nginx proxy pass content range - nginx

How can I make nginx to send source server if Range header is passed by user?
Currently I am tried this, but not worked:
server {
location / {
if ($http_range) {
set $var_arg_range $http_range;
}
if ($arg_range) {
set $var_arg_range "bytes=$arg_range";
}
proxy_set_header Range $var_arg_range;
proxy_pass https://content-na.drive.amazonaws.com;
proxy_set_header If-Range "";
proxy_set_header Host content-na.drive.amazonaws.com;
proxy_set_header Range $var_arg_range;
proxy_set_header Accept-Encoding "";
}
}
I need to make html5 videos streamable.

Finally I found it. I need to pass headers to source server with proxy_pass_request_headers. And don't forget to pass your custom Referer header:
server {
postpone_output 0;
resolver 8.8.8.8;
proxy_set_header Referer "https://content-na.drive.amazonaws.com";
proxy_set_header Host "content-na.drive.amazonaws.com";
proxy_pass_request_headers on;
proxy_ssl_verify off;
proxy_method "GET";
proxy_pass https://content-na.drive.amazonaws.com;
}

Related

Conditionally rewrite request url based on referer - Nginx

What I am trying to achive; is when the request coming from http://<ip>/vault/ui/ (referer in the request header) and it includes the http://<ip>/v1/* endpoint, to be rewriten or redirected to http://<ip>/vault/v1/
can someone please help me to solve this issue?
/etc/nginx/sites-enabled/reverse-proxy.conf
upstream command_center_vault {
server command-center-0.blinchik.io:28200;
}
server {
listen 80;
listen [::]:80;
location /vault/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_pass "http://command_center_vault/vault/";
proxy_redirect /ui/ /vault/ui/;
}
location /vault/v1/ {
proxy_pass "http://command_center_vault/v1/";
}
}
Headers
Update
A little bit more context, the overarching architecture looks as in the picture below.
the configuration of nginx server in the private subnet looks like this:
private subnet nginx
upstream consul_server {
server brain-consul-server-0.blinchik.io:8500;
server brain-consul-server-1.blinchik.io:8500;
server brain-consul-server-2.blinchik.io:8500;
}
upstream vault_server {
server brain-vault-server-0.blinchik.io:8200;
server brain-vault-server-1.blinchik.io:8200;
}
server {
listen 28500;
listen [::]:28500;
location /consul/ {
proxy_pass "http://consul_server";
sub_filter_once off;
sub_filter_types application/javascript text/html;
sub_filter "/v1/" "/consul_v1/";
}
location /consul_v1/ {
proxy_pass "http://consul_server/v1/";
}
}
server {
listen 28200;
listen [::]:28200;
location /vault/ {
proxy_pass "http://vault_server/";
port_in_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_redirect /ui/ /vault/ui/;
sub_filter_once off;
sub_filter '<head>' '<head><base href="/vault/">';
sub_filter '"/ui/' '"ui/';
#inspired by this repo https://github.com/Folcky/hashicorp-vault-and-nginx
}
location /v1/ {
proxy_pass "http://vault_server/v1/";
}
}
public subnet nginx
upstream command_center_vault {
server command-center-0.blinchik.io:28200;
}
server {
listen 80;
listen [::]:80;
location /vault/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_pass "http://command_center_vault/vault/";
proxy_redirect /ui/ /vault/ui/;
}
location /vault/v1/ {
proxy_pass "http://command_center_vault/v1/";
}
}
the consul part works fine. if I change in the public subnet configuration the location of /vault/v1/ to /v1/ then it works as well. But the problem that other products that I intend to add it to the reverse proxy (like Nomad) also uses the /v1/ path and in this case there will be a conflict.
I think this one should work (must be placed at the server context outside any locations:
if ($http_referer ~ /vault/ui) {
rewrite ^/v1(/.*) /vault/v1$1 last;
}
You can make regex pattern more strict including //<ip> or https?://<ip> parts.

Issue a custom token from NGINX

I am new to NGINX. I'm wondering if it is possible to, with a single request to NGINX, make two proxy calls that affect the outcome of the response.
Specifically, I'm wanting to add a token to the response of an NGINX request where the token is given as a response header from a separate service.
Theoretically, it might look something like...
location / {
# Call to token service and set the response to a variable, maybe?
# proxy_pass Make the actual call
# Add token from step one to response headers
}
I don't know if this is supported by NGINX, if I need to delve into a custom module, or if this is just a bad idea.
Thanks.
Got it!
location / {
if ($http_x_entry_id = "") {
return 302 /entry;
}
auth_request /token/test-token;
auth_request_set $token $upstream_http_x_test_token;
set $test_ui test-ui;
proxy_pass http://$test_ui;
add_header X-My-Token "$token";
}
location /token/test-token {
internal;
set $token_api token-api;
error_page 500 =401 /error/401;
error_page 400 =401 /error/401;
proxy_method POST;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
rewrite /token/(.*) "/$1/$http_x_entry_id" break;
proxy_pass http://$token_api:8080;
}

nginx conditional proxy pass based on request body content

I am trying to configure nginx to proxy pass the request to another server, only if the $request_body variable matches on a specific regular expression.But it is not working for me.
server{
listen 80 default;
server_name www.applozic.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
if ($request_body ~* (.*)appId(.*)) {
proxy_pass http://apps.applozic.com;
}
}
}
request body is::
{
"applicationId": "appId",
"authenticationTypeId": 1,
"enableEncryption": false,
"notificationMode": 0,
"deviceType": 4,
}
I found the solution.
I did following changes in nginx(open resty) config file
upstream algoapp {
server 127.0.0.0.1:543;
}
upstream main {
server 127.0.0.1:443;
}
location /rest/ws/login {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
if ($request_method = OPTIONS ) {
proxy_pass https://127.0.0.1:543;
}
if ($request_method = POST ) {
set $upstream '';
access_by_lua '
ngx.req.read_body()
local data = ngx.req.get_body_data()
local match = ngx.re.match(ngx.var.request_body, "appId")
if match then
ngx.var.upstream = "algoapp"
else
ngx.var.upstream = "main"
end
';
proxy_pass https://$upstream;
}
}
As best I can tell the issue is that the variable $request_body may not have been read into memory at the time your if statement is executing.
Suggested alternatives would be to use the lua support or compile nginx with the echo modules and run echo_request_body.
That is not so easy when come to using integration , like some circumstances your nginx does not really allow you to do extra proxy stuff to change the whole design, then you can try nginx-if-request-body to achieve the result
http {
....
map "$uri" $forward_status {
default 100; # 100 means nothing return, continue to proxy phase
"~*.+?\.(css|js|bmp|gif|ico|jpeg|jpg|pict|png|svg|swf|tif)$" 418;
}
map "$request_body" $forward_status_by_body {
default 100;
"abc123xxx" 418;
"~*.+?\.(css|js|bmp|gif|ico|jpeg|jpg|pict|png|svg|swf|tif)$" 418;
}
server {
...
error_page 418 =200 #welcome_if_request_body;
location #welcome_if_request_body {
add_header Content-Type text/plain;
return 200 "welcome_if_request_body, you hit it";
}
location = / {
if_request_body on;
return_status_if_body_eq "ASD" 418 on;
return_status_if_body_eq "foo" 418;
return_status_if_body_eq "john" 418;
return_status_if_body_startswith "report" 418;
return_status_if_body_contains "report" 418;
return_status_if_body_regex "^[\d]+?abc" 418;
return_status_if_variable_map_to $forward_status;
return_status_if_variable_map_to $forward_status_by_body;
proxy_pass http://localhost:7777;
}
...
}
}

NGINX frontending Kibana not working with "_plugin/kibana/" URI

I'm running the AWS Managed ElasticSearch to collect some logs and have created some Kibana dashboards to visualise the data, all that works fine.
Unfortunately the Kibana plugin included on with the AWS cluster is pretty much open to the world, so I have setup an NGINX reverse proxy to provide authenticated access. This is also working fine if I simply hit the domain URL and specify the full URI to the Kibana plugin. For example:
http://nginx.domain.com/_plugin/kibana/app/kibana works just fine, here in the nginx configuration I am using to achieve that:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/ /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
Rather than providing the full URL, I would like to simply hit the base domain name of the NGINX server, which would then redirect me to the full Kibana URI. So what I would LIKE to do is this:
http://nginx.domain.com
After entering the above URL, I would like to be redirected to the full Kibana URI, so I would end up with a URL like this
http://nginx.domain.com/_plugin/kibana/app/kibana
Here is the nginx configuration I have tried (in various different permutations) that does not work:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
With the configuration above, when I browse to http://nginx.mydomain.com the URL is redirected to:
http://nginx.myaws.com.au/_plugin/kibana/app/kibana
This looks like it SHOULD work, however I receive an error in the browser window:
{"statusCode":404,"error":"Not Found"}
I have about 4 hours experience with nginx, so hopefully I'm missing something simple. Any help would be very much appreciated.
Thank you!
Got it, finally!
worker_processes auto;
events {
worker_connections 1024;
}
http {
server {
listen 80 default_server;
server_name localhost;
location / {
proxy_set_header Host https://<endpoint address>.es.amazonaws.com;
proxy_set_header X-Real-IP <nginx ip address>;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_set_header Authorization "";
proxy_pass https://<endpoint address>.es.amazonaws.com/_plugin/kibana/;
proxy_redirect https://<endpoint address>.es.amazonaws.com/_plugin/kibana/ http://<nginx url>/kibana/;
}
location ~ (/app/kibana|/app/timelion|/bundles|/es_admin|/plugins|/api|/ui|/elasticsearch) {
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://<endpoint address>.es.amazonaws.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}

Nginx Reverse Proxy Websocket Authentication - HTTP 403

I'm using Nginx as a reverse proxy of a Spring boot application. I also use Websockets with sockjs and stomp messages.
Here is the context configuration.
<websocket:message-broker application-destination-prefix="/app">
<websocket:stomp-endpoint path="/localization" >
<websocket:sockjs/>
</websocket:stomp-endpoint>
<websocket:simple-broker prefix="/topic" />
</websocket:message-broker>
Here is the client code:
var socket = new SockJS(entryPointUrl);
var stompClient = Stomp.over(socket);
var _this = this;
stompClient.connect({}, function () {
stompClient.subscribe('/app/some-url', function (message) {
// do some stuff
});
});
I also you Spring Security to protect some content.
#Configuration
#Order(4)
public static class FrontendSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/js/**", "/css/**", "/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").permitAll()
.and()
.logout().permitAll();
}
}
Everything works great, expect when I run this application behind a Nginx reverse proxy. Here is the reverse configuration:
proxy_pass http://testsysten:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Max body size
client_max_body_size 10M;
The connection always fails with a HTTP 403 code.
I'm using version 1.9.7.
Do you have any idea, why the client does not gets authenticated?
I know similar questions, like this one but the solutions do not work at all.
Update
I managed to run the application over HTTP. I need to pass the CSRF token in the Nginx configuration. New configuration is:
proxy_pass http://testsysten:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
# Default in Spring Boot
proxy_pass_header X-XSRF-TOKEN;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
Only missing is redirect over HTTPS. In the Spring logs is see following entry:
o.s.w.s.s.t.h.DefaultSockJsService - Processing transport request: GET http://testsystem:80/localization/226/3mbmu212/websocket
Seems like Nginx Proxy needs to rewrite the to the right port.
I solved the problem by myself. Basically, Nginx needs to pass some additional header values if you want to use Websocket and Spring Security. The following lines need to be added to location section in your Nginx config:
# Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
# Default in Spring Boot and required. Without it nginx suppresses the value
proxy_pass_header X-XSRF-TOKEN;
# Set origin to the real instance, otherwise a of Spring security check will fail
# Same value as defined in proxy_pass
proxy_set_header Origin "http://testsysten:8080";
The accepted solution did not work for me although I was using a very classical HTTPS configuration:
server {
listen 443 ssl;
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8888;
}
...
The problem is that Spring checks the origin and specifically that code was causing me trouble:
// in org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders):
if ((this.scheme.equals("http") && "80".equals(this.port)) ||
(this.scheme.equals("https") && "443".equals(this.port))) {
this.port = null;
}
In that code the scheme is 'http' and the port is 8888, which is not discarded because it is not the standard port.
The browser however hits https://myserver/ and the 443 port is omitted because it is the default HTTPS one.
Therefore the ports do not match (empty != 8888) and origin check fails.
Either you can disable origin checks in Spring WebSockets:
registry.addHandler( resgisterHandler(), "/ws" ).setAllowedOrigins( "*" );
or (probably safer) you can add the scheme and port to the NGINX proxy configuration:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
If you are interested, those headers are read in
org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders)
For Spring Boot 2.2.2+
Starting with Spring Boot version 2.2.2 you should be adding following setting for these X-Forwarded-* headers to be taken into account:
server.forward-headers-strategy=native
(in application.properties for instance)
I had faced a similar problem. I was unable to use the basic Spring Security authentication with NGINX. Apart from setting the proxy_pass_header X-XSRF-TOKEN;, I also had to set underscores_in_headers on;, since NGINX by default does not allow headers with underscores and the CSRF token is named _csrf.
So my final configuration file looked like this:
server {
underscores_in_headers on;
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name localhost;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
location /example/ {
proxy_pass_header X-XSRF-TOKEN;
proxy_pass http://localhost:8080/;
}
}
I solved this problem without CSRF header in NGINX proxy.
My stack: spring-boot, spring-security (with redis session store), spring-boot-websocket with default STOMP implementation, NGINX to serve frontend and proxied to another services that frontend consume.
In first time I use the default configuration show in the NGINX Blog here and here (copy and paste for history):
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream websocket {
server 192.168.100.10:8010;
}
server {
listen 8020;
location / {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}
But dont work, still 403 Forbidden.
I fixed this issue with the configuration below (the real important part to fix websocket is # WebSocket Proxy):
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 30010;
server_name localhost;
client_max_body_size 10M;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
# Backend API Proxy
location /api {
proxy_pass http://192.168.0.100:30080;
proxy_set_header Host $http_host;
proxy_set_header Access-Control-Allow-Origin 192.168.0.100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
rewrite ^/api/?(.*) /$1 break;
proxy_redirect off;
}
# CDN Proxy
location ~ ^/cdn/(.*) {
proxy_pass http://192.168.0.110:9000;
rewrite ^/cdn/(.*) /$1 break;
}
# This is the configuration that fix the problem with WebSocket
# WebSocket Proxy
location /ws {
proxy_pass http://192.168.0.120:30090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header Access-Control-Allow-Origin 192.168.0.120;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
}
}
}
In my case (Spring Boot app), in addition to setting the Origin header as specified in the accepted answer, I had to set the Host header to match the ip:port of the Origin header, or to get rid of it altogether.
This is my working vhost config:
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/ssl/certs/<your-cert-file>.pem;
ssl_certificate_key /etc/ssl/private/<your-key-file>.key;
server_name <your-server-fqdn>;
access_log /var/log/nginx/<your-server-fqdn>.access.log;
error_log /var/log/nginx/<your-server-fqdn>.error.log error;
root /srv/www/<your-server-fqdn>;
index index.html index.html;
location / {
try_files $uri $uri/ /index.html;
}
location /api {
proxy_pass http://127.0.0.1:8080/v1;
}
location /async-api {
proxy_pass http://127.0.0.1:8080/stomp;
proxy_http_version 1.1;
# either set Host header as follows or get rid of the directive altogether
#proxy_set_header Host "127.0.0.1:8080";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# Set origin to the real instance, otherwise a of Spring security check will fail
# Same value as defined in proxy_pass
proxy_set_header Origin "http://127.0.0.1:8080";
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /admin-api {
proxy_pass http://127.0.0.1:8080/api;
}
}

Resources