes but still not be able to execute successfully...Please have a look.
Few imp points : My . nodejs app is running on port 3000.
Ghost blog running on 2368.
HTTP — redirect all traffic to HTTPS
server {
listen 80;
server_name domainname.com www.domainname.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.domainname.com;
error_page 497 https://www.domainname.com$request_uri;
ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers KEY_HERE;
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /etc/ssl/certs/dhparam.pem;
resolver 8.8.8.8;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /blog {
proxy_pass http://localhost:2368;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This issue is resolved.
Everything is correct with nginx configuration. Issue was with Google console platform. There is a check box in GCP config with name Allow HTTP traffic, which was unchecked by default. I made the change and it started working. Thanks for the reply.
I recommend you to do as below:
location / {
return 301 https://$host$request_uri;
}