Iframe 401 Unauthorized NGINX 3CX - nginx

I would like to embed the 3CX webclient in an iframe on my website. The iframe works fine on Firefox and Internet Explorer but doesn't work on Chrome (the iframe appears but I can't log in). When I open the console in Chrome the error is:
"Failed to load resource: the server responded with a status of 401 (Unauthorized)".
When I go to the Network tab, an XHR request is shown in red; here is the capture of its header error:
I own every file on this 3CX server. As you can see, 3CX uses Nginx; this is the Nginx configuration file:
# Main (core) context of the nginx bundled with 3CX. The paths and the "nul"
# log target further down are Windows-style, so this runs on a Windows host.
#user nobody;
# One worker process per CPU core.
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
# Maximum simultaneous connections per worker process.
worker_connections 10240;
}
http {
# http-level settings shared by both server blocks below.
# WebSocket pass-through helper: when the client sends an Upgrade header, the
# proxied request carries "Connection: upgrade"; otherwise it carries whatever
# Connection header the client sent ($http_connection).
map $http_upgrade $connection_upgrade {
default upgrade;
'' $http_connection;
}
include mime.types;
default_type application/octet-stream;
# Per-client rate limiting is defined but disabled (commented out).
#limit_req_zone $binary_remote_addr zone=perip:50m rate=1000r/s;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# No http-level access log; both server blocks below also set access_log off,
# so this instance keeps no request log at all.
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# Plain-HTTP listener on port 5000; the TLS listener on 5001 below is a near copy.
server {
# A server-level add_header is inherited only by locations that define NO
# add_header of their own (nginx rule). So this reaches the proxied app, /MyPhone
# and /management/Reports, but not the /user_images, /webclient/* and index.html
# locations below. It only governs whether a browser renders the frame; it cannot
# produce the 401 seen on the XHR in the question.
add_header X-Frame-Options "SAMEORIGIN";
listen 5000;
listen [::]:5000;
server_name gesika.3cx.fr;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# Nothing is logged from this server: access log off, and "nul" is the Windows
# null device, so even crit-level errors are discarded.
access_log off;
error_log nul crit;
# Source-address filter, evaluated in order: private IPv4 ranges and loopback are
# allowed, everything else over IPv4 is denied. NOTE(review): `allow ::0/0` matches
# every IPv6 source, so any client arriving on the [::]:5000 listener passes the
# filter — confirm that is intended.
allow 192.168.0.0/16;
allow 172.16.0.0/12;
allow 10.0.0.0/8;
allow 127.0.0.1;
allow ::0/0;
deny all;
client_max_body_size 300m;
# Uploaded user images: one-year public caching, served from disk.
location /user_images {
expires 1y;
add_header Pragma public;
add_header Cache-Control "public";
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Webclient static assets (regex location): one-year public caching.
location ~ /webclient/.*\.(js|css|woff|woff2|json|mp3)$ {
expires 1y;
add_header Pragma public;
add_header Cache-Control "public";
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Any URI ending in index.html — including the internal redirect produced by
# `index index.html` in location / — lands here and is never cached. Because this
# location has its own add_header lines, the server-level X-Frame-Options is NOT
# sent with the entry page.
location ~ index\.html {
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma no-cache;
expires 0;
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Static files first; anything missing on disk falls back to the named proxy
# location. NOTE(review): `#proxy` is almost certainly the named location `@proxy`
# mangled on paste — `#` starts a comment in nginx, so the line would not parse
# as written. Read `#proxy` as `@proxy` throughout this file.
location / {
index index.html;
root C:/ProgramData/3CX/Data/Http/wwwroot;
try_files $uri $uri/ #proxy;
}
# Legacy MyPhone interface, same disk-then-proxy fallback.
location /MyPhone {
alias C:/ProgramData/3CX/Instance1/Data/Http/Interface/MyPhone;
try_files $uri $uri/ #proxy;
}
# Named location (read as @proxy): forwards to the 3CX web service on
# 127.0.0.1:5004, passing the WebSocket upgrade headers (via the
# $connection_upgrade map) and the client address; buffering off for streaming.
location #proxy {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:5004;
proxy_buffering off;
}
# Generated reports are served straight from disk.
location /management/Reports {
alias "C:/ProgramData/3CX/Instance1/Data/Http/Reports";
}
}
# TLS listener on port 5001; the locations mirror the port-5000 server above.
server {
# Inherited only by locations with no add_header of their own (nginx rule): sent
# on proxied, /MyPhone and /management/Reports responses, not on the static,
# /webclient/* or index.html locations below. It only controls frame rendering and
# is unrelated to the 401 on the XHR.
add_header X-Frame-Options "SAMEORIGIN";
listen 5001 ssl;
listen [::]:5001 ssl;
server_name gesika.3cx.fr;
server_tokens off;
# No access log; "nul" is the Windows null device, so errors are discarded too.
access_log off;
error_log nul crit;
# DH parameters for the DHE suites in ssl_ciphers.
ssl_dhparam Instance1/dhparam.pem;
# TLS session resumption: 60 MB shared cache, sessions reusable for a day.
ssl_session_cache shared:SSL:60m;
ssl_session_timeout 1d;
# OCSP stapling with response verification. NOTE(review): no ssl_trusted_certificate
# is set, which nginx needs for the verification step — check that a stapled
# response is actually delivered (e.g. `openssl s_client -status`).
ssl_stapling on;
ssl_stapling_verify on;
# HSTS, roughly six months. Same add_header inheritance rule as above: this header
# is not emitted by the static, /webclient/* or index.html locations.
add_header Strict-Transport-Security max-age=15768000;
ssl_certificate Instance1/gesika.3cx.fr-crt.pem;
ssl_certificate_key Instance1/gesika.3cx.fr-key.pem;
# NOTE(review): no ssl_protocols directive, so the nginx build default applies
# (older builds still enable TLS 1.0/1.1). The list below also keeps
# non-forward-secret suites (AES128-SHA, AES256-SHA, ...) and CAMELLIA; with
# ssl_prefer_server_ciphers the ECDHE-GCM suites are at least offered first.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
client_max_body_size 300m;
# Uploaded user images: one-year public caching, served from disk.
location /user_images {
expires 1y;
add_header Pragma public;
add_header Cache-Control "public";
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Webclient static assets (regex location): one-year public caching.
location ~ /webclient/.*\.(js|css|woff|woff2|json|mp3)$ {
expires 1y;
add_header Pragma public;
add_header Cache-Control "public";
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Entry page (also reached via the internal redirect from `index index.html`):
# never cached, and — having its own add_header lines — sent without the
# server-level X-Frame-Options and HSTS headers.
location ~ index\.html {
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma no-cache;
expires 0;
root "C:/ProgramData/3CX/Data/Http/wwwroot";
}
# Disk first, then the named proxy location. NOTE(review): `#proxy` is almost
# certainly `@proxy` mangled on paste (`#` starts a comment in nginx).
location / {
index index.html;
root "C:/ProgramData/3CX/Data/Http/wwwroot";
try_files $uri $uri/ #proxy;
}
location /MyPhone {
alias "C:/ProgramData/3CX/Instance1/Data/Http/Interface/MyPhone";
try_files $uri $uri/ #proxy;
}
# Named location (read as @proxy): 3CX web service on 127.0.0.1:5004 over plain
# HTTP, with WebSocket upgrade headers and client address forwarded.
location #proxy {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:5004;
proxy_buffering off;
}
location /management/Reports {
alias "C:/ProgramData/3CX/Instance1/Data/Http/Reports";
}
}
}
As you can see there is add_header X-Frame-Options "SAMEORIGIN";. I have deleted this line. I also tried replacing it with add_header X-Frame-Options "ALLOW-FROM *"; but it still doesn't work. I did not forget to reload the server.
I also tried adding this to the config file:
# NOTE(review): this only matches font requests, so the header is never attached
# to the XHR that fails with 401 (the console error above). A 401 also means the
# request reached the backend and was rejected as unauthenticated — something
# neither CORS nor X-Frame-Options headers change. Worth checking whether the
# session cookie is actually sent on that request from inside a cross-site frame
# (Chrome's SameSite cookie defaults differ from Firefox's).
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
}
My iframe works on Chrome when I create the page on the same domain as the 3CX server, so the problem seems to be about cross-origin requests (CORS).
Thank you in advance to anyone who may be able to help me fix this problem.

Change the shared header settings in the 3CX nginx conf folder.
There are a few parameters there, such as the X-Frame-Options and frame-ancestor settings; either put your website's domain in them or remove them so that any site is allowed to embed the page.

Related

wordpress url without /<file>.php redirect to local proxy_pass docker container hostname on nginx

I have successfully set up a WordPress site running on a dockerized nginx. When the site is up and running, I can go to the home page https://my_domain.com or to links under wp-admin/... (after logging in at /wp-login.php, which is accessible) without any problem.
But when I go to https://my_domain.com/sample-page or https://my_domain.com/post-id or /wp-admin (if not logged in), it immediately redirects to the proxy_pass target http://wordpress_host:80 (set in the nginx config file), which cannot be right; the client's browser should stay on https://my_domain.com/post-id.
With the route /wp-admin/ before logging in: if I append index.php (i.e. /wp-admin/index.php) it works, while without it, it doesn't.
Here is my nginx config:
# Port-80 listener: redirect everything to HTTPS on the bare domain, keeping
# the original path and query string.
server {
listen 80;
listen [::]:80;
server_name my_domain.com www.my_domain.com;
location / {
# Note the target is the bare domain, while wp-config.php below uses www.
return 301 https://my_domain.com$request_uri;
}
}
# HTTPS front end: terminates TLS and reverse-proxies to the WordPress container.
server {
listen 443 ssl http2;
server_name my_domain.com www.my_domain.com;
# Redundant with `listen 443 ssl` (the `ssl` directive is deprecated since 1.15).
ssl on;
server_tokens off;
ssl_certificate /etc/nginx/ssl/live/my_domain.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/my_domain.com/privkey.pem;
ssl_dhparam /etc/nginx/dhparam/dhparam-2048.pem;
ssl_buffer_size 8k;
# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); unless legacy clients
# are required, `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the build supports it)
# is the usual choice.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
# NOTE(review): DH+3DES keeps 3DES suites enabled (64-bit block cipher); they are
# only needed for very old clients.
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Security headers, sent on every status (`always`). They are inherited by the
# locations below because none of them defines its own add_header.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# `default-src *` together with 'unsafe-inline' and 'unsafe-eval' allows scripts
# from any origin, so this policy provides essentially no XSS mitigation; it only
# records intent until it is tightened.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
# Everything that is not a .php URI: try the local filesystem, then proxy.
# NOTE(review): no `proxy_set_header Host $host;` here, so WordPress sees Host
# "wordpress_host:80" and builds its own redirects from it. proxy_redirect only
# rewrites Location values starting with exactly that string, and because the
# replacement ends in "/" a rewritten "http://wordpress_host:80/x" becomes
# "https://my_domain.com//x". proxy_cookie_domain expects a domain, not a URL, so
# the "http://..." value never matches a cookie.
location / {
try_files $uri $uri/ /index.php$is_args$args;
proxy_pass http://wordpress_host:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://wordpress_host:80 https://my_domain.com/;
proxy_cookie_domain http://wordpress_host:80 my_domain.com;
proxy_set_header X-Forwarded-Proto https;
}
# .php URIs: the request is proxied (proxy_pass), so the fastcgi_* directives
# in this block have no effect. `try_files $uri =404` checks for the file on the
# nginx host's disk (no root is set in this server) before proxying.
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
proxy_pass http://wordpress_host:80;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http://wordpress_host:80 https://my_domain.com/;
proxy_cookie_domain http://wordpress_host:80 my_domain.com;
proxy_set_header X-Forwarded-Proto https;
}
# Never serve Apache dotfiles (.htaccess, .htpasswd).
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
# NOTE(review): no proxy_pass here, so these static extensions are served from
# nginx's local root (unset in this server), not from the WordPress container —
# confirm that theme assets actually load.
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}
I also configured this in wp-config.php:
// Force the admin area and login over HTTPS.
define('FORCE_SSL_ADMIN', true);
// TLS is terminated by nginx, so PHP sees plain HTTP; trust the X-Forwarded-Proto
// header that the nginx config sets. This is only safe while nginx is the sole
// path to the container, since a client could otherwise supply the header itself.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';
// NOTE(review): these use www.my_domain.com while the nginx redirects target the
// bare my_domain.com; a host mismatch like this may make WordPress redirect every
// request to its configured home — confirm the two agree.
define('WP_SITEURL', 'https://www.my_domain.com/');
define('WP_HOME', 'https://www.my_domain.com/');

How to cache NextJS 10.0 images using NGINX

We would like to launch a NextJS 10 app using NGINX so we use a configuration similar to:
# Serve Next's build output straight from disk with a one-year cache; safe as long
# as the files under /_next/static are content-hashed (presumably — TODO confirm).
location /_next/static/ {
alias /home/ec2-user/my-app/.next/static/;
expires 1y;
access_log on;
}
It works great — it caches our static files for a year — but since we use NextJS images, I'm failing to add an expires header to the on-the-fly resized images.
If I do:
# NOTE(review): /_next/image responses are produced on the fly by the Next server
# (the question itself calls them on-the-fly resized images), not written to a
# .next/image directory, so pointing an alias at disk yields 404. The expires
# header has to be applied to the proxied response instead.
location /_next/image/ {
alias /home/ec2-user/my-app/.next/image;
expires 1y;
access_log on;
}
It just returns a 404 on images.
Here is the server part of my NGINX config:
# Plain-HTTP front end for all subdomains, proxying to the Next server on :3000.
server {
listen 80;
server_name *.my-website.com;
# root /usr/share/nginx/html;
# root /home/ec2-user/my-app;
charset utf-8;
client_max_body_size 20M;
client_body_buffer_size 20M;
# Ten-minute proxy and send timeouts.
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
# Pass client headers containing underscores instead of silently dropping them.
underscores_in_headers on;
# Security headers on every status code; inherited by the locations below since
# none of them sets add_header of its own.
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin" always;
# robots.txt is fetched from the API host rather than served locally.
location = /robots.txt {
proxy_pass https://api.my-website.com/robots.txt;
}
# Build output from disk, cached for a year.
location /_next/static/ {
alias /home/ec2-user/my-app/.next/static/;
expires 1y;
access_log on;
}
location / {
# reverse proxy for merchant next server
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): "Connection: upgrade" is sent on every proxied request, not only
# on WebSocket upgrades; the usual idiom is a `map $http_upgrade $connection_upgrade`
# so ordinary keep-alive requests are not marked as upgrades.
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass_request_headers on;
proxy_cache_bypass $http_upgrade;
proxy_buffering off;
}
}
Here is an example of how you can rely on the upstream Content-Type header to set the Expires and Cache-Control headers:
# Pick an Expires value from the proxied response's Content-Type: one year for
# any image/* type, otherwise no caching headers ("off"). $upstream_http_* is
# populated once the upstream response headers arrive, which is why this can be
# used with proxy_pass.
map $upstream_http_content_type $expire {
~^image/ 1y; # 'image/*' content type
default off;
}
# The "..." lines stand for the unchanged parts of the server block from the question.
server {
...
location / {
# reverse proxy for merchant next server
proxy_pass http://localhost:3000;
...
# `expires` accepts a variable; the map above yields "off" for non-image responses.
expires $expire;
}
}
In the same way you can tune the cache-control headers for any other content type of the proxied response. The $upstream_http_&lt;name&gt; nginx variable is described here.
Update
To add cache control headers only by specific URIs you can use two chained map blocks:
# First map of the chain: one year for /_next/image/ URIs, "off" for everything else.
map $uri $expire_by_uri {
~^/_next/image/ 1y;
default off;
}
# Second map: apply the URI-based value only when the upstream actually returned
# an image/* Content-Type, so non-image responses under /_next/image/ get no
# Expires header.
map $upstream_http_content_type $expire {
~^image/ $expire_by_uri;
default off;
}
And if you don't expect anything but images from the /_next/image/... URIs, you can just use a single map:
# URI-only variant: one year for /_next/image/ regardless of Content-Type.
map $uri $expire {
~^/_next/image/ 1y;
default off;
}

Set reverse proxy for multiple websites with same ip and different ports on nginx

I have 2 websites running on the same IP but on different ports.
1st website : xxx.yy.zz.aaa:8443
2nd website : xxx.yy.zz.aaa:8444
I am setting up a reverse proxy on nginx, but it doesn't seem to work correctly.
Any idea how to fix my configuration?
My conf file /etc/nginx/nginx.conf
# Main (core) context: worker user, one worker per core, standard log/pid paths.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
# http-level defaults: combined-style access log, sendfile, keep-alive.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
# NOTE(review): any server block in conf.d that also listens on 80/443 is loaded
# before the ones below and may become the default server for unmatched hosts.
include /etc/nginx/conf.d/*.conf;
# website1.com over plain HTTP: serve ACME challenges from disk, redirect the rest.
server {
listen 80;
listen [::]:80;
server_name website1.com;
# Load configuration files for the default server block.
#include /etc/nginx/nginx.conf.default;
#include snippets/letsencrypt.conf;
# ^~ : prefix match that stops regex locations from being considered.
location ^~/.well-known/acme-challenge/ {
#allow all;
root /usr/local/tomcat/webapps/ROOT;
}
location / {
return 301 https://website1.com$request_uri;
}
# NOTE(review): error_page names /404.html but the location below is /40x.html,
# so the custom page is never served by this block (every request other than
# the ACME challenge is redirected anyway).
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# website2.com over plain HTTP: IPv4 only (no [::]:80 listener), redirect to HTTPS.
server{
listen 80;
server_name website2.com;
location / {
return 301 https://website2.com$request_uri;
}
}
# Settings for a TLS enabled server.
#
# website1.com over HTTPS: CORS handling inside `if` blocks, then a WebSocket-capable
# proxy to the first site on loopback port 8443.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name website1.com;
root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/website1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website1.com/privkey.pem;
location / {
# Preflight: answer 204 with the CORS headers and never reach the proxy.
# NOTE(review): Access-Control-Allow-Origin reflects $http_origin while
# Access-Control-Allow-Credentials is true, which lets any website make
# credentialed cross-origin requests to this origin and read the responses.
# Restrict it to an allowlist of trusted origins (a map on $http_origin is the
# usual way) instead of echoing whatever the client sends. The same reflection is
# repeated in the GET and POST blocks below.
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Headers Content-Type,Authorization,X-Requested-With,X-HTTP-Method-Override,X-Simplicite-Authorization;
add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,HEAD,OPTIONS;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type text/plain;
add_header Content-Length 0;
return 204;
}
# Headers set inside an `if` replace, rather than merge with, any add_header
# defined at the enclosing level for that request (nginx inheritance rule).
if ($request_method = 'GET') {
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Credentials true always;
add_header Access-Control-Expose-Headers X-Simplicite-SessionID;
}
if ($request_method = 'POST') {
add_header Access-Control-Allow-Origin $http_origin always;
# The next line was collapsed on paste: it ends the POST block and starts the
# proxy settings with `proxy_redirect off;`.
add_header Access-Control-Allow-Credentials true always; add_header Access-Control-Expose-Headers X-Simplicite-SessionID; } proxy_redirect off;
proxy_buffering off;
# 24-hour read/send timeouts, for long-lived (WebSocket) connections.
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# Plain HTTP to the backend despite the 8443 port (the sites appear to run on
# this same host, hence localhost).
proxy_pass http://localhost:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# website2.com over HTTPS. NOTE(review): unlike the website1.com server, this block
# has no ssl_certificate/ssl_certificate_key — nginx refuses an ssl listener without
# one unless ssl_reject_handshake is used — and it passes no Host or X-Forwarded-*
# headers to the backend. Either is a likely reason the second site "doesn't work".
server{
listen 443 ssl http2;
server_name website2.com;
location / {
proxy_pass http://localhost:8444;
}
}
}

Reverse proxy to port 8069 on Engintron issues while it works on standard NGINX setup

I have an Odoo app running on port 8069. This setup worked fine on my old server, but my new server uses Engintron, which seems to handle vhosts differently. The standout issue is that the location / block in common_http.conf duplicates the vhost needed to run the app, and it is part of the automatically generated config that gets overwritten whenever a cPanel account is created or deleted, or when Engintron is updated.
What would be the correct way of setting this up properly within Engintron?
common_http.conf
# Engintron's shared default location: serve from disk, otherwise hand off to a
# named location. NOTE(review): `#backend` is almost certainly `@backend` mangled
# on paste — `#` starts a comment in nginx, so this line would not parse as written.
location / {
try_files $uri $uri/ #backend;
}
# This location / ends up getting included in the custom
# vhost which is needed for all of the sites except this Odoo app.
custom_vhost.com.conf
# Odoo web process on loopback port 8069 (no retry back-off: fail_timeout=0).
upstream example{
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
# Odoo longpolling/chat process on loopback port 8072 (used by /longpolling below).
upstream example-chat {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
# delegates.example.com over HTTP: redirect to HTTPS, keeping path and query.
# NOTE(review): only [::]:80 is bound; nginx defaults to ipv6only=on, so IPv4
# clients reach this block only if something else (presumably Engintron's own
# defaults) listens on 0.0.0.0:80 — confirm.
server {
listen [::]:80;
server_name delegates.example.com;
return 301 https://delegates.example.com$request_uri;
}
# vendors.example.com over HTTP: redirect to HTTPS, keeping path and query.
server {
listen [::]:80;
server_name vendors.example.com;
return 301 https://vendors.example.com$request_uri;
}
# Bare domain over HTTP: redirect to the HTTPS root. Unlike the two blocks above
# this drops $request_uri, so deep links land on the home page.
server {
listen [::]:80;
server_name example.com;
return 301 https://example.com;
}
# Catch-all for any other subdomain over HTTP: redirect to the HTTPS root
# (path dropped).
server {
listen [::]:80;
server_name *.example.com;
return 301 https://example.com;
}
# pgAdmin over HTTPS, proxied from loopback port 5050.
server {
listen [::]:443 ssl;
server_name pgadmin.example.com;
# well-known_start
location ^~ /.well-known {
add_header Host-Header 192fc2e7e50945beb8231a492d6a8024;
root /home/example/public_html;
}
# well-known_end
# cPanel "combined" file holds both the certificate chain and the key.
ssl_certificate /var/cpanel/ssl/apache_tls/*.example.com/combined;
ssl_certificate_key /var/cpanel/ssl/apache_tls/*.example.com/combined;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Content-Type-Options nosniff;
# NOTE(review): a server-wide "Cache-Control: public" on an authenticated admin
# tool is risky if any shared cache sits in front of nginx — confirm it is wanted.
add_header Cache-Control public;
# NOTE(review): `deny all` makes every request here a 403, so the proxy directives
# that follow are never reached. If pgAdmin should be reachable from some networks,
# the usual form is one or more `allow <range>;` lines before `deny all;`.
location / {
deny all;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:5050;
}
}
# Bare and www domain over HTTPS: redirect to the root (path dropped).
server {
listen [::]:443 ssl;
server_name example.com www.example.com;
return 301 https://example.com;
}
# Odoo front end for the vendors and delegates hosts over HTTPS/HTTP2.
server {
listen [::]:443 ssl http2;
server_name vendors.example.com delegates.example.com;
client_max_body_size 200m;
# 12-minute proxy timeouts for long Odoo requests.
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Retry conditions; each upstream above has a single server, so there is no
# second server to fall over to.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
# Server-level proxy headers; inherited by the locations below since none of
# them sets proxy_set_header of its own.
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-NginX-Proxy true;
#proxy_set_header X-Odoo-dbfilter ^%d\Z;
proxy_redirect off;
proxy_buffering off;
# well-known_start
location ^~ /.well-known {
add_header Host-Header 192fc2e7e50945beb8231a492d6a8024;
root /home/example/public_html;
}
# well-known_end
ssl_certificate /var/cpanel/ssl/apache_tls/*.example.com/combined;
ssl_certificate_key /var/cpanel/ssl/apache_tls/*.example.com/combined;
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# adds gzip options
gzip on;
gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/x-json;
# Compress proxied responses that carry these Cache-Control/Authorization markers.
gzip_proxied no-store no-cache private expired auth;
#gzip_min_length 1000;
gzip_disable "MSIE [1-6]\.";
# Odoo longpolling goes to the separate chat process (port 8072).
location /longpolling {
proxy_pass http://example-chat;
}
# Static assets. NOTE(review): proxy_cache_valid has no effect without a
# proxy_cache zone, and gzip_static only serves pre-compressed files from disk,
# so neither changes what this proxied location returns.
location ~* /web/static/ {
gzip_static on;
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
add_header Cache-Control public;
proxy_pass http://example;
}
# Default: proxy to Odoo; a 403 becomes a redirect to the main site.
location / {
error_page 403 = https://example.com;
proxy_pass http://example;
proxy_redirect off;
gzip_static on;
}
# The above location becomes a duplicate of the previous default location - which in turn fails the validity of the configuration.
location ~* /web/content/ {
gzip_static on;
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
add_header Cache-Control public;
proxy_pass http://example;
}
# Odoo's database manager is blocked for everyone; the resulting 403 is turned
# into a redirect, so proxy_pass here is never reached.
location /web/database/manager {
deny all;
error_page 403 https://example.com;
proxy_pass http://example;
}
}
Since the conf files are included in alphabetical order, and any conflicting or duplicate settings are ignored, I ended up renaming the file so that it is included before the others. I also made the file immutable with the following command:
# +i makes the file immutable and +a append-only, so Engintron's regeneration can
# no longer replace it — but neither can you until `chattr -ai` is run (needs root).
chattr +ai 1_custom_vhost.com.conf
I'm quite sure this is not a graceful solution, but it does the job for now.

Trying to add another location directive in an nginx server with proxy cache

I have a website with a couple of pages and images, and I have set up an nginx server to handle it. When I add a location directive to handle the images, the entire website no longer shows up and looks broken.
The website looks perfect when the bottom of my nginx file looks like this:
# Exact match: serve favicon from disk quietly (no access log, no 404 noise).
location = /favicon.ico {
access_log off;
log_not_found off;
}
# Exact match: robots.txt is always allowed and not logged.
location = /robots.txt {
allow all;
access_log off;
log_not_found off;
}
# Deny every dotfile and dot-directory (.git, .env, .htaccess, ...).
location ~ /\. {
deny all;
}
#location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
# proxy_cache sinuscache;
# add_header Pragma public;
# add_header Cache-Control "public";
# expires 1d;
# log_not_found off;
#}
# Block backup, config, dump and source-file extensions. The add_header and expires
# lines below never take effect: `deny all` produces a 403, and add_header without
# `always` only applies to 2xx/3xx responses.
location ~* (\.bak|\.off|\.config|\.exe|\.sql|\.fla|\.psd|\.ini|\.log|\.sh|\.inc|\.swp|\.dist)$ {
deny all;
add_header Pragma public;
add_header Cache-Control "public";
expires -1d;
access_log off;
}
# Everything else: apply the IP denylist, then proxy to the app on loopback:9099
# with caching. denyips.conf is included per location, so any new location that
# proxies must include it too or it bypasses the denylist.
location / {
include /etc/nginx/sites-settings/denyips.conf;
proxy_pass http://127.0.0.1:9099;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_cache sinuscache;
}
}
When I un-comment
#location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
# proxy_cache sinuscache;
# add_header Pragma public;
# add_header Cache-Control "public";
# expires 1d;
# log_not_found off;
#}
The website breaks. If I do a
# Checks syntax and directive validity only; a config can pass and still route
# requests to a location that lacks proxy_pass.
service nginx configtest
I receive no errors.
The new location block is incomplete — at a minimum you will want to include proxy_pass http://127.0.0.1:9099; and probably many of the other statements from the location / block. See how nginx processes a request.
Some of the statements can be placed in the server block to avoid repetition. For example:
# Moved to server context so both locations inherit them. proxy_set_header is
# inherited as a group only by locations that set none of their own; proxy_cache
# is inherited the same way.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_cache sinuscache;
# Default location: denylist, then proxy (headers and cache come from the server level).
location / {
include /etc/nginx/sites-settings/denyips.conf;
proxy_pass http://127.0.0.1:9099;
}
# Static assets: same denylist and proxy as location /, plus one-day public caching.
# Note that this regex location wins over the prefix `location /` for matching URIs,
# which is why it must repeat the include and proxy_pass.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
include /etc/nginx/sites-settings/denyips.conf;
proxy_pass http://127.0.0.1:9099;
add_header Pragma public;
add_header Cache-Control "public";
expires 1d;
log_not_found off;
}
