I have an Nginx proxy server that proxy passes to a variety of backend servers. I have been asked to set up a proxy pass to an Nginx WordPress server that I have no control over.
The issue is: the URL that we're listening on is www.customerdomain.com, but the WordPress server listens on someinternaldomain.host.com.
Is there a way to pass a different host header to the WordPress server without screwing up the www.customerdomain.com in the browser address bar?
My sample config below:
server {
listen *:443 ssl;
server_name www.customerdomain.com;
ssl on;
ssl_certificate /etc/nginx/ssl/somecert.crt;
ssl_certificate_key /etc/nginx/ssl/somecert.key;
include includes/ssl.conf;
index index.html index.htm index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
proxy_pass https://wordpress-upstream;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
}
}
Related
I installed Appwrite on an debian-server.
The https-port for Appwrite is 444 (443 was already used). Nginx redirects my subdomain to this port.
I have a custom SSL-certificate which is working for this domain and subdomains. I can open the appwrite via the subdomain but when I click "Sign Up" to create a root account for appwrite, I get the following Error:
Invalid Origin. Register your new client (appwrite.domain.de) as a
new Web platform on your project console dashboard
First I thought I have to set proxy_set_header Host $host; in the server-config, but then I am not able to open Appwrite... instead I get the Error
{"message":"Error: Server Error","code":500,"version":"1.0.1"}
Does someone has another idea or already fixed the same problem?
This is my Server-configuration in Nginx:
server {
server_name appwrite.domain.de;
location / {
proxy_pass https://localhost:444;
}
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/domain.de_ssl_certificate.cer;
ssl_certificate_key /etc/nginx/ssl/domain.de_private_key.key;
}
server {
listen 80;
server_name domain.de
www.domain.de
;
return 301 https://$host$request_uri;
}
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/domain.de_ssl_certificate.cer;
ssl_certificate_key /etc/nginx/ssl/domain.de_private_key.key;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name domain.de
www.domain.de
;
location / {
try_files $uri $uri/ =404;
}
Thanks for the help ;)
You're right, you need to include the proxy_set_header Host $host; directive. You might also want to include the following under server:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
and the following under location:
add_header X-Served-By $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass $forward_scheme://$server:$port$request_uri;
If you're seeing a 500 error, it would be best to check the docker logs for the appwrite container to see what the problem is.
On a side note, if you're looking for an easier way to manage Nginx, I highly recommend Nginx Proxy Manager (NPM). I use NPM in front of my Appwrite.
We have been trying for days (we tested hundreds of setups) to make a Nginx Reverse Proxy successfully reverse proxy a web application that needs FQDNs (this is mandatory for this web application to work).
Using the configuration below for the Nginx Reverse Proxy together with a local DNS service (see resolver attribute) that knows the FQDN we can successfully make these http calls...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://$host$request_uri;
resolver 127.0.0.1:53;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... , however if I change the proxy_pass attribute to using an IP as shown here...
server {
access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
server_name *.apps.mbr.domain.abc;
location / {
proxy_pass https://10.2.0.18:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_server_name on;
}
listen 443;
ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... the web application reports not knowing the URL (error). In other words, clearly there is some parameter/data (we don't know what it is) that is added by the DNS service to the http call.
QUESTION: What is the local DNS service provided parameter/data that Nginx Reverse Proxy is not providing?
NOTE: We are asking this because we believe this is something that can be provided by the Nginx Reverse Proxy itself so that we will not need to use the local DNS service.
Thanks! =D
I have a problem with nginx and proxy_pass. I try to secure connection to old server without option to upgrade apache there. I can't establish there ssl connection with tls 1.2. So i Tried to secure it by reverse proxy in nginx with some success. when i open website like http://example.com or https://example.com connection is secure and it works well. But there are other sites whitch have links like https://example.com/login https://example.com/investitions (basicly every uri example.com/foo/bar/ ect.)and those connections are insecure. my nginx config looks like this:
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate ssl.crt;
ssl_certificate_key ssl.key;
ssl_client_certificate ca.crt;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
location / {
proxy_set_header X-Scheme https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr
proxy_pass http://baza.example.com/;
}
Please help me.
I'm using wso2am version 3.2.0 and trying to configure reverse proxy using NginX following the below mentioned documentation.
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/setting-up-proxy-server-and-the-load-balancer/configuring-the-proxy-server-and-the-load-balancer/
I want to access the devportal and publisher with a new url context like https://{domain-name}/wso2am/devportal and https://{domain-name}/wso2am/publisher. My nginx configuration file is as below.
server {
listen 443 ssl;
server_name {domain-name};
proxy_set_header X-Forwarded-Port 443;
ssl_certificate /etc/nginx/ssl/{cert_name};
ssl_certificate_key /etc/nginx/ssl/{key_name};
location /wso2am/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://<server-ip>:9443;
}
access_log /etc/nginx/log/am/https/access.log;
error_log /etc/nginx/log/am/https/error.log;
}
with this configuration, when I try to access https://{domain-name}/wso2am/devportal it is redirected to the carbon login url (https://{domain-name}/carbon/admin/login.jsp) with a 404 not found error. Should I change any values in carbon.xml or in some other files for get this working?
Note: I tried to change the <WebContextRoot> in carbon.xml file with /wso2am as its value. When I restarted the server the value is overwritten again to the default /.
Where should I add the /wso2am context path in carbon configurations?
I have the following config:
js_include /etc/nginx/scripts/encode_request.js;
js_set $encoded_request re_encode_url;
log_format logEncoded $encoded_request;
server {
listen 443 ssl;
listen [::]:443;
server_name myfirst-domain.com;
ssl on;
ssl_certificate /etc/ssl/certs/cert.cer;
ssl_certificate_key /etc/ssl/private/cert.key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
if ($request_uri ~ ^/lool/https%3A/alf.mydomain.com/(.*)$){
access_log /var/log/nginx/access.log logEncoded; #Output the encoded url to the logs. (For debugging purposes)
rewrite ^/lool/https%3A/alf.mydomain.com/(.*)$ $encoded_request;
}
proxy_pass https://localhost:9980;
}
}
The purpose of which is to filter a URL request that that contains a decoded URL that's required by the backend service. The problem is whilst the request URL has been successfully encoded, it is not being proxied to the backend service and instead I get the original decoded URL which in turn causes an error, though I do get the correctly encoded URL output in the access.log.
Not by far an NGINX or web server saavy person so I'd appreciate some pointers as to what I'm doing wrong / missing.
Another thing that might be of note is that the request upgrades to websocket communication between the client and the sever and I am proxying that.
I'm using NGINX 1.13.6 on Debian Jessie.
I solved the issue using nginScript in the end.
I tossed the conditional and just did everything in nginScript, so the virtual host file (or server block) is simplified thus:
server {
listen 443 ssl;
listen [::]:443;
server_name myfirst-domain.com;
ssl on;
ssl_certificate /path/to/ssl/certificate;
ssl_certificate_key /path/to/ssl/certificate/key;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
#Optional
access_log /var/log/nginx/ll_access.log;
error_log /var/log/nginx/ll_error.log;
proxy_pass https://127.0.0.1:9980$encoded_request;
}
}