Trying to configure Team Foundation Server behind Nginx reverse proxy.
Also, I'm using a self-signed SSL Certificate.
Getting ERR_TOO_MANY_REDIRECTS
Here is my nginx configuration:
server {
    listen 80 default;
    server_name tfs.domain.com;
    return 301 https://$host$request_uri;
}
upstream tfs.domain.com {
    server 12.34.56.78:80; #local tfs address
    keepalive 16;
}
server {
    listen 443 ssl;
    server_name tfs.domain.com;
    ssl_certificate /etc/nginx/ssl/tfs.domain.com.pem;
    ssl_certificate_key /etc/nginx/ssl/tfs.domain.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://12.34.56.78:80; #local tfs address
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect http:// $scheme://;
    }
    access_log /var/log/nginx/tfs.domain.com/443-access.log;
    error_log /var/log/nginx/tfs.domain.com/443-error.log;
}
What am I doing wrong?
Just try to set the proxy_redirect explicitly:
e.g.:
proxy_redirect http://localhost:8080 https://tfs.domain.com;
You can refer to the article below to configure nginx (it should be similar for TFS):
How To Configure Nginx with SSL as a Reverse Proxy for Jenkins
And this thread may help: https://serverfault.com/questions/754351/what-is-a-correct-ways-to-allow-login-to-an-iis-site-through-a-reverse-proxy
Besides, you can refer to the articles below to troubleshoot the ERR_TOO_MANY_REDIRECTS issue:
How to Fix ERR_TOO_MANY_REDIRECTS on Your WordPress Site
How to Fix Err Too Many Redirects Error
Related
Is it possible to allow only users typing in xxxxxx.com (fictive), so they have to make a DNS lookup and connect, and block users who use my public IP to connect?
Configuration:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name xxxxxxx.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/jenkins.access.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://10.0.11.32:80;
        proxy_read_timeout 360;
        proxy_redirect http://10.0.11.32:80 https://xxxxxxx.com;
    }
}
The $http_host parameter is set to the value of the Host request header. nginx uses that value to select a server block. If a server block is not found, the default server is used, which is either marked as default_server or is the first server block encountered. See this documentation.
To force nginx to only accept named requests, use a catch all server block to reject anything else, for example:
server {
    listen 80 default_server;
    return 403;
}
server {
    listen 80;
    server_name www.example.com;
    ...
}
With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server block, in which case you will need to use an if directive to test the value of the $http_host value. See this and this for details.
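One way to check a configuration for the fallback behaviour this answer describes, as an added example that is not part of the original answer: for each `listen` value it finds the server block nginx uses when no `server_name` matches and reports the ones that proxy to a backend. The two configurations are constructed from the question's layout; the function names, the `ssl_reject_handshake` catch-all, and the simplified parsing (`listen` values compared as written, no `#` inside values) are assumptions of this example.

```python
import re

# Constructed sample modelled on the question: no block is marked default_server.
QUESTION_CONF = """
server { listen 80; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    server_name xxxxxxx.com;
    location / { proxy_pass http://10.0.11.32:80; }
}
"""
# Constructed fix: one catch-all block per listen value, as the answer suggests.
# ssl_reject_handshake (nginx 1.19.4+) refuses TLS for names no other block claims.
CATCH_ALL = """
server { listen 80 default_server; return 403; }
server { listen 443 ssl default_server; ssl_reject_handshake on; }
"""

def server_blocks(conf):
    """Yield the body of every server { ... } block, found by brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def fallback_blocks(conf):
    """Map each listen value to the block used when no server_name matches."""
    chosen = {}
    for body in server_blocks(conf):
        for args in re.findall(r"\blisten\s+([^;]+);", body):
            sock, *flags = args.split()
            explicit = "default_server" in flags
            # The first block wins unless a later one is explicitly marked default.
            if sock not in chosen or (explicit and not chosen[sock][0]):
                chosen[sock] = (explicit, body)
    return chosen

def exposed_listens(conf):
    """Listen values where an unmatched Host (e.g. the bare IP) reaches proxy_pass."""
    return sorted(s for s, (_, body) in fallback_blocks(conf).items()
                  if "proxy_pass" in body)

if __name__ == "__main__":
    print(exposed_listens(QUESTION_CONF))              # named vhost is the fallback on 443
    print(exposed_listens(QUESTION_CONF + CATCH_ALL))  # catch-all blocks take over
```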
I have installed nginx and a Jenkins server on CentOS. I want to connect to my Jenkins server over https, so I have configured a reverse proxy. But it's not working; I'm getting the following error
Below are my configuration values
File - /etc/nginx/sites-enabled/default
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name 134.68.44.235;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/jenkins.access.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:8080 https://134.68.44.235;
    }
}
File /etc/default/jenkins
JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpListenAddress=127.0.0.1 --httpPort=$HTTP_PORT -ajp13Port=$AJP_PORT"
Note: I am able to access the Jenkins site using http://134.68.44.235:8080
But I am not able to access it using https. I installed certificates and followed the steps from this article
I'm not sure what I'm missing. Anyone, kindly advise me on this.
This snippet below should work well, you'll have to edit the content sections to match the FQDN or IP you want Jenkins to serve the web UI, together with the valid SSL CERT path and SSL KEY path if you want to provide https.
upstream app_server {
    server 127.0.0.1:8080 fail_timeout=3;
}
server {
    listen 80;
    server_name <FQDN OR IP>;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443;
    server_name <FQDN OR IP>;
    ssl on;
    ssl_certificate /<PATH>/<TO>/<YOUR SSL CERT>;
    ssl_certificate_key /<PATH>/<TO>/<YOUR SSL KEY>;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Redirect any /* request to port 8080
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Headers' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range,Location';
        }
        proxy_redirect http:// https://;
        proxy_pass http://app_server;
    }
}
Nginx noob. Trying to configure Nginx to act as an SSL proxy server in front of another web server running at http://localhost:8082. That is, I want all requests to http://localhost to be redirected to https://localhost. That part is working just fine.
Problem is, the app on port 8082 also uses WebSocket connections at ws://localhost:8082/public-api/repossession-requests-socket. I'm trying to redirect any connections to ws://localhost/public-api/repossession-requests-socket to wss://localhost/public-api/repossession-requests-socket and have Nginx proxy those WebSocket requests to ws://localhost:8082/public-api/repossession-requests-socket.
Instead, the WebSocket connections are failing because Nginx is returning a 301 for both ws://localhost/public-api/repossession-requests-socket & wss://localhost/public-api/repossession-requests-socket. My configuration is below; I'm using the Docker image nginx:alpine in my tests ($PWD is mapped to /app).
How do I need to change this so that I no longer see 301s?
events {
    worker_connections 1024;
}
http {
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443;
        server_name localhost;
        ssl_certificate /app/docker/public.pem;
        ssl_certificate_key /app/docker/private.pem;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        access_log /app/access-443.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://localhost:8082;
            proxy_read_timeout 90;
            proxy_redirect http://localhost:8082 https://localhost;
        }
        location /public-api/repossession-requests-socket/ {
            proxy_pass http://localhost:8082;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
Found the problem. The trailing slash on the end of the location stanza.
location /public-api/repossession-requests-socket/ should have been location /public-api/repossession-requests-socket.
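Why the trailing slash produced a 301 on port 443, modelled as an added example that is not part of the original post: nginx answers a request for a proxied prefix location minus its trailing slash with a permanent redirect to the slashed URI, so the handshake request never reached the block that sets the Upgrade header. The dictionaries are constructed from the question's two location blocks, and `route` is a hypothetical helper that covers plain prefix locations only.

```python
# Constructed model of the two location blocks in the question's 443 server.
# Each entry: prefix -> (uses proxy_pass, forwards the Upgrade header).
BEFORE = {
    "/": (True, False),
    "/public-api/repossession-requests-socket/": (True, True),
}
AFTER = {
    "/": (True, False),
    "/public-api/repossession-requests-socket": (True, True),
}
SOCKET_URI = "/public-api/repossession-requests-socket"


def route(uri, locations):
    """Return (action, location) for plain prefix locations.

    Exact (=), ^~ and regex locations are outside this model.
    """
    path = uri.split("?", 1)[0]
    # Special case: a prefix location that ends in "/" and is handled by
    # proxy_pass answers the same URI without the slash with a 301.
    for prefix, (proxied, _) in locations.items():
        if proxied and prefix.endswith("/") and path + "/" == prefix:
            return ("301 -> " + prefix, prefix)
    # Otherwise the longest matching prefix wins.
    best = max((p for p in locations if path.startswith(p)), key=len, default=None)
    if best is None:
        return ("404", None)
    _, upgrade = locations[best]
    return ("proxy with Upgrade" if upgrade else "proxy without Upgrade", best)


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        for uri in (SOCKET_URI, SOCKET_URI + "/42", "/index.html"):
            print(name, uri, route(uri, conf))
```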
I'm trying to use Nginx as a reverse-proxy for my pages at github pages. Based on info from here: https://pascal.io/github-pages-https/, and others, my config looks like this:
server {
    listen 80 default_server;
    server_name leepope.com www.leepope.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name leepope.com;
    ssl on;
    ssl_certificate <my cert>;
    ssl_certificate_key <my key>;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    location / {
        proxy_pass https://leepope.github.io;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_intercept_errors on;
        expires off;
    }
}
When I make a request to the server root, I get a github page, but it's a 404.
I've enabled nginx debugging, but I can't see what the request going to github looks like - their headers are in the log, but there's no info about what's going out.
Can anyone help me troubleshoot this?
Thanks.