SSL Pass-Through in Nginx Reverse proxy? - nginx

Is it possible to use Nginx reverse proxy with SSL Pass-through so that it can pass request to a server who require certificate authentication for client.
It means server will need to have certificate of client server and will not need certificate of Nginx reverse proxy server.

Not sure how much it can work in your situation, but newer (1.9.3+) versions of Nginx can pass (encrypted) TLS packets directly to an upstream server, using the stream block :
stream {
server {
listen 443;
proxy_pass backend.example.com:443;
}
}
If you want to target multiple upstream servers, distinguished by their hostnames, this is possible by using the nginx modules ngx_stream_ssl_preread and ngx_stream_map. The concept behind this is TLS Server Name Indication.
Dave T. outlines a solution nicely. See his answer on this network.

From the moment that we want to do ssl pass-through, the ssl termination will take place to the backend nginx server. Also i haven't seen an answer that takes care of the http connections as well.
The optimal solution will be a Nginx that is acting as a Layer 7 + Layer4 proxy at the same time. Something else that is rarely a subject of discussion is the IP Address redirection. When we use a proxy, this must be configured on the proxy, and not to the backend server like usually.
Lastly, the client ip address must be preserved, hence we must use the proxy protocol to do this correctly.
Sounds confusing? It's not much.
I came up with a solution that i currently using in production is works flawlessly.
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
variables_hash_bucket_size 1024;
variables_hash_max_size 1024;
map_hash_max_size 1024;
map_hash_bucket_size 512;
types_hash_bucket_size 512;
server_names_hash_bucket_size 512;
sendfile on;
tcp_nodelay on;
tcp_nopush on;
autoindex off;
server_tokens off;
keepalive_timeout 15;
client_max_body_size 100m;
upstream production_server {
server backend1:3080;
}
upstream staging_server {
server backend2:3080;
}
upstream ip_address {
server backend1:3080; #or backend2:3080 depending on your preference.
}
server {
server_name server1.tld;
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 64k;
proxy_cache_background_update on;
proxy_pass http://production_server$request_uri;
}
}
server {
server_name server2.tld;
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 16k;
proxy_cache_background_update on;
proxy_pass http://staging_server$request_uri;
}
}
server {
server_name 192.168.1.1; #replace with your own main ip address
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 16k;
proxy_cache_background_update on;
proxy_pass http://ip_address$request_uri;
}
}
}
stream {
map $ssl_preread_server_name $domain {
server1.tld production_server_https;
server2.tld staging_server_https;
192.168.1.1 ip_address_https;
default staging_server_https;
}
upstream production_server_https {
server backend1:3443;
}
upstream staging_server_https {
server backend2:3443;
}
upstream ip_address_https {
server backend1:3443;
}
server {
ssl_preread on;
proxy_protocol on;
tcp_nodelay on;
listen 443;
listen [::]:443;
proxy_pass $domain;
}
log_format proxy '$protocol $status $bytes_sent $bytes_received $session_time';
access_log /var/log/nginx/access.log proxy;
error_log /var/log/nginx/error.log debug;
}
Now the only thing is yet to be done is to enable proxy protocol to the backend servers. The example below will get you going:
server {
real_ip_header proxy_protocol;
set_real_ip_from proxy;
server_name www.server1.tld;
listen 3080;
listen 3443 ssl http2;
listen [::]:3080;
listen [::]:3443 ssl http2;
include ssl_config;
# Non-www redirect
return 301 https://server1.tld$request_uri;
}
server {
real_ip_header proxy_protocol;
set_real_ip_from 1.2.3.4; # <--- proxy ip address, or proxy container hostname for docker
server_name server1.tld;
listen 3443 ssl http2 proxy_protocol; #<--- proxy protocol to the listen directive
listen [::]:3443 ssl http2 proxy_protocol; # <--- proxy protocol to the listen directive
root /var/www/html;
charset UTF-8;
include ssl_config;
#access_log logs/host.access.log main;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
default_type "text/plain";
}
location / {
index index.php;
try_files $uri $uri/ =404;
}
error_page 404 /404.php;
# place rest of the location stuff here
}
Now everything should work like a charm.

Related

Nginx proxy_pass config leaves insecure access to location path open

The nginx snippet below works for https access of our web application. However several end users of the app are instead using ip access in browser to the same app with no certificate protection.
Ways to block this access?
server {
listen 80;
server_name ourserver.com;
return 301 https://ourserver.com$request_uri;
}
server {
listen 443;
server_name ourserver.com;
### SSL details removed
ssl_certificate "//";
ssl_certificate_key "//";
ssl_session_cache
ssl_session_timeout
ssl_ciphers
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 1200;
proxy_send_timeout 1200;
proxy_connect_timeout 75;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}

Odoo 11 Nginx Reverse Proxy Index of /

I have a odoo 11 installation behind a Nginx proxy. Its been working for a while but now when you access it, its showing index of / instead of Odoo login page (see screenshot).
Here is my Nginx configuration:
#odoo server
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name businessapps.enone.tech;
#server_name odoo;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name businessapps.enone.tech;
#server_name odoo;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl on;
ssl_certificate /etc/letsencrypt/live/businessapps.enone.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/businessapps.enone.tech/privkey.pem;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers '<replaced cipher>';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect longpoll requests to odoo longpolling port
location /longpolling {
proxy_pass http://odoochat;
}
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
Can someone point out what could be the issue. Sometimes I can access the login page, other times I get the index of / page. The installation is on Ubuntu 16.0
You need to specify the directory in the nginx config, and I had this error previously and found that even once changing my config I had weird errors with odoo, so I recommend you do what I did and that is completely re install Nginx and ensure you reboot your server after having done so!
Add location block inside server {} (block)
I have used below nginx configuration
upstream odooapp {
server odoo:8069;
keepalive 8;
}
upstream longpolling {
server odoo:8072;
keepalive 8;
}
server {
listen 80;
listen [::]:80;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
return 301 https://businessapps.enone.tech:443/web/login;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate <PATH_TO_CERT>;
ssl_certificate_key <PATH_TO_KEY>;
add_header Strict-Transport-Security "max-age=2592000; preload;" always;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 20M;
proxy_pass http://odooapp/;
proxy_redirect off;
}
location /longpolling {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://longpolling/longpolling;
proxy_redirect off;
}

Nginx Reverse Proxy Not Redirecting to Wordpress site running on non standard http port

So I am trying to setup a nginx reverse proxy in my network to only have 2 external ports out to the world. I am taking in both http and https traffic and using HSTS to force https. I am able to reverse proxy to applications running on the standard port 80/443, but when I try to reverse proxy to a application running on a docker host it gets weird. In the address bar it changes from fireampersand.ca/website to fireampersand.ca:8050/website. Im not sure why. Im still fairly new to nginx so maybe it is something obvious. Any help would be appreciated.
nginx.conf
events {
}
http {
server {
listen 80 default_server;
server_name fireampersand.ca;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
return 301 https://$host;
}
server {
listen 443 ssl http2 default_server;
server_name fireampersand.ca;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate "/etc/letsencrypt/live/fireampersand.ca-0001/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/fireampersand.ca-0001/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
location ~* ^/owa { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/ecp { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/rpc { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/portainer { proxy_pass http://docker.fireampersand.ca:9000; }
location ~* ^/foodbank { proxy_pass https://docker.fireampersand.ca:8002; }
location ~* ^/website/ { proxy_pass http://docker.fireampersand.ca:8050; }
location / { root /usr/share/nginx/html;}
}
}

conflicting server name "localhost" warning on nginx

I am trying to set up nginx for my localhost on a linux cntainer
Here is the config
## server configuration
server {
listen 443 ssl;
listen 80 ;
## add ssl entries when https has been set in config
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
server_name localhost;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/localhost-access.log timing;
## error_log /var/log/nginx/localhost-error.log;
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
location /artifactory/ {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
## server configuration
server {
listen 6555 ssl;
server_name localhost;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/localhost-access.log timing;
## error_log /var/log/nginx/localhost-error.log;
rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-virtual/$1/$2;
client_max_body_size 0;
chunked_transfer_encoding on;
location /artifactory/ {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
After I retsrat nginx I get the following error
nginx: [warn]nginx: [warn] conflicting server name "localhost" on 0.0.0.0:80, ignored
"localhost" on 0.0.0.0:80, ignored
Also when I navigate to the browser I get a connection refused on localhost:443
What might be wrong?
your server can't resolve your domain name localhost as one IP address
you may have a duplicate entry of your local virtual host name in hosts file
lines should be seen in host file
127.0.0.1 localhost
0.0.0.0 localhost
delete or modify second one
This problem could be caused also by running virtual DNS service like unbound
if you are running so, be sure to configure it correctly

Preserve response headers in nginx

I have a reverse-proxy setup(I think), for gunicorn running a falcon app. I was also able to setup SSL on the nginx server. The /etc/nginx/nginx.conf:
worker_processes 1;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /tmp/nginx.error.log;
events {
worker_connections 1024; # increase if you have lots of clients
accept_mutex off; # set to 'on' if nginx worker_processes > 1
}
http {
include mime.types;
# fallback in case we can't determine a type
default_type application/json;
access_log /tmp/nginx.access.log combined;
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types application/json;
upstream app_server {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response
server 127.0.0.1:6789 fail_timeout=0;
}
server {
# if no Host match, close the connection to prevent host spoofing
listen 80 default_server;
return 444;
}
server {
listen 443 ssl;
client_max_body_size 4G;
# set the correct host(s) for your site
server_name 0.0.0.0;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
keepalive_timeout 2;
location / {
proxy_bind $server_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_redirect off;
proxy_pass http://app_server;
}
}
}
What do I need to change so that the response headers from gunicorn are preserved? Also, I am completely new to this. So is there anything that I should change?

Resources