I was trying to organize my nginx config file a little better by adding an http block.
This is the working config file.
upstream node_server {
server 127.0.0.1:5000 fail_timeout=0;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
index index.html;
server_name _;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://node_server;
}
}
However when I wrap this code in a http block it breaks. i.e.
http{
upstream node_server {
server 127.0.0.1:5000 fail_timeout=0;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
index index.html;
server_name _;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://node_server;
}
}
}
Can anyone explain why this might be the case. To my knowledge you can wrap server blocks inside the http block.
Related
I've read similar questions with same error, but nothing matches my problem, because my upstream servers have local IPs.
The server is a proxmox machine with some different vms.
One is for nginx reverse gateway/proxy, the other are vms with several docker containers.
I want to setup a fallback (backup) for one container.
The config of the nginx reverse gateway/proxy containing these machines is:
server {
listen 80;
server_name my-web.page;
return 301 http://www.my-web.page$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name www.my-web.page;
location / {
return 301 https://www.my-web.page$request_uri;
}
}
server {
listen 443 ssl;
server_name my-web.page;
return 301 https://www.my-web.page$request_uri;
ssl_certificate /etc/ssl/my/my-web.page.chained.crt;
ssl_certificate_key /etc/ssl/my/my-web.page.key.pem;
}
upstream backend {
server 192.168.200.210:8030 max_fails=1 fail_timeout=600s;
server 192.168.200.211:8031 backup;
}
server {
listen 443 ssl;
ssl_certificate /etc/ssl/my/my-web.page.chained.crt;
ssl_certificate_key /etc/ssl/my/my-web.page.key.pem;
server_name www.my-web.page;
location ~ ^/$ {
# rewrite only the root page, other urls see next rule
return 301 https://www.my-web-page-microsite.de/;
}
location / {
resolver 127.0.0.1 valid=30s;
# pass to backend-client, failover to second container for the next 5 minutes
proxy_pass http://backend;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Server-Address $server_addr;
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
If something is wrong with my backend-client-servers, nginx won't start.
Isn't there a possibilty to override the check on starting/restarting nginx?
I only want to allow access to my server from one domain. Lets say my domain is called "mydomain.mydomain.com" (yes, it is a subdomain).
Normally I would write everywhere server_name mydomain.mydomain.com, but I changed it to a non-existing domain and I can still enter the website? Why is my website working also from other domains? I know nginx is normally using the first server-block if no server_name is found, but my first server-block is my catch-all non-existing domain block. I defined server_name _; and default_server, but still, my website is working.
I have the following configuration:
server {
#If server_name mydomain.mydomain.com is not found return 444
listen 80 default_server;
server_name _;
return 444;
}
# redirect all traffic to https if the domain is mydomain.mydomain.com (server_name)
server {
listen 80;
listen [::]:80;
#-------------------------------------------
# I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
#-------------------------------------------
server_name nonExistingDomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /config/www;
index index.html index.htm index.php;
#-------------------------------------------
# I CHANGE HERE TO A NON-EXISTING DOMAIN AND MY WEBSITE IS STILL WORKING?!?!?
#-------------------------------------------
server_name nonExistingDomain.com;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
client_max_body_size 0;
error_page 404 =200 /portal;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
location = / {
return 301 https://mydomain.mydomain.com/portal;
#try_files $uri $uri/ /index.html /index.php?$args =404;
}
location /pea {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080/pea;
# do not pass the CORS header from the response of the proxied server to the
# client
#proxy_hide_header 'Access-Control-Allow-Origin';
}
location /portal {
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8180/portal;
}
location /auth {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8280/auth;
}
}
You are listening to the IpV6 network socket in your server blocks where you change domain to non-existent. Since there are no other such server blocks, they are the default for those IPv6 ports.
Note that your first server block is default only for IPv4 network socket listen 80 default_server;.
Thus the behavior can be explained only by the fact that you are connecting/testing over IpV6.
To avoid inconsistency, use default_server for all your listen options. E.g. in the first server block add default server for IPv6 too:
server {
#If server_name mydomain.mydomain.com is not found return 444
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
Nginx server is at 192.168.5.13.
I have Nginx as reverse proxy for SSL Letsencrypt which works fine.
I would like to add ollowing:
www.nonprofitcloud.be is working fine and returns https://www.nonprofitcloud.be located at 192.168.5.26.
However I would like to add webmail.nonprofitcloud.be to point to 192.168.5.1/mewebmail where my Mailenable Server is residing (Windows Server, IIS 7).
So: webmail.nonprofitcloud.be should point to 192.168.5.1/mewebmail
Any idea?
My conf:
server {
listen 443 ssl;
server_name www.nonprofitcloud.be nonprofitcloud.be;
ssl_certificate /etc/letsencrypt/live/www.nonprofitcloud.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.nonprofitcloud.be/privkey.pem;
location / {
proxy_pass http://192.168.5.26;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name www.nonprofitcloud.be nonprofitcloud.be;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
location / {
return 301 https://$host$request_uri;
}
}
You need to add another server block:
server {
listen 80;
server_name webmail.nonprofitcloud.be;
location / {
proxy_pass http://192.168.5.1/mewebmail;
}
}
I am creating a proxy for my server using nginx and I want to ensure that the proxy_pass server IP is hidden from anyone trying to discover it. Based on the following server {} entry is it possible to discover xxx.xxx.xxx.xxx address?
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name localhost;
location / {
proxy_pass http://xxx.xxx.xxx.xxx; // Is this hidden?
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
You can config as this:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name localhost;
location / {
proxy_pass http://xxx.xxx.xxx.xxx;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
}
Then the IP address is hidden and it use origin IP address or domain name.
I have a server with two ip: when i use nginx as Reverse Proxy for jboss7,
in order to prevent direct access use ip address,(we have configured the dns),
i use configuration bellow:
# You may add here yourdefault_server;
# server {
#
server {
listen *:80;
server_name _;
return 404;
}
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name www.shikuaigou.com localhost;
charset utf-8;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://jboss;
}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
allow ::1;
deny all;
}
}
server {
listen 80;
server_name example.com;
rewrite "^/(.*)$" http://www.example.com/$1 permanent;
}
server {
listen 12.34.56.78;
server_name www.example.com;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_pass http://jboss;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ /index.html;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
}
but only on ip can matche the server whitch return 404,the other one cannot match the
configuration server_name _;
which cause this?
Because you have listen 12.34.56.78; so nginx chooses this server to process requests on 12.34.56.78, since it is more specific for that IP.
Please, also note that server_name _; actually means nothing, except an incorrect domain name.
Reference:
Server names
How nginx processes a request
The listen directive