I'm trying to use Nginx as a reverse proxy in and centos 6.9_64 environment where clients connects to my server (http://www.51ti.vip).
Nginx will forward all requests to other backend server. The communication is working on port 80.
However, once proxy_set_header XXXXX is set, it will appear 403 when accessed.
There is no relevant error information in /var/log/nginx/error.log.
Where's the problem?
Page 403 Forbidden
You don't have permission to access the URL on this server.
Note:
OS System: CentOS 6.9_64
Nginx version 1.10.2
Config:
/etc/nginx/nginx.conf as follows:
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/default.conf as follows:
server {
listen 80 default_server;
server_name 47.75.249.199 "";
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://sq.otherserver.com;
#Proxy Settings
proxy_redirect off;
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
The original problem was caused by "proxy_set_header Host $host",
there's no problem whith proxy_set_header X-Real-IP and proxy_set_header X-Forwarded-For.
But still don't understand why?
Nginx: when to use proxy_set_header Host $host vs $proxy_host
Module ngx_http_proxy_module
Related
I am very newbie on NGINX.
In my project, the server is defined in both etc/nginx/nginx.conf and etc/nginx/conf.d/proxy.conf. And etc/nginx/conf.d/proxy.conf is included in nginx.conf
I am not understand the relationship the server's setting in these two files. ex. In nginx.conf, server's setting is listen 80 ; listen [::]:80 ; and in proxy.conf, server's setting is listen 80 proxy_protocol.
In above example, which setting will be used in real communication?
Does the server's setting of proxy.conf overwrite the server's setting of nginx.conf?
or the server's setting of proxy.conf will be merged into server's setting of nginx.conf?
Please find the full conf files as below:
etc/nginx/conf.d/proxy.conf
content: |
client_max_body_size 500M;
server_names_hash_bucket_size 128;
upstream backend {
server unix:///var/run/puma/my_app.sock;
}
server {
listen 80 proxy_protocol;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
large_client_header_buffers 8 32k;
set_real_ip_from 10.0.0.0/8;
real_ip_header proxy_protocol;
location / {
proxy_http_version 1.1;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_buffers 8 32k;
proxy_buffer_size 64k;
proxy_pass http://backend;
proxy_redirect off;
Enables WebSocket support
location /v1/cable {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
}
}
}
etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 ;
listen [::]:80 ;
server_name localhost;
root /usr/share/nginx/html;
location / {
}
}
}
Nginx selects a server block to process a request based on the values of the listen and server_name directives.
If a matching server name cannot be found, the default server for that port will be used.
In the configuration in your question, the server block in proxy.conf is encountered first, so it becomes the de-facto default server for port 80.
The server block in nginx.conf will only match requests which use the correct host name, i.e. http://localhost
See this document for details.
I have an html web server running on my EC2 instance on port 80 (HTTP). I'm using Nginx as a reverse proxy (which is also installed on the instance) to redirect requests from port 8080 based on the path ('/blue') to my HTML web server. So I'm requesting HTTP://ec2_instance_dns:8080/blue and expect to redirect to HTTP://ec2_instance_dns:80.
However, I'm having issues redirecting the request based on the path variable. My /etc/nginx/conf.d/deafult.conf attached below:
server {
listen 8080;
server_name default;
client_max_body_size 32M;
underscores_in_headers on;
root /var/www/html/index.html;
location /blue {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_read_timeout 120;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 90;
proxy_pass http://localhost:80;
}
}
My /etc/nginx/nginx.conf attached bellow:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
listen [::]:8080;
server_name localhost;
root /var/www/html/index.html;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
When trying to request HTTP://ec2_instance_dns:8080/blue I'm getting the above error:
What further configuration should I do? Thank you.
My frontend is a static site served at location /, while my backend is a REST API at location /core/. I've configured nginx.conf to reverse proxy the backend, but according to the logs, it's attempting to serve it as a static site.
2018/12/17 08:47:32 [error] 6#6: *12 open() "/usr/share/nginx/html/core/v1/api/user/login" failed (2: No such file or directory)
Here is my nginx.conf:
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name _;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
root /usr/share/nginx/html;
location ^~ /core/ {
proxy_pass http://my-named-backend:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Real-IP $remote_addr;
}
location / {
# Nothing to put here since the dist/ files are
# /usr/share/nginx/html is automatically served.
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
What's happening, and how can this be fixed?
I am trying to make nginx have two functions like fiddler does:
1、Redirect requests from data.abc.com to 127.0.0.1:9000
2、Pass all other requests to their original servers
my nginx.conf is:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 8008;
server_name data.abc.com;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass https://127.0.0.1:9000/;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
However, right now every request via port 8008 is redirected, it seems like server_name doesn't work, how to make other requests go to original server?
Your configuration is to redirect all request to https://127.0.0.1:9000
Add 2 different server block like follows
1) Redirect data.abc.com to https://127.0.0.1:9000
server {
listen 8008;
server_name data.abc.com;
return 301 https://127.0.0.1:9000$request_uri
}
2) Serve request for another website:
server {
listen 8008 default_server;;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
}
I need to install a uWSGI app and Kibana4 / elastic search stack on the same server. The uwsgi app only needs to be used when a user accesses the server via [server_IP]/charts/ and I'd like Kibana4 to be accessed via [Server_IP].
Both listen on port 80 via their own separate conf files and, predictably, the uwsgi app doesn't allow for Kibana4 to receive requests.
How would I adjust my conf files to allow the access I need? I'm a bit confused as to what I need to use (rewrite, redirect, something else?)
Thanks for your time
nginx_conf_for_uwsgi:
server {
server_name 192.168.250.37;
listen 80;
root /usr/local/wsgi;
access_log /var/log/nginx/graph_server/access.log;
error_log /var/log/nginx/graph_server/error.log;
client_max_body_size 500M;
proxy_read_timeout 600;
location / {
include uwsgi_params;
uwsgi_pass 192.168.250.37:9091;
uwsgi_read_timeout 600;
}
}
kibana4.conf:
server {
listen 80;
server_name 192.168.250.37;
#auth_basic "Restricted Access";
#auth_basic_user_file /etc/nginx/htpasswd.users;
location / {
proxy_pass http://192.168.250.37:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
nginx.conf:
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
index index.html index.htm;
# Increase header buffer size (needed for PHP)
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# Update the logs to display the real IP address after removing the IP for
# the load balancers
set_real_ip_from redacted; # a
set_real_ip_from redacted; # b
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Custom logger to display the subdomain folder (if applicable)
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format log_thing '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_for" sub:"$subdomain"';
log_format i_server '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'filename:"$http_filename"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
server_name localhost;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
One way is to use nginx as a reverse proxy which is effectively what you are doing already. This way you have one nginx virtual host listening on port 80 which forwards different locations to separate nginx vhosts listening on different ports on your system.
You nginx reverse proxy vhost would look something like this, the 3 proxy_set_header lines can be moved to the server block if all locations work with them
server {
listen 80;
server_name 192.168.250.37;
port_in_redirect off
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /charts {
proxy_pass http://127.0.0.1:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Then change you Kibanaconf to listen on port 8081 and uwsgi to listen on 8082
Alternatively you can combine the two vhosts into one and will need to set custom aliases for the root folders under each location and rearrange.
server {
listen 80;
server_name 192.168.250.37;
root /usr/local/wsgi;
client_max_body_size 500M;
proxy_read_timeout 600;
#auth_basic "Restricted Access";
#auth_basic_user_file /etc/nginx/htpasswd.users;
location / {
proxy_pass http://192.168.250.37:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /charts {
include uwsgi_params;
uwsgi_pass 192.168.250.37:9091;
uwsgi_read_timeout 600;
}
}