NGINX: too many redirects - nginx

I'm hosting a meteor app behind an nginx proxy. We were using https (and thus 301 redirecting all http connections to 443). However, we've now gone back to http (and thus 301 redirecting all https connections to 80).
When I try to visit my site, I get an error saying, "The page isn’t redirecting properly". However, if I visit in incognito or after clearing my browser cache and cookies, everything works again.
Can I change anything in my nginx conf file (below) to fix this? I really don't want all of my visitors to have to clear their browsing data. Thanks!

    server_tokens off; # for security-by-obscurity: stop displaying nginx version

    # this section is needed to proxy web-socket connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # HTTP
    server {
        listen 80;
        server_name [REDACTED];

        # redirect to meteor
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade; # allow websockets
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
        }
    }

    # HTTPS server
    server {
        listen 443 ssl spdy; # we enable SPDY here
        server_name [REDACTED];
        root html; # irrelevant
        index index.html; # irrelevant

        # redirect to http
        return 301 http://$host$request_uri;

        ssl_certificate /etc/[REDACTED].pem;
        ssl_certificate_key /etc/[REDACTED].pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers '[REDACTED]';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
        # This works because IE 11 does not present itself as MSIE anymore
        if ($http_user_agent ~ "MSIE" ) {
            return 303 https://browser-update.org/update.html;
        }

        location ~ /.well-known {
            allow all;
        }
    }
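
Added example, not part of the original question: the HTTPS block above sends `Strict-Transport-Security max-age=15768000` together with its 301, so a browser that has cached that policy rewrites the `http://` target back to `https://` and loops until its site data is cleared. One way to unwind it server-side is to keep answering on 443 and expire the policy before redirecting; `example.com` and the certificate paths are placeholders.

```nginx
# Added example; example.com and the certificate paths are placeholders.

# Before (from the question): the 301 to http:// carries a six-month HSTS
# policy, so the browser upgrades the redirect target back to https://.
#
#   return 301 http://$host$request_uri;
#   add_header Strict-Transport-Security max-age=15768000;

# After: keep serving 443 with a valid certificate and expire the policy.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key.pem;

    # max-age=0 tells the browser to delete its cached HSTS entry for this host.
    # "always" attaches the header to every response code nginx generates.
    add_header Strict-Transport-Security "max-age=0" always;

    return 301 http://$host$request_uri;
}
```

Browsers accept the header only over a TLS connection without certificate errors, so the certificate has to stay valid until returning visitors have hit the HTTPS listener once or the original max-age has run out.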

Related

NGINX routing question - I've spent some hours on this to no luck yet

I've spent hours on multiple message boards and forums looking for this config pattern in NGINX. I want a subdomain to get redirected to port 8080 before the catch-all grabs everything else that comes into the domain, including all other subdomains, and points it at 443.
The 443 redirect already works perfectly. Any and all help would be appreciated, thank you.
I have adminer.server.app that I want to go to HTTP://adminer.server.app (it really goes to 8080 after NGINX would do its thing).
Again, all other traffic is taken care of so far.
Here is a snippet of my conf file:

    server {
        listen 80;
        listen [::]:80;
        server_name server.app www.server.app;

        location / {
            return 301 https://$host$request_uri;
        }

        #for certbot challenges (renewal process)
        location ~ /.well-known/acme-challenge {
            allow all;
            root /data/letsencrypt;
        }
    }

    #https://adminer.server.app
    server {
        listen 8080;
        server_name adminer.server.app;
        server_tokens off;
        resolver 8.8.8.8;

        location / {
            proxy_pass http://localhost:8080;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    #https://server.app
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name server.app;
        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/certs/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/certs/privkey.pem;
        ssl_buffer_size 8k;
        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8;

        return 301 https://www.server.app$request_uri;
    }

I can bring the phpmyadmin up by using my IP:8080, so at the moment this isn't critical. I'm not going to expose it after I'm done configuring the MySQL anyway. Closing request for help.

Newbie - how do I configure NGINX to only serve request from a specific domain? [duplicate]

Is it possible to allow only users typing in xxxxxx.com (fictive), so they should make a DNS lookup and connect, and block users who use my public IP to connect?
Configuration:

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443;
        server_name xxxxxxx.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/jenkins.access.log;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://10.0.11.32:80;
            proxy_read_timeout 360;
            proxy_redirect http://10.0.11.32:80 https://xxxxxxx.com;
        }
    }

The $http_host parameter is set to the value of the Host request header. nginx uses that value to select a server block. If a server block is not found, the default server is used, which is either marked as default_server or is the first server block encountered. See this documentation.
To force nginx to only accept named requests, use a catch all server block to reject anything else, for example:

    server {
        listen 80 default_server;
        return 403;
    }

    server {
        listen 80;
        server_name www.example.com;
        ...
    }

With the SSL protocol, it depends on whether or not you have SNI enabled. If you are not using SNI, then all SSL requests pass through the same server block, in which case you will need to use an if directive to test the value of the $http_host value. See this and this for details.
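
For the HTTPS case with SNI in use, an added example (not from the original answer): a default server on 443 that refuses any handshake whose SNI name matches no `server_name`, so a client connecting by bare IP never reaches the proxied application. It assumes nginx 1.19.4 or later for `ssl_reject_handshake`; `www.example.com` is a placeholder, and the certificate paths and backend address are reused from the question.

```nginx
# Added example: www.example.com is a placeholder; certificate paths and the
# backend address are reused from the question.

# Plain HTTP: a Host that matches no server_name (the bare IP included)
# falls through to this default server.
server {
    listen 80 default_server;
    return 403;
}

# TLS: refuse the handshake when the SNI name is missing or unknown, so no
# certificate is presented to clients that connect by IP (nginx >= 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
    # Fallback for a request whose Host header matches no server_name after
    # a handshake that used a valid SNI name.
    return 403;
}

server {
    listen 80;
    server_name www.example.com;
    # Fixed name rather than $host, which is copied from the request.
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.0.11.32:80;
    }
}
```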

trying to set nginx with https configuration returns Invalid Host header

I'm trying to configure nginx with https so I can browse to it (www.oidctest.com, configured to localhost in the hosts file) and it will redirect to my application, which resides at www.oidctest.com:3000.
My nginx configuration is:

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.oidctest.com;
        return 301 http://$server_name:3000$request_uri;

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /nginx-1.14.1/conf/server.crt;
        ssl_certificate_key /nginx-1.14.1/conf/server.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        #ssl_dhparam /path/to/dhparam.pem;

        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE....HA:!DSS';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        #add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
        resolver 8.8.8.8;

        location / {
            proxy_pass http://localhost:3000;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }
    }

But when I browse to "www.oidctest.com" I get: "Invalid Host header".
Can you suggest a solution?

In the nginx.conf, I would replace

    proxy_pass http://localhost:3000;

with

    proxy_pass http://127.0.0.1:3000;

But more importantly, the error is related to your ReactJS app (I guess it is one of those?). You can add allowedHosts under devServer in your webpack.config.js:

    devServer: {
        compress: true,
        inline: true,
        port: '8080',
        allowedHosts: [
            '.amazonaws.com'
        ]
    },

TFS behind Nginx reverse proxy

Trying to configure Team Foundation Server behind Nginx reverse proxy.
Also, I'm using a self-signed SSL Certificate.
Getting ERR_TOO_MANY_REDIRECTS
Here is my nginx configuration:

    server {
        listen 80 default;
        server_name tfs.domain.com;
        return 301 https://$host$request_uri;
    }

    upstream tfs.domain.com {
        server 12.34.56.78:80; #local tfs address
        keepalive 16;
    }

    server {
        listen 443 ssl;
        server_name tfs.domain.com;

        ssl_certificate /etc/nginx/ssl/tfs.domain.com.pem;
        ssl_certificate_key /etc/nginx/ssl/tfs.domain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://12.34.56.78:80; #local tfs address
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect http:// $scheme://;
        }

        access_log /var/log/nginx/tfs.domain.com/443-access.log;
        error_log /var/log/nginx/tfs.domain.com/443-error.log;
    }

What am I doing wrong?

Just try to set the proxy_redirect explicitly, e.g.:

    proxy_redirect http://localhost:8080 https://tfs.domain.com;

You can refer to the article below to configure nginx (it should be similar for TFS):
How To Configure Nginx with SSL as a Reverse Proxy for Jenkins
And this thread may help: https://serverfault.com/questions/754351/what-is-a-correct-ways-to-allow-login-to-an-iis-site-through-a-reverse-proxy
Besides, you can refer to the articles below to troubleshoot the ERR_TOO_MANY_REDIRECTS issue:
How to Fix ERR_TOO_MANY_REDIRECTS on Your WordPress Site
How to Fix Err Too Many Redirects Error
