I am playing around with Nginx and I successfully set up a simple (for now HTTP only) reverse proxy. As a newbie, I am wondering what would I need to modify to make this production ready. Which leads me to the following questions:
Is there a way to unify the proxy_set_header directive so that I don't need to repeat myself for every virtual host?
Am I missing any other important host header modifications than X-Forwarded-Proto, X-Url-Scheme, X-Forwarded-For and Host?
nginx.conf:
worker_processes 1;
events {
worker_connections 1024;
}
http {
sendfile on;
gzip on;
# skip log_format/access_log
server {
listen 80;
server_name server1.company.com;
location / {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://server1; # IP or FQDN would be better here
}
}
server {
listen 80;
server_name server2.company.com;
location / {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://server2; # IP or FQDN would be better here
}
}
}
Any feedback/point to a direction would be appreciated.
If you place all of your proxy_set_header statements in the http block, they will be inherited into the server blocks and then into the location blocks. The inheritance only happens into blocks without another proxy_set_header statement. See this document for details.
Alternatively, place common statements into a separate file and pull them into any part of your configuration by using an include directive. See this document for details.
Which headers you should set is dependent on your application. But this article discusses preventing certain headers from being passed to the proxied server, e.g.
proxy_set_header Accept-Encoding "";
And this article mitigates the HTTPoxy vulnerability with:
proxy_set_header Proxy "";
Related
I have 1 frontend Nginx server and 2 backend nginx servers.
Frontend server does proxy pass to the backend server. Previously there was only 1 backend server so all my queries were going to the single backend server, but as the traffic increased, I have added 1 more backend server just for search queries.
But I can not make only search queries to go to the 2nd backend server.
my current configuration is like this.
server {
listen 80;
server_name example.com;
location /search/ {
proxy_pass https://search.example.com/;
proxy_set_header Host search.example.com;
#set custom headers for upstream server
proxy_set_header Accept-Encoding "";
proxy_set_header CF-Connecting-IP "";
proxy_ssl_verify off;
proxy_ssl_server_name on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
proxy_pass https://box1.example.com/;
proxy_set_header Host box1.example.com;
#set custom headers for upstream server
proxy_set_header Accept-Encoding "";
proxy_set_header CF-Connecting-IP "";
proxy_ssl_verify off;
proxy_ssl_server_name on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
What I want to do is.
If URL is
https://example.com/search/test/1/8/0
then reverse proxy to search.example.com
else reverse proxy all other requests to box1.example.com
my current configuration gives 404 not found errors for search queries.
How can I fix it?
new to NGINX.
Currently running a local reverse proxy using Nginx.
Just wondering how I can change the Referer in the request header from http://localhost:8080 to say a different server_name like me.example.com
Finding it difficult to find clear documentation on this subject.
have tried setting this value using:
proxy_set_header Referer "me.example.com";
Doesn't seem to do anything.
Any help on this greatly appreciated.
server {
listen 8080;
server_name localhost;
# test APi
location /test/api {
# Edit this line only:
proxy_pass https://test.com/test/api;
proxy_set_header Host $http_host;
break;
}
location / {
proxy_pass http://localhost:4567;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Referer "me.example.com";
}
}
The proxy_set_header directive sends headers to the backend. If you want nginx to return headers to the client, then the add_header directive is what you're looking for.
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
I'd like to route all requests sent to my nginx server to my backend application by default, but selectively send API requests with GET HTTP verbs to a OpenResty Lua based REST API backed by a content_by_lua nginx directive.
I'm successfully able to route all API requests to the Lua API based on their URL prefix using the following configuration (note that this does not take into account the HTTP Verb):
http {
upstream backend {
server localhost:8080;
}
server {
listen 80;
location / {
# Send all requests to the backend application
proxy_pass http://backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header HTTP_CLIENT_IP $remote_addr;
proxy_redirect off;
}
location /api {
# Send any URL with the /api prefix to the nginx Lua API application
content_by_lua '
require("lapis").serve("app")
';
}
}
}
But, as I stated above, I'd like to further restrict API requests such that any requests with HTTP Verbs other than GET (like POST, PUT, DELETE, etc) are still routed to the backend, while the GET requests alone are routed to the Lua API location.
Based on some other posts, blogs, and documentation (and hearing that the if directive is frowned upon), I tried using a limit_except directive, but then the nginx server crashed upon startup as it seems the content_by_lua directive was not designed for limit_except blocks. Here was my attempt:
http {
upstream backend {
server localhost:8080;
}
server {
listen 80;
location / {
proxy_pass http://backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header HTTP_CLIENT_IP $remote_addr;
proxy_redirect off;
}
location /api {
# Default the non-get API requests back to the backend server
proxy_pass http://backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header HTTP_CLIENT_IP $remote_addr;
proxy_redirect off;
# Select requests that *aren't* a PUT, POST, or DELETE, and pass those to the Lapis REST API
limit_except PUT POST DELETE {
content_by_lua '
require("lapis").serve("app")
';
}
}
}
}
which promptly crashed with
nginx: [emerg] "content_by_lua" directive is not allowed here in nginx.conf:46
What is the best way to selectively route in nginx based on both URL prefix and HTTP verb when delegating to the content_by_lua directive?
I implemented conditional routing of particular URL GET actions by using the if directive, even though it's evil according to the nginx devs. It does seem like this might one of the few desirable use cases for the if directive, but if it's not or someone has a better approach, please let me know (which is why I haven't accepted my own answer).
Here is the nginx configuration file that currently implements the solution:
http {
upstream backend {
server localhost:3000;
}
server {
listen 80;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header HTTP_CLIENT_IP $remote_addr;
proxy_redirect off;
# By default pass all the requests to the Rails app backend
location / {
proxy_pass http://backend;
}
# Delegate certain API calls to our special OpenResty Endpoints
location /api {
# Makes sure all POSTs, PUTs, and DELETE actions still get handed off to the backend
if ($request_method ~ POST|PUT|DELETE) {
proxy_pass http://backend;
}
# All that should remain are the GET and OPTIONS endpoints so send them to the OpenResty Lua backend!)
content_by_lua 'require("lapis").serve("app")';
}
}
}
I have configured nginx as reverse proxy tool. I have come across a problem which I have not been able to deal with. Following are the rules I have set in my .conf file.
server {
listen 80;
server_name rp.mydomain.com;
return 301 https://$host/myapp1/;
location / {
proxy_pass <local ip address>;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http://$host https://$host;
proxy_set_header Host $host;
}
}
server {
listen 443 ssl;
server_name rp.mydomain.com;
location / {
proxy_pass <local ip address>;
proxy_redirect http:// https://;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_ssl_session_reuse on;
}
}
My application resides on /myapp1/ . The reason why I am not writing /myapp1/ in the proxy_pass [I tried] is because the redirection is not working properly WHEN I try to login on the page. I get the error page not found.
But after this rule in listen 80 block, return 301 https://$host/myapp1/; its working like charm, but only if I go open the http page.
When I open the link, rp.mydomain.com. The redirection is working perfectly and the application works fine too. The http request is redirected to https and I can log in through my app.
But, when I go through https://rp.mydomain.com, I end up at the blank page of <local ip address>, because of the proxy_pass rule in listen 443.
My requirement is whenever the specific request of the page is generated, which is, https://rp.mydomain.com, its redirected to https://rp.mydomain.com/myapp1/ (like when it does when the user accesses the page through http://rp.mydomain.com) but the other requests, like https://rp.mydomain.com/myapp1/ or https://rp.mydomain.com/myapp1/profile [etc etc] are not affected.
Just one specific page https://rp.mydomain.com gets redirected automatically.
Is it possible to do so? Please help me in this issue.
Thank you.
Try:
server {
listen 80;
server_name rp.mydomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name rp.mydomain.com;
location = / {
rewrite ^ /myapp1/ last;
}
location / {
proxy_pass <local ip address>;
proxy_redirect http:// https://;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_ssl_session_reuse on;
}
}
The location = / block has been added to create the mapping from / to /myapp1/. To change the URL in the browser, use permanent instead of last. See this document for details.
You will need to add additional proxy_redirect statements to prevent your local ip address leaking out when the application performs a redirect. See this document for details.
It is assumed that your SSL certificates are defined in an outer block and inherited.
How to proxy all subdomain to other domain path?
For example
SUBDOMAIN.abcxyz123.com
To be proxied to
myapp.otherdomain.com/SUBDOMAIN
Making sure that all header/path and query parameters in the request is kept.
Update:
I've tried and have a working config but still not the one I need:
server {
listen 80;
server_name ~^(?<subdomain>.+)\.abcxyz123\.com$;
location / {
proxy_set_header Host "myapp.otherdomain.com";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
# this worked:
proxy_pass http://myapp.otherdomain.com/somepath/;
# this does not work:
#proxy_pass http://myapp.otherdomain.com/$subdomain$request_uri;
}
}
Try this
server {
server_name ~^(?<subdomain>.*)\.abcxyz123\.com$;
resolver 8.8.8.8;
rewrite ^/(.*)$ /$subdomain/$1;
location / {
proxy_set_header Host "myapp.otherdomain.com";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass http://myapp.otherdomain.com;
}
}
This should proxy all your traffic with original query parameters(query strings, request body, request method, etc), I changed the host header to the proxied "myapp.otherdomain.com" incase the server of 'myapp.otherdomain.com' has more than one virtual hosts. If you don't want the change, use $host instead.
This answer might need another edit since your question isn't very clear. If you have further question, comment and i will edit in my answer.