I have an Nginx with Docker for my development environment with HTTP and HTTPS, here's the configuration:
listen 80;
listen 443 ssl;
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Real-IP;
real_ip_recursive on;
location / {
try_files $uri @rewriteapp;
}
location @rewriteapp {
rewrite ^(.*)$ /app.php/$1 last;
}
location ~ ^/(app|app_dev|app_test|config)\.php(/|$) {
fastcgi_pass php-upstream;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS $https;
}
I want to test HTTP and HTTPS in my local environment, but in production I have an Nginx reverse proxy in front with:
upstream app_upstream {
server app:80;
}
server {
server_name $APP_DOMAIN;
listen 443 ssl;
ssl_certificate /run/secrets/app_cert.pem;
ssl_certificate_key /run/secrets/app_key.pem;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://app_upstream;
}
}
I want the reverse proxy to accept only HTTPS and forward to the application nginx, but my PHP application behind it is receiving $_SERVER['HTTPS'] = "".
I also want to keep the SSL certificate only on the reverse proxy. How do I pass HTTPS from the reverse proxy to Nginx to PHP?
The HTTPS variable is set to $https (which is set according to the connection to the backend server, which will always be HTTP), but you want it to be set according to the forwarded connection.
You can use the X-Forwarded-Proto header to set the HTTPS variable using a map. For example:
map $http_x_forwarded_proto $https_flag {
default off;
https on;
}
server {
...
location ~ ^/(app|app_dev|app_test|config)\.php(/|$) {
...
fastcgi_param HTTPS $https_flag;
...
}
}
See this document for more.
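Emulation, in Python, of what the two nginx layers above do with the forwarded headers (the app nginx's set_real_ip_from / real_ip_recursive handling of the client address, and the answer's X-Forwarded-Proto map). This is an added example, not code from the question or the answer; the gating of X-Forwarded-Proto on a trusted peer is the example's own assumption, since nginx's map does not check who sent the header.

```python
import ipaddress
from typing import Optional

# Constructed emulation of the two nginx layers on this page (added here, not code from
# the question or answer). The app nginx trusts 10.0.0.0/8 (set_real_ip_from,
# real_ip_header, real_ip_recursive) and the answer's map turns X-Forwarded-Proto into
# the HTTPS fastcgi_param. A forwarded header only means something when the TCP peer is
# a trusted proxy, so the same trust test gates X-Forwarded-Proto here; that gating is
# this example's assumption, nginx's map does not do it on its own.

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # mirrors set_real_ip_from

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(peer: str, xff: Optional[str], recursive: bool = True) -> str:
    """Emulate ngx_http_realip_module with real_ip_header X-Forwarded-For: only a
    trusted peer may replace the client address; with real_ip_recursive on the list is
    walked right to left past trusted proxies and the last untrusted entry wins."""
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    if not recursive:
        return hops[-1]  # real_ip_recursive off: rightmost entry, as-is
    while len(hops) > 1 and is_trusted(hops[-1]):
        hops.pop()
    return hops[-1]

def https_flag(peer: str, xfp: Optional[str]) -> str:
    """The answer's map ($https_flag), gated on the peer being a trusted proxy."""
    if not is_trusted(peer):
        return "off"  # header arrived straight from a client, not from our proxy
    return "on" if (xfp or "").strip().lower() == "https" else "off"

def resolve(peer: str, headers: dict) -> dict:
    """REMOTE_ADDR and HTTPS as the PHP app should see them for one request."""
    return {"REMOTE_ADDR": real_client_ip(peer, headers.get("X-Forwarded-For")),
            "HTTPS": https_flag(peer, headers.get("X-Forwarded-Proto"))}

# Constructed samples: via the edge proxy (client tried to spoof XFF), and a direct hit
VIA_PROXY = resolve("10.0.0.5", {"X-Forwarded-For": "192.0.2.1, 203.0.113.9",
                                 "X-Forwarded-Proto": "https"})
DIRECT = resolve("198.51.100.7", {"X-Forwarded-For": "203.0.113.9",
                                  "X-Forwarded-Proto": "https"})
```

The direct request keeps its TCP peer address and gets HTTPS off, which is why the edge proxy must be the only path to the app nginx (or must overwrite the header) for the map to be trustworthy.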
I have a simple Symfony application, using Webpack Encore.
I also have an nginx server, with the configuration below to access my Symfony app:
server {
listen 8080;
server_name localhost;
root D:/Projects/SampleApp/public;
location / {
root D:/Projects/SampleApp/;
try_files /public/$uri /public/$uri /assets/$uri /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass php_farm;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
}
}
When I access http://localhost:8080, my Symfony app works well.
I would like to add another nginx as a reverse proxy that points http://localhost/SampleApp to http://localhost:8080.
I created this nginx configuration file:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate D:/Projects/certificate.crt;
ssl_certificate_key D:/Projects/certificate.key;
server_name localhost;
location /SampleApp/ {
rewrite ^/SampleApp(/.*)$ $1 break;
proxy_pass http://localhost:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
When I access http://localhost/SampleApp/login, my Symfony login page works. But:
Assets are not loaded because the base doesn't contain the "SampleApp" prefix (it calls http://localhost/assets/app.css instead of http://localhost/SampleApp/assets/app.css)
Links and redirections don't work either, for the same reason
Do you have any ideas to resolve this problem, please?
Thanks
I'm trying to not redirect http to https....
I tried to research but found nothing...
BTW I DID BOTH THESE COMMANDS TO MAKE A NEW FILE INSTEAD OF USING THE DEFAULT FILE IN SITES-ENABLED:
sudo touch /etc/nginx/sites-available/imallbd
sudo nano /etc/nginx/sites-available/imallbd
then:
sudo ln -s /etc/nginx/sites-available/imallbd /etc/nginx/sites-enabled/imallbd
This is my sites-enabled file
server {
server_name imallbd.com;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
# For API
location /api {
alias /var/www/imallbd/api/public;
try_files $uri $uri/ @api;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
}
location @api {
rewrite /api/(.*)$ /api/index.php?/$1 last;
}
# For FrontEnd -> GraphQL
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /admin {
proxy_pass http://localhost:3000/admin;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/imallbd.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/imallbd.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = imallbd.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name imallbd.com;
return 404; # managed by Certbot
}
pls help!!! btw when I go to my website it gives me 502 bad gateway... I know that's not the question I'm asking, but if you can give me some help tips or the answer I would be so grateful :)
When I run:
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you want more details or information I can give, just tell me in the comments!
THANKS IN ADVANCE!!!
First of all, why do you want to remove the https redirect?
Either way, you can remove this part:
if ($host = imallbd.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
This will remove the http -> https redirect.
Also, if you make any changes in nginx you need to restart the service.
Assuming you are using a Linux-based OS, run:
systemctl restart nginx
The problem of your 502 error of nginx has to do with php.
The php process is not running, has crashed or nginx cannot communicate with it.
What kind of php installation do you have? php-fpm? If that's the case run
systemctl restart php-fpm
If not, let me know in the comments (not enough rep to say this in the comments).
I've installed and set up senaite.lims, which is a Plone extension, running on Plone 4.3.18 installed by the Unified Installer, adding senaite.lims to the buildout.cfg eggs.
It's running fine on port 8080, and I can get Nginx to work redirecting / to :8080, but when I start using https, suddenly the css of the site doesn't work anymore.
I looked at the source, and the produced html page shows a link to the stylesheet with http://.... which I don't know if may cause problems, but if I actually try to open the .css file in the browser it works fine.
I set up and tried both with port 80 redirecting to https, and serving both an http and an https version, but neither one would get the page to render using .css. If anyone has any tips, or sees something wrongly configured in the nginx below, any help would be greatly appreciated.
Here is my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
default_type application/octet-stream;
include /etc/nginx/mime.types;
sendfile on;
keepalive_timeout 75;
upstream plone {
server 127.0.0.1:8080;
}
server {
listen 80;
listen 443 ssl http2;
server_name 99.99.99.99; # changed for posting on SO
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
proxy_pass http://localhost:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_buffer_size 128k;
proxy_buffers 8 128k;
proxy_busy_buffers_size 256k;
}
}
}
You forgot to rewrite the URL, e.g.:
rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
Here is a complete working config for SENAITE:
server {
listen 80;
server_name senaite.mydomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name senaite.mydomain.com;
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
include snippets/ssl-senaite.mydomain.com.conf;
include snippets/ssl-params.conf;
include snippets/well-known.conf;
access_log /var/log/nginx/senaite.access.log;
error_log /var/log/nginx/senaite.error.log error;
# Allow Cross-Origin Resource Sharing from our HTTP domain
add_header "Access-Control-Allow-Origin" "http://senaite.ridingbytes.com";
add_header "Access-Control-Allow-Credentials" "true";
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
add_header "X-Frame-Options" "SAMEORIGIN";
if ($http_cookie ~* "__ac=([^;]+)(?:;|$)" ) {
# prevent infinite recursions between http and https
break;
}
# rewrite ^(.*)(/logged_out)(.*) http://$server_name$1$2$3 redirect;
location / {
set $backend http://haproxy;
# API calls take a different backend w/o caching
if ($uri ~* "@@API") {
set $backend http://api;
}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
# proxy_pass $backend;
proxy_pass http://plone;
}
}
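Emulation of the answer's VirtualHostBase rewrite and of how Plone's VirtualHostMonster reads that path back to build public URLs. This is an added example, not code from the answer or from SENAITE/Plone; it assumes nginx's $host carries no port and that VHM uses 80/443 when the host in the path has no ":port" (my reading of VHM). The constructed stylesheet path stands in for the questioner's, which is not on the page.

```python
# Constructed emulation of the answer's rewrite and of how Plone's VirtualHostMonster
# reads it back; added here, not code from the answer or from SENAITE/Plone. Assumed:
# $host is the request's Host without a port (as nginx defines it), and VHM takes 80/443
# as the port when the host in the path carries no ":port" (my reading of VHM).
SITE_ID = "senaite"  # Plone site id used in the answer's rewrite

def nginx_rewrite(scheme: str, host: str, request_path: str) -> str:
    """rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;"""
    # $1 is the whole request path, leading slash included
    return f"/VirtualHostBase/{scheme}/{host}/{SITE_ID}/VirtualHostRoot{request_path}"

def vhm_decode(path: str) -> tuple:
    """Return (public base URL, Zope path of the site, path as the visitor sees it)."""
    parts = path.split("/")
    if len(parts) < 6 or parts[1] != "VirtualHostBase" or "VirtualHostRoot" not in parts:
        raise ValueError("not a VirtualHostBase path: %r" % path)
    scheme, hostport = parts[2], parts[3]
    host, _, port = hostport.partition(":")
    port = port or ("443" if scheme == "https" else "80")
    root = parts.index("VirtualHostRoot")
    site_path = "/" + "/".join(parts[4:root])
    visible = "/" + "/".join(parts[root + 1:])
    default_port = (scheme, port) in (("https", "443"), ("http", "80"))
    base = f"{scheme}://{host}" if default_port else f"{scheme}://{host}:{port}"
    return base, site_path, visible

def stylesheet_link(scheme: str, host: str, css_path: str) -> str:
    """URL Plone emits for a resource once the rewrite tells it the public scheme/host."""
    base, _site, visible = vhm_decode(nginx_rewrite(scheme, host, css_path))
    return base + visible

def stylesheet_link_without_rewrite(host: str, css_path: str) -> str:
    """What the question's config produced: Zope sees plain HTTP from nginx plus the
    forwarded Host header and builds http:// links even for an https page."""
    return f"http://{host}{css_path}"

# Constructed sample resource path; the questioner's stylesheet path is not on the page
CSS = "/++resource++example-theme/main.css"
FIXED = stylesheet_link("https", "senaite.mydomain.com", CSS)
BROKEN = stylesheet_link_without_rewrite("senaite.mydomain.com", CSS)
```

Because $scheme is the scheme of the connection nginx accepted, the same Plone instance behind a plain-HTTP proxy_pass now emits https:// links on the https vhost and http:// links on the http one, which is what removes the mixed-content stylesheet problem.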
I used the instructions in the following link:
"Hosting Clojure Web Apps in 7 Easy Steps"
I know the uberjar works because I tested it both on my dev machine and the VPS.
It's just that Nginx doesn't seem to be able to find it.
I suspect that it has something to do with this site code:
# Web sockets
location /chsk {
proxy_pass http://backend/chsk;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
...but I don't know how to correct it...thanks for the help!
One other thing: on the "upstream backend" in the site file I tried both 127.0.0.1:3000 AND 0.0.0.0:3000 with no success.
Here's the default site config:
server {
# Replace this port with the right one for your requirements
listen [::]:80 ipv6only=off;
# Multiple hostnames separated by spaces. Replace these as well.
server_name clmitchell.net www.clmitchell.net main.clmitchell.net
books.clmitchell.net dna.clmitchell.net help.clmitchell.net
history.clmitchell.net svcs.clmitchell.net;
server_name_in_redirect off;
root /data/nginx/www/$host;
error_page 401 /error/401.shtml;
error_page 402 /error/402.shtml;
error_page 403 /error/403.shtml;
error_page 404 /error/404.shtml;
error_page 500 501 502 503 504 /error/500.shtml;
location ^~ /error/ {
internal;
root /data/nginx/www/www.clmitchell.net;
}
access_log /var/log/nginx/$host-access.log;
error_log /var/log/nginx/error.log;
index index.php index.html index.htm default.html default.htm;
# Support Clean (aka Search Engine Friendly) URLs
location / {
try_files $uri $uri/ /index.php?$args;
}
# serve static files directly
location ~* \.(jpg|jpeg|gif|css|png|js|ico)$ {
access_log off;
expires max;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ \.scm$ {
include fastcgi_params;
fastcgi_intercept_errors on;
# By all means use a different server for the fcgi processes if you need to
fastcgi_pass 127.0.0.1:9981;
}
location ~ /\.ht {
deny all;
}
}
I removed history.clmitchell.net from the list of server names.
Here's the current history site config:
upstream backend {
server 104.131.29.212:3000 fail_timeout=0;
}
server {
listen [::]:80 ipv6only=off;
server_name localhost history.clmitchell.net;
access_log /var/log/hist_access.log;
error_log /var/log/hist_error.log;
root /var//resources/public;
# Web sockets
location /chsk {
proxy_pass http://backend/chsk;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Static assets
location / {
try_files $uri @backend;
}
# The backend server
location @backend {
proxy_pass http://backend;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
}
There was a duplicate "listen" directive on the history site config, which I removed... but for some reason I'm still getting the error:
sudo nginx -t
nginx: [emerg] duplicate listen options for [::]:80 in /etc/nginx/sites-enabled/hist:6
nginx: configuration file /etc/nginx/nginx.conf test failed
Please try
proxy_pass http://backend;
And make sure you can access http://127.0.0.1:3000/chsk if your upstream is defined as below
upstream backend {
server 127.0.0.1:3000;
}
Or if we have only one backend server we can just use proxy_pass without an upstream backend defined, e.g.
proxy_pass http://127.0.0.1:3000;
I learned a new lesson today: no two sites on a Nginx web server can have the same listen port!
I moved the new site to a new port and updated all the links...PROBLEM SOLVED!
I am developing a new project that uses forced HTTPS navigation, where we need to display an iframe with content that is not HTTPS.
The issue is that in Nginx I am forcing the usage of HTTPS with a redirect for any request.
I want to add an "exception" in the rewrite for the URL demo.html. I have no clue how to do this properly; any help much appreciated. Thanks
This is our Nginx config file:
server {
listen 80;
listen [::]:80;
server_name
www.domain.com
domain.com
;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
server_name
www.domain.com
domain.com
;
### redirect www to no www with client code 301 ###
if ($host = 'www.domain.com') {
rewrite ^/(.*)$ https://domain.com/$1 permanent;
}
root /srv/users/public;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto $scheme;
index index.php;
# Don't serve hidden files.
location ~ /\. {
deny all;
}
location / {
try_files $uri /index.php?$args;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param KOHANA_ENV PRODUCTION;
fastcgi_pass 127.0.0.1:2222;
try_files $uri =404;
}
}
In the end I will disable the HTTPS redirect for all pages and allow browsing without HTTPS as well.
So what I did is force the homepage to be HTTPS, and the rest of the links I print are always HTTPS except the one I need that doesn't use HTTPS. I did this:
## we only force the HTTPS to the home page but we allow to browse without HTTPS if they want to.
if ($request_uri = /) {
set $test A;
}
if ($scheme = 'http') {
set $test "${test}B";
}
if ($test = AB) {
rewrite ^/(.*)$ https://yclas.com/$1 permanent;
}
## END if Hack