How to create a reverse proxy behind a CDN (another reverse proxy) - nginx

I have the www.site.com and I have the blog.site.com.
On the site.com server I have an nginx reverse proxy pointing from www.site.com/blog to www.blog.com and everything works fine. Here's the code:

    location /blog {
        proxy_read_timeout 30s;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        proxy_pass http://blog.site.com;
        proxy_redirect off;
    }

But when I add the CloudFlare CDN I got the error 1000 because it's another reverse proxy. (https://support.cloudflare.com/hc/en-us/articles/200171976-Error-1000-DNS-points-to-prohibited-IP)
How can I solve that?

This is because Cloudflare detected that the site at blog.site.com is hosted at Cloudflare too, and there is a chance that allowing you to do this will create a request loop.
Possible solutions:
Take one of the hosts off cloudflare;
Proxy directly to the IP address of the host inside nginx.
Code:

    location /blog {
        proxy_read_timeout 30s;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        proxy_pass http://{Your-Host-IP-Address};
        proxy_redirect off;
    }

Related

StreamLit behind Nginx behind reverse proxy (load balancer)

I have a Docker app running on an Nginx webserver, that works fine connecting directly to the webserver. However, the webserver is behind a separate Nginx reverse proxy server (functioning as WAF, load balancer, and in some cases directs path specific requests to different servers - as in this specific case).
The internal server config, which works if I connect directly to this server, looks like:

    # redirect without the trailing slash because the author did not include the full path in the Docker app
    location /apppath/editor {
        return 302 /apppath/editor/;
    }
    location /apppath/editor/ {
        proxy_redirect off;
        proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://0.0.0.0:8501/editor/;
    }
    location /apppath {
        alias /var/www/dockerapp;
        try_files $uri $uri/ =404;
    }

I could not find examples of multiple levels of reverse proxy for a websocket app, so I have tried countless variations, but the public (LB/WAF) config currently looks like:

    location /apppath {
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_headers_hash_bucket_size 128;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        #proxy_buffering off;
        #proxy_set_header Forwarded "for=$proxy_add_x_forwarded_for;proto=$scheme";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        #proxy_set_header Referer $http_referer;
        proxy_pass https://10.0.6.13:443;
    }

From the public location, requests to /apppath/pages.html work fine, but when I attempt to hit /apppath/editor/ I see only "Please wait..." with the "Made with Streamlit" tag at the bottom.
My browser shows repeated requests for /apppath/editor/healthz and the console is full of:

    WebsocketConnection WebSocket onerror
    Uncaught Error: Unsupported state transition
    State: PINGING_SERVER
    Event: CONNECTION_TIMED_OUT
    ...

Cookie Rewrite with NGINX

Okay so I've set up a nginx server that proxies to another 2 servers with load balancing. The only thing now missing are the cookies.
I've been searching numerous forums and questions regarding the rewriting of cookies. Can anyone please give me insight as to how to fix this issue?
The web application deployed to the 2 servers is written with Vaadin.
The 2 servers are running TomEE on port 8080 and 8081 for example.
I'm rewriting through nginx from easy.io to server1:8080 and server2:8080.
Refer to image below: when navigating to server1:8080/myapplication all my cookies are available.
https://ibb.co/X86pvCq
https://ibb.co/0M0GjCt
Refer to image below: when navigating to http://worksvdnui.io/ my cookies are not available.
https://ibb.co/qBkBRqb
I've tried using proxy_cookie_path, proxy_set_header Cookie $http_cookie but to no avail.
Here's the code:

    upstream worksvdnuiio {
        # ip_hash; sticky sessions!
        ip_hash;
        # server localhost:8080;
        server hades:9090;
        server loki:9090;
    }
    server {
        listen 80;
        listen [::]:80;
        server_name worksvdnui.io;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        location /PUSH {
            proxy_pass "http://worksvdnuiio/test.qa.gen/PUSH";
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
            proxy_ignore_client_abort off;
            proxy_read_timeout 84600s;
            proxy_send_timeout 84600s;
            break;
        }
        location / {
            proxy_pass "http://worksvdnuiio/test.qa.gen/";
            proxy_cookie_path /test.qa.gen/ /;
            proxy_set_header Cookie $http_cookie;
            proxy_pass_request_headers on;
        }
    }

Any insight would be VALUABLE!
Thanks in advance.

NGINX proxy http://host/jenkins to http://host:8080

I try to use NGINX as a reverse proxy for my Jenkins server. Basically when http://host/jenkins gets opened in the browser NGINX should proxy the request to http://host:8080 where Jenkins is listening.
I tried various different configurations but none really works. Here is the location configuration that I use at the moment. It somehow works, but does not show any images, etc.

    location /jenkins/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8080/;
        proxy_read_timeout 90s;
        # Fix potential "It appears that your reverse proxy set up is broken" error.
        proxy_redirect http://localhost:8080/ https://host/jenkins/;
    }

Make sure to update your Jenkins configuration:

    JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"

Taken from https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy

How to set the real ip in a request going from nginx to a backend server

I have my backend servers fronted with nginx. When a user sends a request to my backend, it hits the NginX and then it is routed to the backend server. There, I publish some stats and one of them is the client IP. In my setup, it's the Nginx IP which gets published as the client IP. Is there a way and a config to set the real IP of the client?
Following is my config.

    server {
        listen 8280;
        server_name my.server.com;
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;
            proxy_pass http://myserver_http/;
        }
        access_log /mnt/var/log/nginx/myserver/access.log;
        error_log /mnt/var/log/nginx/myserver/error.log;
    }

In order to forward the real client IP, use inside your location block:

    proxy_set_header X-Real-IP $remote_addr;
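
With a CDN or a second nginx in front, as in the other questions on this page, `$remote_addr` at the inner hop is the upstream proxy, and the left end of X-Forwarded-For is whatever the client sent. The following added example (not from the original posts) shows how a backend can choose the client address by walking X-Forwarded-For from the right and trusting only known proxy ranges; the ranges, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ranges standing in for the CDN's published ranges and
# the internal nginx hop; replace with the real ones for your deployment.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.6.0/24", "203.0.113.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def leftmost_entry(x_forwarded_for):
    """Naive choice, shown for contrast: the client controls this value."""
    return x_forwarded_for.split(",")[0].strip()


def client_ip(remote_addr, x_forwarded_for):
    """Return the address to record as the client.

    remote_addr     -- TCP peer of this hop (nginx's $remote_addr)
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    candidate = ipaddress.ip_address(remote_addr)
    # An untrusted peer can put anything in the header, so ignore it entirely.
    if not is_trusted(candidate) or not x_forwarded_for:
        return str(candidate)
    # Each proxy appends the peer it saw, so the right-most entries were
    # written by our own infrastructure. Walk right to left.
    for entry in reversed([e.strip() for e in x_forwarded_for.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: keep the last address we could parse
        candidate = hop
        if not is_trusted(hop):
            break  # first hop that is not one of our proxies: the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed header: the client sent "192.0.2.1", the CDN appended the
    # real peer, the outer nginx appended the CDN edge address.
    header = "192.0.2.1, 198.51.100.7, 203.0.113.9"
    print("naive:  ", leftmost_entry(header))
    print("trusted:", client_ip("10.0.6.5", header))
```

nginx's realip module applies the same rule on the proxy itself with `set_real_ip_from`, `real_ip_header` and `real_ip_recursive on`.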

proxy_pass does not work properly

I need to resolve some Cross Domain Policy issues for our team's project setup (Converse.js, XMPP, BOSH, ...) by setting up a nginx reverse proxy configuration.
I want to achieve exactly these bindings:
nginx to local gunicorn HTTP server
http://my.nginx.server.com/ should proxy http://localhost:8000/
nginx to remote HTTP-server for BOSH
http://my.nginx.server.com/http-bind should proxy http://some.very.remote.server:5280/http-bind
Currently, only the first binding works. The second one doesn't. nginx delivers every request to the local gunicorn HTTP server and not to the remote server.
This is my nginx.conf:

    ...
    server {
        listen 80;
        server_name localhost;
        # Reverse proxy for remote HTTP server
        location ~ ^/http-bind/ {
            proxy_pass http://some.very.remote.server:5280;
        }
        # Reverse proxy for local gunicorn HTTP server
        location / {
            proxy_pass http://localhost:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect http://$server_name http://$server_name:8000;
        }
        ...
    }

I have found this working configuration:

    location /http-bind {
        proxy_pass http://sapbot.mo.sap.corp:5280/http-bind;
        proxy_set_header Host $host;
        proxy_buffering off;
        tcp_nodelay on;
    }
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://$server_name http://$server_name:8000;
    }
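
Why the first configuration hands `/http-bind` to gunicorn while the second does not, as an added example (not code from the original posts): a simplified model of nginx location selection and of how `proxy_pass` maps the request path. It generalises to `=` and `^~` locations; query strings, named locations and variables in `proxy_pass` are not modelled, and the function names are hypothetical.

```python
import re

# (modifier, pattern, proxy_pass) in file order, copied from the two configs above.
BROKEN = [("~", r"^/http-bind/", "http://some.very.remote.server:5280"),
          ("", "/", "http://localhost:8000")]
WORKING = [("", "/http-bind", "http://sapbot.mo.sap.corp:5280/http-bind"),
           ("", "/", "http://localhost:8000")]


def select_location(locations, path):
    """Simplified nginx selection: exact, longest prefix, '^~', first regex."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and path == pat:
            return loc
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc
    if best and best[0] == "^~":
        return best  # '^~' suppresses the regex pass
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return loc  # first matching regex in file order wins
    return best


def upstream_url(locations, path):
    """URL requested upstream for `path` (hypothetical helper)."""
    loc = select_location(locations, path)
    if loc is None:
        return None
    mod, pat, target = loc
    scheme, rest = target.split("://", 1)
    host, slash, uri = rest.partition("/")
    if not slash:
        return f"{scheme}://{host}{path}"  # no URI part: path passed unchanged
    if mod in ("~", "~*"):
        raise ValueError("nginx rejects a proxy_pass URI in a regex location")
    # URI part present: the matched location prefix is replaced by it.
    return f"{scheme}://{host}/{uri}{path[len(pat):]}"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("working", WORKING)):
        for p in ("/http-bind", "/http-bind/", "/index.html"):
            print(name, p, "->", upstream_url(conf, p))
```

The regex `^/http-bind/` requires the trailing slash, so a request for `/http-bind` falls through to `location /`; the prefix location `/http-bind` matches both forms.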
