nginx enable authentication on specific port - nginx

I am trying to protect the URL of my Kibana server with a password.
If I type http://192.168.1.2 in the browser, I am getting prompted for a username/password, but if I query the port 5601 directly via http://192.168.1.2:5601 then I can bypass the nginx proxy auth.
Note that both nginx and Kibana run on the same server.
I tried different combinations of "localhost" "0.0.0.0" or "127.0.0.1" as the listening source address but none of them worked. I can still easily bypass the proxy.
What am I doing wrong?
here's my /etc/nginx/nginx.conf file:
server {
listen 192.168.1.2:80;
server_name 192.168.1.2;
location / {
proxy_pass http://192.168.1.2:5601;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}

NGINX only listens on port 80 and does not prevent access to your application on port 5601. You should instead use a firewall to block access to the port itself. You could:
Place your server behind a firewall such as a router (blocks out all external network requests)
Install a firewall, like UFW, on the server itself.

Related

Basic proxy_pass from nginx from one local ip to another local ip

I am a new user of nginx and I am following a video guide from Linode on youtube (How to Set Up an NGINX Reverse Proxy).
I have a working nginx and apache server both on port 80. I know that because when I type the ip address of both in firefox, it directs me to nginx/apache welcome page.
The youtube video configuration template is as follow (where the server_name is the linode ip) :
server {
listen 80;
listen [..]:80;
server_name 172.105.104.226;
location / {
proxy_pass http://localhost:3000/;
}
On my Proxmox machine, the nginx server is on a VM at 192.168.1.241 and the apache server on another VM at 192.168.1.243.
Looking at nginx documentation we find that this :
location /some/path/ {
proxy_pass http://www.example.com/link/;
}
should proxy all the traffic received on the nginx listening port and redirect it to the address specified by proxy pass.
With all these information, my configuration file is like this :
server {
listen 80;
listen [::]:80;
server_name 192.168.1.241;
location / {
proxy_pass http://192.168.1.243;
}
}
My understanding is that this configuration file should listen at the address 192.168.1.241 on port 80 (nginx server) and redirect it to the specified address 192.168.1.243 (apache server)/
If i understand correctly, Location / should take the request as is received on the nginx server and redirect it to the apache server.
However, when I enter 192.168.1.241 in my browser, it doesn't show the apache welcome message but shows the nginx welcome message. That means that the proxy isn't working.
My nginx understanding is extremely limited as I am just starting to learn, but to me it seems like this should work but doesn't.
Thank you for your help
It turns out that the configuration is correct.
The problem was that the webpage was cached. By forcing a full refresh, 192.168.1.241 redirected to 192.168.1.243 successfully.

How to let the backend api handle https certificate?

I'm new to nginx.
I have a machine, behind my router, that runs a server and handles correctly 80 and 443 request with Https.
Problem is that I want to host a second website on another device but I have only one IP address. I bought a raspberry pi zero to use it as a reverse proxy behind my router. I install nginx and want to redirect all the request to my other machines. Both the RPI 0 and the old machine have local IP.
To redirect requests from my router to RPI 0 and then to my old machine, I used proxy_pass. On port 80 everything works fine, but on port 443 I get a certificate error on my browser.
Is it possible to let the whole request go on the old machine and let the old machine handles the https certificate like before ? Or is it mandatory to have the certificate processed by nginx ?
Diagram of the old but functional installation
Current installation with certificate error
My configuration:
upstream backend_a {
server 192.168.0.20:80;
}
upstream backend_a_s {
server 192.168.0.20:443;
}
server {
listen 80;
server_name mydomain;
location / {
include proxy_params;
proxy_pass http://backend_a;
}
}
server {
listen 443 ssl;
server_name mydomain;
location / {
include proxy_params;
proxy_pass https://backend_a_s;
}
}
I found a solution. I need to use port forwarding. To do this in nginx, I need to use stream keyword.
stream {
server {
listen 443;
proxy_pass 192.168.0.20:443;
}
}
The stream keyword need to be at the same level as http, so I needed to edit /etc/nginx/nginx.conf source. Other solution is to manually compile a version of nginx, with the parameter --with-stream source.

nginx + cloudflare + digitalocean = 521

I'm trying host a website with multiple subdomains (created with Cloudflare, which also provides SSL) hosted on DigitalOcean with Nginx serving as a reverse proxy.
My Cloudflare Configs
DNS setup:
Type ~ Name ~ Value
A ~ api ~ MyDigitalOceanIPv4
A ~ example.com ~ MyDigitalOceanIPv4
A ~ www ~ MyDigitalOceanIPv4
Crypto setup:
SSL: Full (strict)
Always use HTTPS: On
Automatic HTTPS Rewrites: On
I've also used Cloudflare to Create Certificate (and followed their instructions to set it up with Nginx)
My Nginx config:
server {
listen 443;
server_name example.com www.example.com;
ssl on;
ssl_certificate /srv/example.com/cloudflare.pem;
ssl_certificate_key /srv/example.com/cloudflare.key;
location / {
proxy_pass http://localhost:8000;
}
}
server {
listen 443;
server_name api.example.com;
ssl on;
ssl_certificate /srv/example.com/cloudflare.pem;
ssl_certificate_key /srv/example.com/cloudflare.key;
location / {
proxy_pass http://localhost:8080;
}
}
I have opened for all TCP ports on DigitalOcean, and if I try to open MyDigitalOceanIPv4:8000 in my browser then my website (hosted in a Docker container) successfully loads. However, if I try to open my website "example.com" then I get Cloudflare's 521 web server is down message.
I have also verified that the Cloudflare SSL key paths and content are correct, nginx -t shows no errors, and I've made sure to restart nginx after making changes.
I have also tried to whitelist Cloudflare's IPs using my Nginx config file but it didn't work.
If I try to telnet MyDigitalOceanIPv4 443 or 80 then I get telnet: Unable to connect to remote host: Connection refused.
Inside my DigitalOcean instance I have tried to curl http://localhost:8000 which successfully prints my website content.
I suspect there's some DigitalOcean setting I need to configure, or there's something wrong with my Nginx file (even though I've successfully used same Nginx config on a different cloud provider), but feel like I've tried everything..

Nginx Reverse Proxy upstream not working

I'm having trouble figuring out load balancing on Nginx. I'm using:
- Ubuntu 16.04 and
- Nginx 1.10.0.
In short, when I pass my ip address directly into "proxy_pass", the proxy works:
server {
location / {
proxy_pass http://01.02.03.04;
}
}
When I visit my proxy computer, I can see the content from the proxy ip...
but when I use an upstream directive, it doesn't:
upstream backend {
server 01.02.03.04;
}
server {
location / {
proxy_pass http://backend;
}
}
When I visit my proxy computer, I am greeted with the default Nginx server page and not the content from the upstream ip address.
Any further assistance would be appreciated. I've done a ton of research but can't figure out why "upstream" is not working. I don't get any errors. It just doesn't proxy.
Okay, looks like I found the answer...
two things about the backend servers, at least for the above scenario when using IP addressses:
a port must be specified
the port cannot be :80 (according to #karliwsn the port can be 80 it's just that the upstream servers cannot listen to the same port as the reverse proxy. I haven't tested it yet but it's good to note).
backend server block(s) should be configured as following:
server {
# for your reverse_proxy, *do not* listen to port 80
listen 8080;
listen [::]:8080;
server_name 01.02.03.04;
# your other statements below
...
}
and your reverse proxy server block should be configured like below:
upstream backend {
server 01.02.03.04:8080;
}
server {
location / {
proxy_pass http://backend;
}
}
It looks as if a backend server is listening to :80, the reverse proxy server doesn't render it's content. I guess that makes sense, since the server is in fact using default port 80 for the general public.
Thanks #karliwson for nudging me to reconsider the port.
The following example works:
Only thing to mention is that, if the server IP is used as the "server_name", then the IP should be used to access the site, means in the browser you need to type the URL as http://yyy.yyy.yyy.yyy or (http://yyy.yyy.yyy.yyy:80), if you use the domain name as the "server_name", then access the proxy server using the domain name (e.g. http://www.yourdomain.com)
upstream backend {
server xxx.xxx.xxx.xxx:8080;
}
server {
listen 80;
server_name yyy.yyy.yyy.yyy;
location / {
proxy_pass http://backend;
}
}

How to test nginx subdomains on localhost

I want to test nginx subdomains before uploading config to the server. Can i test it on localhost? I try
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://localhost:8080;
}
}
server {
listen 80;
server_name sub.localhost;
location / {
proxy_pass http://localhost:8080/sub;
}
}
And it does not work. Shoulld i change my hosts file in order to make it work? Also, after uploading site to the server should i change DNS records and add sub.mydomain.com?
Yes, add '127.0.0.1 sub.localhost' to your hosts file. That sub has to be resolved somehow. That should work.
Then once you're ready to go to the net, yes, add an a or cname record for the subdomain sub.
When I use proxy_pass I also include the proxy.conf from nginx.
http://wiki.nginx.org/HttpProxyModule
In Linux based OS just to edit as sudo /etc/hosts file and change 127.0.0.1 localhost to 127.0.0.1 *.localhost.
So at /etc/nginx/sites-enabled/<environment>/<your_project_name> edit server_name key as <subdomain>.localhost.
Reload nginx and networking service.
$ sudo service nginx reload
$ sudo service networking reload
And then try http://<subdomain>.localhost at url bar.
It works for me.
UPDATE
In my opinion, a better solution is creating a virtual server that only responds if subdomain doesn’t exist, at /etc/nginx/sites-enabled/development/default, as default server (remember that you can define only one server as default).
server {
listen 80 default_server;
root /var/www/html/errors/404;
server_name *.localhost *.<host-name>;
location / {
index subdomain.html;
}
}
Make sure that in nginx.conf (generally at /etc/nginx/nginx.conf) contain include /etc/nginx/sites-enabled/**/*; to this virtual server work. If not, put it and then run $ sudo service nginx reload.
In this case isn't necessary put *.localhost in /etc/hosts, but only localhost.
For your public webserver with its own domain name, you just need to add a Canonical name using a CNAME record in your DNS configuration:
CNAME * example.com.
Once this is done, set your nginx setting
server_name *.example.com example.com;
In your local setup you can keep the same configuration for nginx but unless you have a local DNS setup, you will have to edit your /etc/hosts file and add each subdomain manually. wildcards don't work in the /etc/hosts file.
127.0.0.1 abc.example.com def.example.com ghi.example.com
It is generally recommended to use .local as the namespace for your local domains.
With an Nginx configuration like shown by the OP, all that is needed is to configure the local DNS resolution. I run Linux containers on a VM with a local DHCP IP but test them on Windows 10 browsers.
The DNS configuration can be done by editing "C:\Windows\System32\drivers\etc\hosts" as Administrator.
192.168.100.50 sub.example.local
192.168.100.50 example.local
Of course, use 127.0.0.1 or other appropriate IP as needed.

Resources