nginx internal reverse proxy - nginx

I want the following scenario
Client makes browser request to http://my-domain.com
Nginx A intercepts that request which then forwards it to Nginx B which is hosting my website
I have the current configuration but i am getting ERR_TOO_MANY_REDIRECTS
Nginx A (landing host proxy)
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
server_tokens off;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /my/ssl/my-domain.com.crt;
ssl_certificate_key /my/ssl/my-domain.com.key;
ssl_dhparam /my/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
return 404;
}
upstream client_proxy {
server my_internal_server:80;
}
server {
server_name my-domain.com;
listen 443 ssl;
ssl_certificate /my/ssl/my-domain.com.crt;
ssl_certificate_key /my/ssl/my-domain.com.key;
ssl_dhparam /my/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
location / {
rewrite ^ http://my-domain.com/;
index index.html index.htm;
charset utf-8;
auth_basic off;
allow all;
proxy_pass http://client_proxy/;
proxy_ignore_headers Set-Cookie Cache-Control Expires;
proxy_hide_header "Set-Cookie";
proxy_redirect off;
proxy_set_header Host my-domain.com;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_For;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
send_timeout 90s;
}
}
Nginx B (Web server)
server {
listen 80;
root /my/www;
index index.html;
try_files $uri $uri/ /index.html;
# ... other location blocks which are irrelevant here
}

As stated by Richard Smith in the comment,
remove the rewrite rule and it fixed it

Related

Can't access Nginx server from local network (LAN)

I just installed Nginx and a service on port 8069. I able to access to my service from outside by using odoo.domain.com. But the problem is I can't access from local network (LAN).
If I try to access Nginx's IP then I can see Nginx default page but if I add ip:8069, it still not working.
Below is my Nginx config.
server {
server_name odoo.domain.com;
listen 80;
access_log /var/log/nginx/testing-access.log;
error_log /var/log/nginx/testing-error.log;
#return 301 https://$host$request_uri;
listen 443 ssl http2;
#rewrite ^(.*) https://$host$1 permanent;
ssl_certificate /etc/letsencrypt/live/odoo.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/odoo.domain.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# ssl_prefer_server_ciphers off;
location /longpolling {
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
send_timeout 3600;
proxy_pass http://127.0.0.1:8072;
}
location / {
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
send_timeout 3600;
proxy_pass http://127.0.0.1:8069/;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
gzip on;
gzip_min_length 1000;
}
upstream odoo {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo-im {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}

Nginx location not working after redirecting to https

I have set up Nginx as a reverse proxy as well as using SSL, and everything is working fine except location maping.
When I call /api/public/contact it redirects me to: https://127.0.0.1/api/public/contact
but what I want is: http://127.0.0.3:1337/api/public/contact
I feel like after redirecting to https, the nginx is ignoring locations.
I'm testing on localhost. Below is my configuration. Any help will be appreciated :)
events{}
http {
include /etc/nginx/mime.types;
server {
listen 80;
listen [::]:80;
server_name test.com www.test.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
keepalive_timeout 70;
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/keykey.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name test.com www.test.com;
root /usr/share/nginx/html;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api {
proxy_pass http://127.0.0.3:1337;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_read_timeout 90;
}
}
}

How to restrict access to a site by IP through nGinx?

I have a website that can be accessed by entering the IP address. I want to make it accessible only through the domain. There is little suitable material on the Internet, there is no good explanation of what to replace in the ode of the nginx.conf file.
In my file already has 2 sections named server.
server {
listen 80;
server_name avoe.com;
rewrite ^ https://avoe.com$request_uri? permanent;
}
server {
listen 443 ssl;
server_name avoe.com;
ssl_certificate /etc/ssl/__reksoft_ru.crt;
ssl_certificate_key /etc/ssl/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
client_body_buffer_size 8k;
client_max_body_size 20m;
client_body_in_single_buffer on;
client_header_buffer_size 1m;
large_client_header_buffers 4 8k;
location /Intra/api/thumbor/ {
proxy_pass http://thumbor/;
}
location /solr {
proxy_pass http://solr;
}
location /minio {
proxy_pass http://minio;
}
location /activemq {
proxy_pass http://activemq;
}
location / {
proxy_pass http://wildfly/;
proxy_buffer_size 16k;
proxy_buffers 16 16k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_read_timeout 180s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
if ($request_method !~ ^(GET|HEAD|POST|DELETE|PUT)$ ) {
return 405;
}
}
What to add or replace where so that access is ONLY by domain?
You could ensure the HTTP Host header is set to avoe.com like this:
if ($http_host != 'avoe.com') {
return 301 https://avoe.com$request_uri;
}
use this config as the server that listens on port 80:
server {
listen 80;
server_name avoe.com default_server;
if ($host = avoe.com) {
return 301 https://$host$request_uri;
}
return 404;
}

Ruby on rails app working on http but not on https

I have a RoR app running in Nginx. I deploy the application to server using capistrano and puma. It works well under this nginx configuration:
upstream puma {
server unix:///home/kiui/apps/kiui/shared/tmp/sockets/kiui-puma.sock;
}
server {
listen 80;
keepalive_timeout 70;
server_name kiuiapp.com;
root /home/kiui/apps/kiui/current/public;
access_log /home/kiui/apps/kiui/current/log/nginx.access.log;
error_log /home/kiui/apps/kiui/current/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
}
But I need run the rails app with https to use a Facebook app in it. I created a auto signed ssl certificate following this tutorial create autosigned ssl certificate and changed the nginx configuration to that:
upstream puma {
server unix:///home/kiui/apps/kiui/shared/tmp/sockets/kiui-puma.sock;
}
server {
listen 443 ssl;
keepalive_timeout 70;
server_name kiuiapp.com;
ssl on;
ssl_certificate /etc/ssl/kiui.crt;
ssl_certificate_key /etc/ssl/kiui.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
root /home/kiui/apps/kiui/current/public;
access_log /home/kiui/apps/kiui/current/log/nginx.access.log;
error_log /home/kiui/apps/kiui/current/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
}
It not work! The browser give me ERR_CONNECTION_TIMED_OUTerror. Someone could help me?
SOLUTION:
upstream puma {
server unix:///home/kiui/apps/kiui/shared/tmp/sockets/kiui-puma.sock;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
keepalive_timeout 70;
server_name kiuiapp.com;
ssl on;
ssl_certificate /root/kiuiapp.com.chain.cer;
ssl_certificate_key /root/kiuiapp.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
root /home/kiui/apps/kiui/current/public;
access_log /home/kiui/apps/kiui/current/log/nginx.access.log;
error_log /home/kiui/apps/kiui/current/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
}
I think the problem was the ssl certificate chain. It was not well created.

Nginx redirect config issue

I have nginx bitnami container deployed in Openshift that serves my application. The issue that I am facing is that the redirect is not working. In the logs, there are no indications that the request is caught by a proxy_pass location block.
So. the idea is that a request to app.com/backend1/api/something should be forwarded to service1.com/backend1/api/something. The same goes for service2.
worker_processes 1;
events {
worker_connections 1024;
}
http {
upstream service1 {
server service1.com;
}
upstream service2 {
server service2.com;
}
server {
listen 8443 ssl;
listen [::]:8443 http2 ssl;
server_name app.com;
error_log /opt/bitnami/nginx/error.log debug;
ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
include /opt/bitnami/nginx/conf/mime.types;
root /opt/bitnami/nginx/html;
location ~ ^/backend1/api/(.*)$ {
proxy_pass https://service1/backend1/api/$1;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/backend2/api/(.*)$ {
proxy_pass https://service2/backend2/api/$1;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
try_files $uri /index.html;
}
}
}
I have also tried moving the order of the location blocks, as well as moving the root directive, but without success.
Any ideas on how to resolve this issue?

Resources