I have a VPS running nginx. With ngx_stream_ssl_preread_module, I have made SSL and non-SSL protocols work on the same port.
When I checked the access.log, I found a lot of lines starting with 127.0.0.1. Obviously this is not a real client IP.
I tried to modify my nginx.conf, such as proxy_set_header, real_ip_header, set_real_ip_from 127.0.0.1, etc.; they have no effect.
This is my original stream configuration in nginx.conf.
stream {
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
    }
    map $ssl_preread_protocol $upstream {
        default shadowsocks;
        "TLSv1.1" https;
        "TLSv1.2" https;
        "TLSv1.3" https;
    }
    upstream shadowsocks {
        server 127.0.0.1:7890;
    }
    upstream https {
        server 127.0.0.1:8888;
    }
}
I would try setting the proxy headers as follows:
server {
    listen 443 ssl default_server;
    ssl_preread on;
    proxy_redirect off;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $remote_addr;
        proxy_pass $upstream;
    }
}
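For the stream question above, an added example (not from either poster) of carrying the real client address across the ssl_preread hop with the PROXY protocol and restoring it in the http block with the realip module. It assumes the HTTPS backend on 127.0.0.1:8888 is an nginx http server built with ngx_http_realip_module; port 7891, the log paths and the certificate paths are placeholders chosen for illustration.

```nginx
stream {
    # The stream layer still sees the real peer, so log it here as well.
    log_format preread '$remote_addr [$time_local] proto=$ssl_preread_protocol '
                       'upstream=$upstream status=$status';
    access_log /var/log/nginx/stream_access.log preread;   # assumed path

    map $ssl_preread_protocol $upstream {
        default   shadowsocks_strip;   # non-TLS traffic goes via the local hop
        "TLSv1.1" https;
        "TLSv1.2" https;
        "TLSv1.3" https;
    }
    upstream https             { server 127.0.0.1:8888; }
    upstream shadowsocks_strip { server 127.0.0.1:7891; }  # hypothetical port
    upstream shadowsocks       { server 127.0.0.1:7890; }

    server {
        listen 443;
        ssl_preread on;
        proxy_protocol on;      # prepend a PROXY header to every upstream connection
        proxy_pass $upstream;
    }
    # The shadowsocks backend does not understand the PROXY header, so this
    # loopback-only hop accepts it and forwards the connection without one.
    server {
        listen 127.0.0.1:7891 proxy_protocol;
        proxy_pass shadowsocks;
    }
}

http {
    server {
        # Bind to loopback only: anything that can reach a proxy_protocol
        # listener can claim an arbitrary source address.
        listen 127.0.0.1:8888 ssl proxy_protocol;
        ssl_certificate     /path/to/fullchain.pem;   # placeholder
        ssl_certificate_key /path/to/privkey.pem;     # placeholder

        set_real_ip_from 127.0.0.1;       # trust the header only from the stream hop
        real_ip_header   proxy_protocol;  # $remote_addr becomes the real client
        access_log /var/log/nginx/access.log;         # assumed path
    }
}
```

The proxy_set_header and X-Forwarded-For directives have no effect at the stream layer because no HTTP is parsed there; the PROXY header is the only channel for the address, and set_real_ip_from limits who may assert it.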
Related
What I am trying to achieve is, when the request is coming from http://<ip>/vault/ui/ (referer in the request header) and it includes the http://<ip>/v1/* endpoint, for it to be rewritten or redirected to http://<ip>/vault/v1/
Can someone please help me to solve this issue?
/etc/nginx/sites-enabled/reverse-proxy.conf
upstream command_center_vault {
    server command-center-0.blinchik.io:28200;
}
server {
    listen 80;
    listen [::]:80;
    location /vault/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding "";
        proxy_pass "http://command_center_vault/vault/";
        proxy_redirect /ui/ /vault/ui/;
    }
    location /vault/v1/ {
        proxy_pass "http://command_center_vault/v1/";
    }
}
Headers
Update
A little bit more context, the overarching architecture looks as in the picture below.
The configuration of the nginx server in the private subnet looks like this:
private subnet nginx
upstream consul_server {
    server brain-consul-server-0.blinchik.io:8500;
    server brain-consul-server-1.blinchik.io:8500;
    server brain-consul-server-2.blinchik.io:8500;
}
upstream vault_server {
    server brain-vault-server-0.blinchik.io:8200;
    server brain-vault-server-1.blinchik.io:8200;
}
server {
    listen 28500;
    listen [::]:28500;
    location /consul/ {
        proxy_pass "http://consul_server";
        sub_filter_once off;
        sub_filter_types application/javascript text/html;
        sub_filter "/v1/" "/consul_v1/";
    }
    location /consul_v1/ {
        proxy_pass "http://consul_server/v1/";
    }
}
server {
    listen 28200;
    listen [::]:28200;
    location /vault/ {
        proxy_pass "http://vault_server/";
        port_in_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding "";
        proxy_redirect /ui/ /vault/ui/;
        sub_filter_once off;
        sub_filter '<head>' '<head><base href="/vault/">';
        sub_filter '"/ui/' '"ui/';
        # inspired by this repo https://github.com/Folcky/hashicorp-vault-and-nginx
    }
    location /v1/ {
        proxy_pass "http://vault_server/v1/";
    }
}
public subnet nginx
upstream command_center_vault {
    server command-center-0.blinchik.io:28200;
}
server {
    listen 80;
    listen [::]:80;
    location /vault/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding "";
        proxy_pass "http://command_center_vault/vault/";
        proxy_redirect /ui/ /vault/ui/;
    }
    location /vault/v1/ {
        proxy_pass "http://command_center_vault/v1/";
    }
}
The consul part works fine. If I change the location of /vault/v1/ to /v1/ in the public subnet configuration, then it works as well. But the problem is that other products that I intend to add to the reverse proxy (like Nomad) also use the /v1/ path, and in this case there will be a conflict.
I think this one should work (must be placed in the server context, outside any locations):
if ($http_referer ~ /vault/ui) {
    rewrite ^/v1(/.*) /vault/v1$1 last;
}
You can make regex pattern more strict including //<ip> or https?://<ip> parts.
I have a Flask API and a Swagger UI generated with Flask Restplus. The API runs in a Docker container behind an Nginx container which serves it over HTTP.
Here is a health check endpoint which confirms the API is running: https://mobydq.net/mobydq/api/v1/health
{"message":"MobyDQ API running in production mode"}
However, the Swagger which is supposed to load at the following URL does not load at all: https://mobydq.net/mobydq/api/doc
Here is the Nginx configuration:
http {
    upstream api {
        server api:5434;
    }
    upstream app {
        server app:3000;
    }
    # Server for https
    server {
        listen 443 ssl http2;
        server_name mobydq.net;
        ssl_certificate /etc/letsencrypt/live/mobydq.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mobydq.net/privkey.pem;
        # Location for MobyDQ Flask API
        location /mobydq {
            limit_req zone=default burst=20;
            proxy_pass http://api;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        # Location for MobyDQ Web App
        location / {
            limit_req zone=default burst=20;
            proxy_pass http://app;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    # Default server to redirect http requests to https
    server {
        listen 80 default_server;
        server_name mobydq.net;
        listen [::]:80 default_server;
        location ~ /.well-known {
            root /var/www/letsencrypt;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
Any idea why the Swagger is not loading? I looked into the http requests sent when loading the page but it did not help much. I can only see the favicon loading:
I also looked at the console and saw an error but I'm not able to tell what it means:
The problem was that Nginx did not properly redirect the http requests when trying to get the resources from Swagger (the JSON configuration file in particular).
The issue has been fixed by changing the Nginx configuration as follows:
[...]
# Location for MobyDQ Flask API
location ~ ^/(mobydq|swaggerui) {
    limit_req zone=default burst=20;
    proxy_pass http://api;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
[...]
I've installed a SonarQube and a Jenkins server on one machine, with ports 9000 and 8080 respectively. I'd like to make URLs like test_hub.mysite.com/sonar and /jenkins redirect to the machine and port correctly, while maintaining the original address test_hub.mysite.com/sonar.
My configuration with nginx is pretty simple:
server {
    listen 80;
    server_name sonar.mysite.com;
    location /sonar/ {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://52.29.xx.xx:9000;
    }
}
server {
    listen 80;
    server_name test_hub.mysite.com;
    location / {
        # you can use regular exp also
        if ($request_uri = /sonar) {
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://52.29.xx.xx:9000;
        }
        if ($request_uri = /jenkins) {
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://52.29.xx.xx:8000;
        }
    }
}
NOTE: Check this link before trying
Is it possible to pass requests for a specific path to a different upstream server?
Here is my nginx site configuration:
upstream example.org {
    server 127.0.0.1:8070;
    keepalive 8;
}
server {
    listen 0.0.0.0:80;
    server_name example.org www.example.org;
    access_log /var/log/nginx/example.org.log;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://example.org;
        proxy_redirect off;
    }
}
Currently, requests to this site are redirected to a Node.js instance running on port 8070.
I would like requests to this site that have a path starting with /services to be redirected to another Node.js instance running on port 8080.
Is this possible? And of course -- how so?
Yes, just add another location block:
upstream example.org {
    server 127.0.0.1:8070;
    keepalive 8;
}
upstream other.example.org {
    server 127.0.0.1:8080;
    keepalive 8;
}
server {
    listen 0.0.0.0:80;
    server_name example.org www.example.org;
    access_log /var/log/nginx/example.org.log;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_redirect off;
    location / {
        proxy_pass http://example.org;
    }
    location /services {
        proxy_pass http://other.example.org;
    }
}
Note: I extracted all shared proxy directives into the server block so that they are not repeated in each location block. If they would differ between different locations, you would have to move them again into the location blocks...
I'd like to serve several applications from the same server, reversed-proxied through nginx. I'd like these applications to be available through a single domain name with sub-uris.
e.g.
www.mydomain.com/nodejs
=> caught by nginx listening to port 80 and served through to a node.js app running on port 3001
www.mydomain.com/rails
=> caught by nginx listening to port 80 and served through to a rails app running on port 3002
My first stab is to start with two upstreams:
# /etc/nginx/sites-available/mydomain.com
upstream nodejs {
    server 127.0.0.1:3001;
}
upstream rails {
    server 127.0.0.1:3002;
}
server {
    listen 80 default deferred;
    # What do I put here so that
    # mydomain.com/nodejs is proxied to the nodejs upstream and
    # mydomain.com/rails is proxied to the rails upstream ???
}
Does anyone know this or point me in the right direction?
How about:
upstream nodejs {
    server 127.0.0.1:3001;
}
upstream rails {
    server 127.0.0.1:3002;
}
server {
    listen 80;
    location /nodejs {
        proxy_pass http://nodejs;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /rails {
        proxy_pass http://rails;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
or shortly:
server {
    listen 80;
    location /nodejs {
        proxy_pass http://127.0.0.1:3001;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /rails {
        proxy_pass http://127.0.0.1:3002;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
?
Most of the proxy directives are optional (you probably just need proxy_pass and proxy_redirect) but useful.
About the question: if CSS, JS, and image files are missing, you can do it like this.
If you use the Express framework,
you need to add this line of code:
app.enable('trust proxy');
The 'trust proxy' setting is disabled by default.