Develop Reference

How to make nginx not return the response body when performing redirection?

An example configuration is as follows:
server {
listen 80;
server_name www.example.com;
rewrite ^/(.*)$ https://www.example.com/$1 permanent;
}
nginx returns a response body when performing a redirect.
$ curl -v http://www.example.com
* Trying 121.5.221.184:80...
* Connected to www.example.com (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Tue, 02 Aug 2022 16:13:04 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://www.example.com/
<
{ [162 bytes data]
* Connection #0 to host www.example.com left intact
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
I don't think this response body is useful, and instead wastes server bandwidth. Is it possible to make nginx not return any response body when performing redirection?

How to forward request from one NGINX to another but keeping the domain of the first NGINX

I have a sub-domain (foo.domain.com) that is maintained by my organization and in which I don't have control.
The organization configured that domain to point to a Route 53 service and from there I created a policy that sends the request to an ALB which then finally sends it to an EC2 running NGINX.
NGINX will be responsible for URL rewrites to many other services I have running in different EC2 instances.
What I want is, for example:
request is sent to foo.domain.com/service1
goes to Route53 then to an ALB and then to the EC2 running NGINX
in NGIX, I have the following config
...
location = /service1/
{
proxy_redirect off;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_pass https://public_ip_of_service1_ec2_instance$request_uri;
}
This request goes to the EC2 instance running service1, which is another NGINX proxy running a node.js application (npm build kinda thing)
The NGINX service1 conf file is:
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/self-signed.conf;
server_name public_ip_of_service1_ec2_instance;
root /app; #this is where the static files are hosted
location ~* \.html?$ {
expires -1;
add_header Pragma "no-cache";
add_header Cache-Control "no-store, must-revalidate";
}
location / {
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
index index.html;
try_files $uri $uri/ /index.html;
# kill cache
# expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
If I hit the NGINX URL of service1, it works just fine, but the problem is when I call the NGINX proxy from step 3.
When I hit the URL foo.domain.com/service1 on the browser, I see this:
Basically, it says that foo.domain.com/js/chunk....js can't be found. This is correct since this file is being served in the EC2 that is running that node.js application (that is, it can be found at http://public_ip_of_service1_ec2_instance/js/chunk....js)
What is the configuration that I am missing in order to be able to keep the domain foo.domain.com/service1 for my users at all times and never to see the public_ip_of_service1_ec2_instance
Thank you
EDIT 1
The issue reported here seems to be exactly like mine: https://serverfault.com/questions/805836/reverse-proxy-application-and-its-static-files-with-nginx
I followed the suggestion there and as well as #anemyte suggestion but it is not working.
It seems like Proxy1 is trying to serve the static files that are hosted in Proxy2 as you can see here:
proxy | 2021/01/04 10:16:22 [error] 29#29: *4 open() "/etc/nginx/html/js/app.53272292.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.53272292.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:22 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:22 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/04 10:16:22 [error] 29#29: *4 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/04 10:16:22 [error] 29#29: *6 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/04 10:16:23 [error] 29#29: *6 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:23 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/04 10:16:23 [error] 29#29: *6 open() "/etc/nginx/html/js/app.53272292.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.53272292.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [04/Jan/2021:10:16:23 +0000] "GET /js/app.53272292.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
My proxy 1 conf file looks like this now:
worker_processes 1;
events { worker_connections 1024; }
http {
log_format main '( $proxy_host $upstream_addr ) $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
rewrite_log on;
access_log /var/log/nginx/access.log main;
server {
listen 80;
server_name apacbsa.com;
location /auspost/ {
# proxy_redirect off;
# proxy_read_timeout 1m;
# proxy_connect_timeout 1m;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# proxy_buffering off;
#proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Host $server_name;
proxy_pass https://192.168.1.113/;
}
}
}
EDIT2
Still no luck. This is what I am seeing in NGINX1 logs:
proxy | ( 192.168.1.113 192.168.1.113:443 ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /auspost/ HTTP/1.1" 200 2111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:37 [error] 21#21: *9 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /js/app.54337cb4.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:37 [error] 21#21: *12 open() "/etc/nginx/html/js/app.54337cb4.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.54337cb4.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:37 [error] 21#21: *11 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:37 [error] 21#21: *13 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:37 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:38 +0000] "GET /css/app.0988b263.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:38 +0000] "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:38 [error] 21#21: *12 open() "/etc/nginx/html/css/app.0988b263.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/app.0988b263.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:38 [error] 21#21: *11 open() "/etc/nginx/html/css/chunk-vendors.e78a06e5.css" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /css/chunk-vendors.e78a06e5.css HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:39 +0000] "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
proxy | 2021/01/05 00:00:39 [error] 21#21: *13 open() "/etc/nginx/html/js/chunk-vendors.7b27d7ff.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/chunk-vendors.7b27d7ff.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | 2021/01/05 00:00:39 [error] 21#21: *11 open() "/etc/nginx/html/js/app.54337cb4.js" failed (2: No such file or directory), client: 172.19.0.1, server: apacbsa.com, request: "GET /js/app.54337cb4.js HTTP/1.1", host: "localhost", referrer: "http://localhost/auspost/"
proxy | ( - - ) 172.19.0.1 - - [05/Jan/2021:00:00:39 +0000] "GET /js/app.54337cb4.js HTTP/1.1" 404 153 "http://localhost/auspost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
And this is what I see in the NGINX2 (serving static files) logs (just 1 line):
frontend | 172.21.0.1 - - [05/Jan/2021:11:04:17 +1100] "GET / HTTP/1.0" 200 2111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:80.0) Gecko/20100101 Firefox/80.0" "172.19.0.1"
This is the full nginx conf file for NGINX2:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 10m;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
fastcgi_send_timeout 600s;
fastcgi_read_timeout 600s;
resolver_timeout 600s;
# for DDOS protection - 3 requests per second
limit_req_zone $binary_remote_addr zone=one:10m rate=3r/s;
# limiting the number of connections one client can make
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
listen 80;
listen [::]:80;
server_name apacbsa.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/self-signed.conf;
server_name apacbsa.com;
root /app;
location ~* \.html?$ {
expires -1;
add_header Pragma "no-cache";
add_header Cache-Control "no-store, must-revalidate";
}
location /auspost/ {
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
index index.html;
try_files $uri $uri/ /index.html;
# kill cache
# expires -1;
}
location /api {
# limiting the number of api calls
limit_req zone=one burst=2 nodelay;
# only one connection per client to the api
limit_conn addr 1;
proxy_pass https://backend:5001/api;
proxy_redirect off;
proxy_connect_timeout 1m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
Everything is running in docker containers, but that shouldn't be the problem I don't think.
So I issue the request from my browser in my Mac laptop and in that laptop I am running the NGINX1 proxy. That then forwards to my Windows machine running NGINX2 static files.

When you declare a location like that:
location = /service1/
It means that you want exact URL match. So it will only work for foo.domain.com/service1/ while foo.domain.com/service1/something won't match this location. Looking at the URL of your request (/js/chunk) this isn't what you want, so remove = from the location:
location /service1/
Next is the server_name. Your first proxy passes Host header which NGINX uses to determine which vhost configuration to use. The Host header value should be foo.domain.com but your server_name on the second NGINX is public_ip_of_service1_ec2_instance. It doesn't matter if the vhost is a default one but I don't see that in your configuration.
You can add foo.domain.com after public_ip_of_service1_ec2_instance or just replace one with the other. What's best in this case you should decide yourself and if you wish to learn more about server names I recommend you reading these great articles: How nginx processes a request and Server names
UPD: About missing static files.
You need to change base URL or base path of your service1 application from / to /service1/. This is not related to NGINX, unless your application is made of just static files.
Why did that happen? Well you've told first NGINX that you want all requests with URL starting with /service1/ to be forwarded to service1. When a client hits service1, the page refers some static, /js/chunk-vendors.7b27d7ff.js for example. Client's browser makes an additional request to the first NGINX asking to provide /js/chunk-vendors.7b27d7ff.js. Since the URL does not begin with /service1/ NGINX does not forward the request to /service1/ and it uses another piece of config for this request (/ most likely).
If you change all absolute URLs at service1 to begin with /service1/ the problem should go. A dangerous alternative to that would be removing first slash from absolute links. This way URLs will be relative to current location and not website root. Think twice before going second option.

I have done some testing lately and here's what I found out:
In your nginx proxy config, remove the line:
proxy_set_header Host $http_host;
Which will result in your final configuration nginx file to be:
location = /
{
proxy_redirect off;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_pass https://public_ip_of_service1_ec2_instance;
}

You could configure something like this in the first nginx server
server {
listen 80;
listen [::]:80;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name domain1;
if ($request_method ~* OPTIONS|GET|HEAD) {
return 301 https://domain2$request_uri;
}
location ~* api {
proxy_pass https://domain2$request_uri;
}
}

nginx HTTP 400 Bad Request - Invalid Hostname

I've configured nginx as a front-end load-balancer across three nodes of a web application I've constructed. nginx continually returns 400/bad request - invalid hostname errors regardless of the values i use in upstream.server and server.server_name. I've tried localhost and 127.0.0.1 for both of those values and issued requests using matching cURL/Postman requests to no avail.
I've also tried setting the value for server.server_name including the port number to better match the incoming HTTP HOST header to no avail.
nginx.conf
events {
worker_connections 1024;
}
http {
upstream myapp {
server 127.0.0.1:8001;
server 127.0.0.1:8002;
server 127.0.0.1:8003;
}
server {
listen 8000;
server_name 127.0.0.1;
location / {
proxy_pass http://myapp;
}
}
}
cURL requests result in the following (no difference between using localhost and 127.0.0.1).
C:\>curl -v http://127.0.0.1:8000/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.17.1
< Date: Mon, 22 Jul 2019 14:29:22 GMT
< Content-Type: text/html; charset=us-ascii
< Content-Length: 334
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
* Connection #0 to host 127.0.0.1 left intact

The solution was to add proxy_set_header Host <hostname> in the server.location section of the config used by nginx.
Thank you to Michael Hampton on serverfault.
events {
worker_connections 1024;
}
http {
upstream myapp {
server 127.0.0.1:8001;
server 127.0.0.1:8002;
server 127.0.0.1:8003;
}
server {
listen 8000;
server_name 127.0.0.1;
location / {
proxy_pass http://myapp;
proxy_set_header Host $host;
}
}
}

nginx proxy_pass over https_proxy

I am trying to set up nginx with this config. To access backend.mygreat.server.com I have to go through my corporate proxy, which is myproxy.server.com:80.
Hence, I have added this in /etc/environment
https_proxy=myproxy.server.com:80
Yet, nginx is unable to reach https://backend.mygreat.server.com:443. I'm seeing 504 as HTTP status in nginx logs.
I could use wget or curl to load the page (goes via corporate proxy)
server {
listen 443;
server_name mygreat.server.com;
ssl on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_certificate /etc/nginx/ssl/mygreat.server.com.pem;
ssl_certificate_key /etc/nginx/ssl/mygreat.server.com.key;
access_log /var/log/nginx/access.ssl.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host-Real-IP $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-Pcol http;
proxy_intercept_errors on;
error_page 301 302 307 = #handle_redirects;
proxy_pass https://backend.mygreat.server.com:443;
}
location #handle_redirects {
set $saved_redirect_location '$upstream_http_location';
proxy_pass $saved_redirect_location;
}
}
Any help is greatly appreciated.
Thanks
Update :
Here is the sample error log from nginx
2017/10/18 06:55:51 [warn] 34604#34604: *1 upstream server temporarily disabled while connecting to upstream, client: <ip-address>, server: mygreat.server.com, request: "GET / HTTP/1.1", upstream: "https://<ip-of-backend>:443/", host: "mygreat.server.com"
If I run curl -v https://backend.mygreat.server.com/ below is the response
* About to connect() to proxy corp-proxy.server.com port 80 (#0)
* Trying <some-ip-address>...
* Connected to corp-proxy.server.com (<ip-of-proxy>) port 80 (#0)
* Establish HTTP proxy tunnel to backend.mygreat.server.com:443
> CONNECT backend.mygreat.server.com:443 HTTP/1.1
> Host: backend.mygreat.server.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=backend.mygreat.server.com,OU=Technology Operations,O=MyCompany.,L=San Diego,ST=California,C=US
* start date: Mar 15 00:00:00 2017 GMT
* expire date: Mar 15 23:59:59 2020 GMT
* common name: backend.mygreat.server.com
* issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: backend.mygreat.server.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: openresty/1.11.2.5
< Date: Wed, 18 Oct 2017 14:03:10 GMT
< Content-Type: text/html;charset=UTF-8
< Content-Length: 5642
< Connection: keep-alive
< X-XSS-Protection: 1; mode=block
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
< Expires: 0
< P3P: policyref="http://backend.mygreat.server.com/w3c/p3p.xml" CP="CURa OUR STP UNI INT"
< Content-Language: en
< Set-Cookie: qboeuid=127.0.0.1.1508335390550307; path=/; expires=Thu, 18-Oct-18 14:03:10 GMT; domain=.server.com
< Set-Cookie: JSESSIONID=784529AA39C10C3DB4B0ED0D61CC8F31.c23-pe2ec23uw2apu012031; Path=/; Secure; HttpOnly
< Set-Cookie: something.blah_blah=testme; Domain=.server.com; Path=/; Secure
< Vary: Accept-Encoding
<
<!DOCTYPE html>
<html>
....
</html>

So first of all I am not sure if Nginx is suppose to respect http_proxy and https_proxy variables. I didn't find any documentation on the same. So I assume your issues is related to nginx not using proxy at a all
So now you have an option to use something which actually uses proxy. This is where socat comes to rescue.
Running socat forwarder
If you have a transparent proxy then run
socat TCP4-LISTEN:8443,reuseaddr,fork TCP:<proxysever>:<proxyport>
And if you have CONNECT proxy then use below
socat TCP4-LISTEN:8443,reuseaddr,fork PROXY:yourproxy:backendserver:443,proxyport=<yourproxyport>
Then in your nginx config use
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host-Real-IP $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-Pcol http;
proxy_intercept_errors on;
proxy_set_header Host backend.mygreat.server.com;
proxy_pass https://127.0.0.1:8443;
proxy_redirect https://backend.mygreat.server.com https://mygreat.server.com;
}
You probably want to use Systemd service to launch the socat, so it runs on startup and is handled as a service

Nginx's proxy_pass does not support https proxy.
http proxy can be supported, but the request url only supports http.
this is a example:
server {
listen 8880;
server_name localhost;
location / {
rewrite ^(.*)$ "://developer.android.com$1";
rewrite ^(.*)$ "http$1" break;
proxy_set_header Proxy-Connection Keep-Alive;
proxy_set_header Host developer.android.com;
proxy_pass http://127.0.0.1:1080;
proxy_redirect ~^https?://developer\.android\.com(.*)$ http://$host:8080$1;
}
}
see: https://serverfault.com/a/683955/418613

Odoo10 - Missing CSS and JS files after using reverse proxy Error 111 connection refused

We're migrating from old server to a new one, so I've installed Odoo V10.0 on Ubuntu 16.04LTS hosted on Digitalocean.
Everything works just fine, but when I used reverse proxy to access Odoo from port 80 instead of the default 8069 according to this book and upload the old db, all the JS and CSS/LESS files give 404 not found on the website and I get Error 111 connection refused when the server tries to redirect to the online payment gateway.
Here's a screenshot of the error I receive in console
Here's my Nginx configuration in /etc/nginx/sites-available/odoo:
upstream backend-odoo {
server 127.0.0.1:8069;
}
upstream backend-odoo-im {
server 127.0.0.1:8072;
}
server {
listen 80;
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://$host$request_uri? permanent;
}
server {
listen 443 default;
# ssl settings
ssl on;
ssl_certificate
/etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
keepalive_timeout 60;
#increase the upload file size limit
client_max_body_size 30M;
# proxy header and settings
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
# odoo log files
access_log /var/log/nginx/odoo-access.log;
error_log /var/log/nginx/odoo-error.log;
# increase proxy buffer size
proxy_buffers 16 64k;
proxy_buffer_size 128k;
# force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500
http_502 http_503;
# enable data compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css;
gzip_vary on;
location / {
proxy_pass http://backend-odoo;
}
location ~* /web/static/ {
# cache static data
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://backend-odoo;
}
location /longpolling {
proxy_pass http://backend-odoo-im;
}
}
Here's Odoo conf file:
[options]
addons_path = /odoo/enterprise/addons,/odoo/odoo-server/addons,/odoo/custom/addons,/odoo/server-tools
admin_passwd = xxxxxxxxxxx
csv_internal_sep = ,
data_dir = /odoo/.local/share/Odoo
db_host = False
db_maxconn = 64
db_name = False
db_password = False
db_port = False
db_template = template1
db_user = xxxx
dbfilter = .*
demo = {}
email_from = False
geoip_database = /usr/share/GeoIP/GeoLiteCity.dat
import_partial =
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 60
limit_time_real = 120
limit_time_real_cron = -1
list_db = True
log_db = False
log_db_level = warning
log_handler = :INFO
log_level = info
logfile = /var/log/odoo/odoo-server.log
logrotate = False
longpolling_port = 8072
max_cron_threads = 2
osv_memory_age_limit = 1.0
osv_memory_count_limit = False
pg_path = None
pidfile = None
proxy_mode = True
reportgz = False
server_wide_modules = web,web_kanban
smtp_password = False
smtp_port = 25
smtp_server = localhost
smtp_ssl = False
smtp_user = False
syslog = False
test_commit = False
test_enable = False
test_file = False
test_report_directory = False
translate_modules = ['all']
unaccent = False
without_demo = False
workers = 0
xmlrpc = True
netrpc_interface = 127.0.0.1
xmlrpc_interface = 127.0.0.1
xmlrpc_port = 8069
Here's the output of log file in /var/log/nginx/odoo-error.log
2017/04/01 06:55:24 [error] 24333#24333: *3196 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xxx.xxx, server: , request: "GET /web_planner/static/src/img/odoo_logo.png HTTP/1.1", upstream: "http://127.0.0.1:8069/web_planner/static/src/img/odoo_logo.png", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/?debug=1"
2017/04/01 06:55:25 [error] 24333#24333: *3495 upstream prematurely closed connection while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?debug="
2017/04/01 07:01:29 [error] 24333#24333: *4263 upstream prematurely closed connection while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?"
2017/04/01 08:03:12 [error] 30741#30741: *5413 upstream prematurely closed connection while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?debug=1"
2017/04/01 08:17:38 [error] 30741#30741: *5491 upstream prematurely closed connection while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?debug=1"
2017/04/01 08:35:15 [error] 30741#30741: *6308 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?debug="
2017/04/01 08:46:38 [error] 30741#30741: *6897 upstream prematurely closed connection while reading response header from upstream, client: xx.xx.xxx.xxx, server: , request: "POST /longpolling/poll HTTP/1.1", upstream: "http://127.0.0.1:8069/longpolling/poll", host: "yyy.yy.yyy.yy", referrer: "https://yyy.yy.yyy.yy/web?debug="
the output of $netstat -ntlp | grep LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8069 0.0.0.0:* LISTEN -
Lastly the output of $telnet 127.0.0.1 8069
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
the output of $telnet 127.0.0.1 8072
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
the output of $telnet 127.0.0.1
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
PS. I didn't apply the SSL certificate yet or the domain name.

Comment below lines and try like that.
netrpc_interface = 127.0.0.1
xmlrpc_interface = 127.0.0.1