ASP.NET Owin OAuth callback URL with reverse proxy - asp.net

I need your help to solve an issue I have with OAuth on my MVC5 application. On my development environment everything's fine. I set up Twitter/Google/Facebook/Microsoft providers and it works like a charm for now.
My issue is on a test environment. I'm using nginx as a front server to hold the certificates and serve some static content through a subdirectory of the domain.
The proxy part is configured as follows:
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
The problem is that all my configured callback URLs for external providers are on the HTTPS scheme, but running the application on HTTP makes the callback URL have an HTTP protocol (for example, the authorized callback URL is https://example.com/signin-facebook but the effective callback URL sent to the provider is http://example.com/signin-facebook).
I saw in other posts that there is an ASP.NET Core solution with UseForwardedHeaders, but as I'm still on normal ASP.NET, it's not an option.
As a dirty workaround, I temporarily allowed URLs with an HTTP protocol as callback URLs for Twitter/Facebook and Google, but Microsoft is strict and only allows HTTPS. (This workaround works because my nginx is configured to perform a 301 redirect on incoming HTTP requests to the same request over HTTPS.)
Does anyone have a solution to change the scheme of the base URL used to build the callback URL?
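
One way to handle this on classic ASP.NET, shown as an added example that is not part of the original post: a small OWIN middleware that copies the scheme nginx sends in X-Forwarded-Proto into Request.Scheme, which the Katana external-login middleware reads when it builds the callback URL. `UseForwardedScheme` is a hypothetical helper name, and the loopback check assumes nginx runs on the same host, as in the `proxy_pass http://localhost:8080` configuration above.

```csharp
using System;
using System.Net;
using Owin;

public static class ForwardedSchemeExtensions
{
    // Hypothetical helper (not a Katana API). Register it in Startup.Configuration
    // before any authentication middleware so the callback URL sees the new scheme.
    public static IAppBuilder UseForwardedScheme(this IAppBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // Assumption: nginx is on the same host (proxy_pass http://localhost:8080),
            // so only a loopback peer is allowed to assert the original scheme.
            IPAddress peer;
            bool fromProxy = IPAddress.TryParse(context.Request.RemoteIpAddress, out peer);
            if (fromProxy && peer.IsIPv4MappedToIPv6)
            {
                peer = peer.MapToIPv4();
            }
            fromProxy = fromProxy && IPAddress.IsLoopback(peer);

            // nginx overwrites the header with $scheme, so a single token is expected.
            string proto = context.Request.Headers.Get("X-Forwarded-Proto");
            if (fromProxy &&
                (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase) ||
                 string.Equals(proto, "http", StringComparison.OrdinalIgnoreCase)))
            {
                // The OAuth middleware builds the redirect URI from Request.Scheme.
                context.Request.Scheme = proto.ToLowerInvariant();
            }

            await next();
        });
    }
}
```

Call `app.UseForwardedScheme()` as the first statement of `Startup.Configuration`; a request that reaches port 8080 from anywhere other than the proxy keeps the scheme it actually arrived with.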

Related

I wonder reverse proxy server configuration with frontend server, api server, nginx server

I'm configuring a reverse proxy server with nginx.
The nginx.conf file is like this: location / -> front server address, location /api -> API server address.
The front server originally fetched from http://${api_addr}/api (before setting up nginx), but now I have changed the API URL to http://${nginx_addr}/api to set up the reverse proxy server. I am wondering if it is correct to send the request directly from the front to the API address or if it is correct to send the request to the nginx address?
So you're configuring a website and you want it to direct traffic to your frontend (html etc) and have an api route going to your api, if I'm reading that correctly?
You'd do it similar to this:
    server {
        listen 80;
        server_name yourdomain.com;

        # "set" takes the variable and its value, with no "=" in between.
        # With a variable in proxy_pass, nginx resolves the name at request time,
        # which requires a "resolver" directive unless the name matches an upstream block.
        set $frontend "frontend-stuff.com";
        set $backend "backend.com";

        location /api {
            ## if your api backend starts at / rather than /api you'd rewrite away the /api path
            # rewrite ^/api/(.*) /$1 break;
            # Append the connecting client to any existing X-Forwarded-For chain
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # X-Real-IP carries the single address that connected to nginx
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $backend;
            proxy_pass http://$backend;
            break;
        }

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $frontend;
            proxy_pass http://$frontend;
            break;
        }
    }
The variables stop nginx hitting an 'emerg' (fatal error) if a host falls down in the background between reloads; it can also be helpful with services where the frontend has a large IP range like CloudFront etc.
In the case of your frontend, if you're calling something like CloudFront you'd need to force TLS 1.2:
    proxy_ssl_protocols TLSv1.2;
    proxy_ssl_server_name on;
X-Forwarded-Proto https is needed if the backend app is returning paths (.net apps use this to set paths to https etc)
I am wondering if it is correct to send the request directly from the front to the api address or if it is correct to send the request to the nginx address?
It's best to proxy all your requests for an application via the same site config for multiple reasons, such as...
Combined logging (easier to debug)
Simpler to secure (set CSP and unified security headers across site)
Easier to handle CORS for any frontend related activities (ajax/xhrf)
If you provide a bit more info I can probably pad this out
It is best practice to always query the Nginx endpoint and not the specific port. By directly querying the specific api port, you are completely bypassing the server routing service and could therefore accidentally overload your api endpoint if not careful.
By routing everything through the Nginx server, you ensure that your api service remains healthy and works as expected.

302 redirect with domain if not authenticated

My ASP.NET application redirects me to the login page whenever I am not authenticated.
The problem is that the response header location is ://mydomain.com/login but I want it to be /login only.
I'm using a reverse proxy and the domain name is rewritten with the machine name. The result is that when you ask for ://mydomain.com/ the redirection is ://machinename/login.
I do not want the machine name to be public.
Is there a setting that I can change to resolve this issue?
Your question is about how to get the real outer host within ASP.NET Core:
Customers only know about ://mydomain.com. And your reverse proxy forwards requests to ://machinename (ASP.NET Core Website).
Not sure how your reverse proxy works. But it's much better to configure your proxy to set the host automatically, e.g. configuration for nginx:
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
and register a middleware to deal with the forwarded host in your Startup.cs.
    // Requires: using Microsoft.AspNetCore.HttpOverrides;
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });
This way, ASP.NET Core will be able to determine the real host/port/scheme, etc.

ASP.NET MVC load balancing with nginx. Auth is lost after changing backend destination

I have an ASP.NET MVC app on IIS.
When I deploy a new version of the code, my application doesn't respond to requests for 10 seconds to a few minutes. It's bad.
(Maybe you know how to solve it more easily?)
I put nginx in front of IIS and set it to proxy all requests to the IIS app. Then I made a new app with the same code in IIS (1.dev and 2.dev). Nginx sends requests to both apps by round robin.
All are working, but auth is lost after one correct request. The second response is received with an auth error. I checked how forms auth in MVC makes auth cookies and found that .ASPXAUTH is the encrypted login with machineKey as the key.
I generated a machineKey and set it on both apps. When I set the .ASPXAUTH cookie from one app (1.dev.domain.ru) on the second app (2.dev.domain.ru) with an expiry date, all works well.
But dev.domain.com still does not work.
What am I doing wrong?
PS: In each IIS app Bindings has:
X.dev.domain.ru
dev.domain.ru
where X - 1 or 2.
nginx config - proxy_pass to upstream and contains these parameters:
    location / {
        proxy_pass http://dev;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }
I overcame this problem.
I had a WebSecurity.Logout() operation in the code if User.UserInRole(..) was processed with an exception.
I commented out this line and everything is working well now.

reverse proxy legacy server so requests for /style go to correct server

We have a large number of very old legacy servers we're trying to put a proxy & firewall in front of. Due to the large number, we're trying to avoid having to change each server's code and make changes purely from the proxy if at all possible. We have a proxy which routes to a server based off of the URL, so a request to http://proxy/server1/... would be sent to http://server1/...
Our problem is that the code on the servers will make requests for elements at /style and /image etc. These end up as requests to http://proxy/style instead of http://server1/style. We don't know which server to route this request to since the server1 part of the URL is stripped off.
We have the following location in nginx:
    location /foo {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://server;
        proxy_redirect off;
    }
We have two types of legacy servers, one using java servlets and doing most work serverside and one doing a combination of javascript and PHP (did I mention these were old?)
Is there a way to properly redirect these requests, including requests for other resources?

404s on AWS deployed MEAN app

I have a MEAN.io application deployed to AWS EC2. It's running via Nginx proxy pass on port 8087; the config is as follows:
    location /myapp/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://0.0.0.0:8087/;
    }
The problem I have is that in the browser some POST/PUT requests sent via AJAX are returning 404 errors and the default nginx error page. Those requests are not even making it through to the Node.js server, as I can see in the logs that they are not recorded. There is definitely a route provided for those requests, as the app works totally fine on localhost. The same POST/PUT requests seem to work fine when queried directly using 'curl' in the console.
I am not an nginx / AWS expert, so I wanted to ask a simple question - is there any way nginx could be caching those requests, and why would they return a different HTTP code when queried from 'curl' or via AJAX in the browser?
I think you have a problem with the way you have configured your nginx server; please check the following rules for nginx: URL rewriting, public folder, and static content.
