Trouble setting up NGINX behind pfSense Router - nginx

I'm attempting to setup an NGINX reverse proxy on my network, it is currently running on an Ubuntu VM. I'd like to run a website running in IIS, and another site running on Apache in a Linux VM behind the same public IP address. NGINX seemed like the perfect solution.
I've followed several guides and can't seem to get everything working. The NGINX config seems to work locally if I access the NGINX VM's IP directly it serves me the default config, and I can even change it between the IIS site, or the Apache site, and get it to work locally. My problem comes in with any external connection.
Previously my pfSense router was setup to forward port 80 and 443 to the IIS VM, and that was working fine, so I know at a basic level that pfSense was able to forward those ports to that windows client. Once I got NGINX setup I changed my port forwards for 80 and 443 to point to the VM running NGINX. Now none of my websites will work, the ip address for the domains resolves to my public IP, but the requests time out / never reach any web server.
nginx.conf is the default, I made no changes.
default nginx host conf:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
return 404;
}
}
Apache host conf:
server {
listen 80;
server_name domain.com;
location / {
proxy_pass http://0.0.0.0:80; # Apache internal IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
pfSense Port 80 Rule:
Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: TCP
Source: Any
Destination: NGINX VM IP
From: 80
To: 80
I'm not getting any error messages in the console, in the NGINX log, etc. I'm honestly at a loss. Any advice would be greatly appreciated.

You have it set up so Apache is forwarding to Nginx. Your Nginx file is not forwarding anything. If Nginxis going to be the reverse proxy, then the location / { ... } components showing in the Apache config file need to be in the Nginx config file. Also, I would change "server name _" to show your domain name in the Nginx file.

Related

Bind SSL certificate to a port number -- Nginx

Sorry for the limited understanding of Nginx and SSL. I have a React and Django app deployed on a server running on Nginx.
The React app is accessible using "example.org"(name is faked for demo purpose) and for the Django app, I have configured it to be accessible with port 3000 ie "example.org:3000".
The domain has SSL certificates installed and certificates are seen in "example.org" but while accessing "example.org:3000", the certificates are not available to this port.
I have been trying to allow ssl certificates to the port as well but couldnt succeed. I changed nginx conf file with listen 3000 ssl without success.
Please help, is there a way or should we need to modify the ssl certificates?
Nginx config at the moment is:
server {
listen 80 default_server;
server_name example.org;
return 301 https://example.org;
}
server {
listen 443 ssl;
server_name example.org;
ssl_certificate /etc/nginx/ssl/ssl_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
location / {
root /home/ubuntu/example/build;
index index.html index.htm;
}
}
The Port has nothing to do with the certs OR TLS Termination in general. IN case my assumptions are correct and your Django app is exposing its port 3000 by itself you need a proxy configuration that terminates the TLS for you.
server {
listen 8080 ssl;
server_name example.org;
ssl_certificate /etc/nginx/ssl/ssl_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
location / {
proxy_pass http://127.0.0.1:3000/;
proxy_set_header Host $host;
.....
}
}
This will terminate the TLS Session for you on Port 8080 and forwards the traffic to your Django app. There are other, more advanced options, proxying traffic to your appserver but this one will do it.
Note: In case you want to proxy the traffic through NGINX make sure Port 3000 is not exposed to the public anymore.

Nginx win server 2012 - Configure proxy pass

I have a node server listening on localhost:8080 and I'd like to use nginx as proxy pass, so i made nginx listen to port 80 incoming connections. However I'm not able to configure nginx config to do the reverse proxying. I do not currently have a domain, only server IP. So I'm guessing server_name has to be set to $host or something?
events{
}
http{
server{
listen 80;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host 127.0.0.1;
}
}
}
If I try to visit my server IP on port 80 I just receive welcome to Nginx page.
You should reload and restart your nginx
sudo service nginx reload
sudo service nginx restart

nginx unable to listen to port 80

I have a web app running on port 8081. I want to use nginx to redirect incoming http traffic to this port. So I have this configuration
server {
listen 80;
server_name myserver.thing.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8081;
}
}
When I try to open the address, I get a ERR_CONNECTION_REFUSED error.
However, if I change the port to, say, 81 and connect there, everything goes smoothly. I don't understand why. There is nothing running on the machine, only nginx and Artifactory. Firewall is turned off for the time being.
Is there a problem with interacting on port 80? What can cause this?
EDIT
I have been using this nginx a few days ago to redirect from 80 to 443 and then from 443 to 8081. (http -> https -> 8081). For debugging purposes now I want to ignore https.
However, for some reason, the port 80 seems to be still redirected to 443, despite no such config being there for nginx.
...
Turns out there must have been a cached redirect in Chrome (originally when the web was visited on port 80 I returned a 301 redirect to port 443. This must've been saved, because when I open an incognito window, it works as expected.

nginx using custom port

I have installed LEMP on Ubuntu. I am using a port 4738 as an nginx listener. Everything works fine. I can access the page as 123.123.123.123:4738.
I do want to get rid of port in the url. How to do it? I have read many answers on SO and tried but didn't work for me. Following is an example:
port_in_redirect off;
location / {
proxy_pass http://123.123.123.123:4738;
}
and
proxy_redirect http://123.123.123.123 http://123.123.123.123:4738;
port_in_redirect off;
If you're not using the default port for the protocol, you have to have the port in the URL. You have to listen on port 80 if you expect to not have the port in your HTTP URL.
Configure your server to listen on port 80.

Can I redirect non-SSL traffic that comes in on an SSL port with Nginx

I have a fairly standard setup with nginx fronting a django app. I want the django app to be SSL only, and so I have two listen blocks in my nginx conf, with the traffic coming in on port 80 (HTTP) being redirected to port 443 (SSL). This is working as expected.
I am running this setup inside a VM that has port forwarding turned on, such that I can browser the site from the host machine by going to port 8080 (HTTP) or 8081 (SSL). Again, this work fine, as expected.
The problem comes when I am redirected internally from the Django app during a registration workflow. Because Django never sees the SSL status (SSL is terminated at nginx, and traffic to the app is forwarded on port 5000 over HTTP), but does see the port, the redirect is getting mangled**.
The net result of all of this is that I have traffic being directed into nginx on the SSL port, that is not SSL, e.g. http://127.0.0.1:443/. Is there any way to configure nginx to handle this?
** NB I am setting the X-Forwarded-Proto header in Nginx, and Django is picking up the correct .is_secure() value, this is a specific problem with an external library not checking is_secure and just redirecting on the incoming URL scheme.
[UPDATE 1]
Attached are the relevant config settings. This is from the Vagrantfile itself, showing the port forwarding:
config.vm.forward_port 80, 8080 # website, via nginx (redirects to SSL:8081)
config.vm.forward_port 443, 8081 # website, via nginx (accepts SSL)
config.vm.forward_port 5000, 8180 # website, via gunicorn (direct)
Using the above port forwarding configuration, if I browse to the site on the host machine on the HTTP port (8080), then the request is accepted, and nginx (see below) redirects this request to HTTPS (running on port 8081). Once I am on HTTPS the site itself works fine:
(host) http://127.0.0.1:8080 -> forwarded to -> (guest vm) http://127.0.0.1:80
(host) https://127.0.0.1:8081 -> forwarded to -> (guest vm) https://127.0.0.1:443
The problem occurs when I get a redirect internally from Django which mixed scheme & protocol, and ends up with a request to http:\\127.0.0.1:8081\..., which fails, as nginx is expecting traffic on 8081 to be SSL.
What I really want is a rule that says 'listen on 443 for both SSL and non-SSL and redirect non-SSL'.
This is the relevant nginx configuration:
# Django app is served by Gunicorn, running under port 5000 (via Foreman)
upstream gunicorn {
server 127.0.0.1:5000 fail_timeout=0;
}
server {
listen 80;
# 8081 is the port I am forwarding to on the host machine
rewrite ^ https://127.0.0.1:8081$request_uri? permanent;
}
server {
listen 443;
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/self-signed.crt;
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /static/ {
alias /app/static/;
}
location /media/ {
alias /app/media/;
}
location / {
# everything else is to be served by the django app (upstream 'gunicorn')
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# this is set to ensure that django is_secure returns True
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://gunicorn;
}
}
You should check out "Error Processing" section of this document:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Non-standard error code 497 may be used to process plain HTTP request which has been sent to HTTPS port.
Something like this should work (untested):
error_page 497 https://$host$request_uri;
Named locations may also be used in error_page, see http://nginx.org/r/error_page for details.

Resources