I'm deploying Ghost (0.7.6) in a VPS using Nginx (1.8.1). To make the dashboard and sign-in page secure, I force any request to use HTTPS when accessing such pages (such as /ghost page). But, for any request to any other page (such as accessing the Ghost blog itself) I want to force it to use HTTP. Ghost is up listening on 127.0.0.1:2368.
Strangely, the result is not as what I expected: Every time I access my blog (let's say the url is a.b), it says that my site has ERR_TOO_MANY_REDIRECTS and it redirects between http://a.b and https://a.b (or between http://a.b/signin and https://a.b/signin). BUT, when I access the admin dashboard (https://a.b/ghost or http://a.b/ghost), it acts as expected (no error, correctly redirects to use HTTPS).
Any help?
My Nginx configuration:
# Configuration for http://a.b
server {
listen 80;
server_name a.b;
location ^~ /ghost { # /ghost should be accessed securely
return 301 https://$host$request_uri;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}
}
# Configuration for http://a.b
server {
listen 443 ssl;
server_name a.b;
ssl_certificate ...;
ssl_certificate_key ...;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers '...';
location ^~ /ghost { # /ghost should be accessed securely
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}
location / { # Force to use HTTP
return 301 http://$host$request_uri;
}
}
Any kind of help would be appreciated :')
https://github.com/TryGhost/Ghost/issues/2796
location ^~ /ghost { # /ghost should be accessed securely
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}
Related
When I use NGINX to create a reverse proxy for a WordPress Docker container, WordPress specifies WordPress Address (URL) and Site Address (URL) to be https://hiddenurl.com:443. So all my links contain the port 443, and if I delete this port, the website is no longer accessible due to an infinite redirect loop.
I have entered in the wp-config.php that SSL should be activated via $_SERVER['HTTPS'] = 'on';.
NGINX Config:
location ~ /(?<wppath>.*) {
rewrite ^/(.*) /$1 break;
client_max_body_size 100M;
proxy_pass http://127.0.0.1:7676/$wppath$is_args$args;
proxy_http_version 1.1;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-forwarded protocol https;
proxy_set_header upgrade $http_upgrade;
proxy_set_header Connection "upgrade
}
This causes the domain hiddenurl.com to work, but hiddenurl.com/about does redirect to 127.0.0.1/about.
The redirect seems to come from WordPress:
I solved it by using this as an nginx config:
location / {
proxy_pass http://127.0.0.1:7676;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
And append this to the top of wp-config.php
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
$_SERVER['HTTPS'] = '1';
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
I too had a WordPress 301 redirect loop using the WordPress container serving over port 80 behind an nginx reverse proxy with the following configuration:
server {
# SSL configuration
#
listen 443 ssl;
listen [::]:443 ssl;
server_name _______.com.au www._______.com.au;
proxy_redirect off;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://192.168.0.0:6080/;
}
ssl_certificate /etc/letsencrypt/live/_______.com.au/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/_______.com.au/privkey.pem; # managed by Certbot
}
server {
if ($host = www._______.com.au) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = _______.com.au) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name _______.com.au www._______.com.au;
return 301 https://_______.com.au$request_uri;
}
My wp_config.php was using the default configuration generated by Official WordPress Docker container. The problem occurred in the canonical.php function because of this line in the nginx config:
proxy_set_header Host $host:$server_port;
When the url is passed into the canonical.php function a 301 redirect loop was setup because https://______.com.au:443 was different from https://______.com.au. Removing $server_port fixed the problem for me:
proxy_set_header Host $host;
I hope that my time consuming investigation saves someone some time!
I have a synology and I want to link a subdomain to one of this application. This is the URL I usually use to access to this service:
192.168.0.17:5001//index.cgi?launchApp=SYNO.SDS.App.FileStation3.Instance&launchParam=openfile%3D%252FOliver%252F
But this is too long and I want to access it directly this mydomaine.com
How should I configure the server ?
I tried this but it doesn't work :
server {
listen 80;
listen [::]:80;
resolver 89.2.0.1;
server_name test.fr;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_intercept_errors on;
proxy_http_version 1.1;
proxy_pass http://192.168.0.17:5000/index.cgi?launchApp=SYNO.SDS.App.FileStation3.Instance&launchParam=openfile%3D%252FOliver%252F;
}
}
Thanks a lot for your help!
I am setting up the nginx for a website. i want to set only for some sublinks to ssl link user login, sign up .i create a lets encrypt ssl and the certificate is working fine. i checked on ssl shopper. I want to configure the ssl only for store not for all the site.so i redirect the store from 80 to 443 and only the store want to work ssl. but after i configure
on nginx some buttons (javascriptvoid) not working. its says mixed content , so when i check on view source its shows the url of the buttons are still http in store page.(it should be https) .
i check with everything, i reconfigure nginx, check the tomcat side, all are oky.i dont knwo what is the issue.
my nginx configuration is here for you
(The(/sub) sub location is the one which i want to work https)
NGINX configuration
upstream backend_front {
ip_hash;
server tomcat_serverip:8080;
}
server {
listen 80;
server_name www.domianname.com;
charset utf-8;
access_log /var/log/nginx/80access.log main;
location / {
proxy_pass http://backend_front;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /sub/ {
if ($http_x_forwarded_proto != 'https') {
return 301 https://$server_name$request_uri;
}
proxy_pass http://backend_front;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443 ssl;
server_name www.domainname.my;
ssl on;
ssl_certificate /etc/letsencrypt/live/fullch.pem;
ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
charset utf-8;
access_log /var/log/nginx/443access.log main;
add_header Strict-Transport-Security "max-age=31536000";
root /data/resources/;
location /sub/ {
proxy_pass http://backend_front;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://backend_front;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# for static files caching
location ~ .*\.(html|jsp)?$ {
proxy_pass http://backend_front;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ .*\.(gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
root /data/resources/;
expires 20m;
} # for static files caching -- end
location ~ /favicon\.ico {
root html;
}
location ~ /\. {
deny all;
}
}
The view source result for the buttons
Manage Account
My Orders
When I click on the button this error message showing on google chrome element console (but for http its working fine.)
jquery-1.8.3.min.js:2 Mixed Content: The page at 'https://www.example.com/store/account.htm' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/isLogin.htm'. This request has been blocked; the content must be served over HTTPS.
send # jquery-1.8.3.min.js:2
ajax # jquery-1.8.3.min.js:2
tiaozhuan # account.htm:155
onclick # account.htm:77
please help me guys on this.i am stuck on thi for last 1 week to fix this.i am not a programmer i am a sys admin. and new for nginx.please help on this.
"Mixed content" usually refers to a page which, when loaded, then makes secondary requests under both HTTP and HTTPS (e.g., images, css, javascript).
When you use make a request under HTTPS, all subsequent requests must also be HTTPS. You need to convert the URL of the buttons to be "https://"
At last we find out the issue and resolved the issue after 3 weeks.
the issue is beacuse of the proxy ip.We use nginx server for redirection and for proxy. so we need to add aditional enty in server.xml in tomcat about the nginx server ip .here is the entry.
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="111\.111\.111\.111" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" httpsServerPort="443" />
so the Internal proxy is the Nginx IP.
I'm running the AWS Managed ElasticSearch to collect some logs and have created some Kibana dashboards to visualise the data, all that works fine.
Unfortunately the Kibana plugin included on with the AWS cluster is pretty much open to the world, so I have setup an NGINX reverse proxy to provide authenticated access. This is also working fine if I simply hit the domain URL and specify the full URI to the Kibana plugin. For example:
http://nginx.domain.com/_plugin/kibana/app/kibana works just fine, here in the nginx configuration I am using to achieve that:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/ /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
Rather than providing the full URL, I would like to simply hit the base domain name of the NGINX server, which would then redirect me to the full Kibana URI. So what I would LIKE to do is this:
http://nginx.domain.com
After entering the above URL, I would like to be redirected to the full Kibana URI, so I would end up with a URL like this
http://nginx.domain.com/_plugin/kibana/app/kibana
Here is the nginx configuration I have tried (in various different permutations) that does not work:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
With the configuration above, when I browse to http://nginx.mydomain.com the URL is redirected to:
http://nginx.myaws.com.au/_plugin/kibana/app/kibana
This looks like it SHOULD work, however I receive an error in the browser window:
{"statusCode":404,"error":"Not Found"}
I have about 4 hours experience with nginx, so hopefully I'm missing something simple. Any help would be very much appreciated.
Thank you!
Got it, finally!
worker_processes auto;
events {
worker_connections 1024;
}
http {
server {
listen 80 default_server;
server_name localhost;
location / {
proxy_set_header Host https://<endpoint address>.es.amazonaws.com;
proxy_set_header X-Real-IP <nginx ip address>;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_set_header Authorization "";
proxy_pass https://<endpoint address>.es.amazonaws.com/_plugin/kibana/;
proxy_redirect https://<endpoint address>.es.amazonaws.com/_plugin/kibana/ http://<nginx url>/kibana/;
}
location ~ (/app/kibana|/app/timelion|/bundles|/es_admin|/plugins|/api|/ui|/elasticsearch) {
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://<endpoint address>.es.amazonaws.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
Noobie question here.
I've setted up Parse-Server in my Ubuntu droplet and i'm currently dealing with an issue here.
My ssl is from letsencrypt
In this file
/etc/nginx/sites-enabled/default
I have the following
# HTTP - redirect all requests to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name example.com;
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/nginx/html, proxy requests to /parse/
# through to Parse Server
server {
listen 443;
server_name example.com;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location /test/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/test/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location /dashboard/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4040/dashboard/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
So the followin links are working fine
https://example.com/parse/
https://example.com/dashboard/
https://example.com/test/
but they are working cause of the default file has the code to work fine.
I can't do that for all the directories that parse has for example
https://example.com/parse/serverInfo/
is getting a 404 error.
Is there any way to make all the pages available without having to configure them in the default file?
Update
So when I put this inside my default file
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/parse/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
I get no 404 error. This is because of the proxy_pass http://localhost:1337/parse/ that is different from the first file that I've posted here.
But how can i do that for ALL the requests no matter /parse/ or /something/ etc? I cannot right down here ALL the folders and possible links that i will create inside server. Because at this domain I will also setup a website which will have /assets/ etc and it will need each single one.
Isn't there any code to include ALL the possible links that it will be created?
You can capture parts of the location entry using regex group, e.g.
location /(.*) {
...
proxy_pass http://localhost:1337/$1;
...
}