Enable cache only for static content using reversed proxy (Nginx + Tomcat) - nginx

I have installed Nginx 1.8.0 that works with a reversed proxy to a Tomcat 8, everything's works perfectly. However, I would like to enable proxy-cache ONLY for images, CSS and js (primarily static content); I would not like to cache any get to the server because the values may change from one request to other.
I found some configuration but still not working for me, do you guys know how to configure it correctly?
I saw this https://serverfault.com/questions/494669/setting-up-a-reverse-proxy-to-cache-images post; however is not clear for me that it will cache only static content, seems that it will cache any 200 response.
Thanks a lot...
-- UPDATE --
I have my images (blablasite.com/images), same for js and css; just replace images for js and css
I have something like this
server {
listen 80;
server_name blablasite.com;
# add ssl settings
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name blablasite.com;
root html;
keepalive_timeout 70;
client_max_body_size 50m;
#charset koi8-r;
ssl_certificate /blablasite.com-combined.crt;
ssl_certificate_key /ssl/blablasite.com.key;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
# HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "DENY";
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
access_log /var/log/nginx/host.access.log main;
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1d;
access_log off;
add_header Cache-Control "public";
# boilerplate copied from location /
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
location / {
if (-f /webapps/blablasite/maintenance_on.html) {
return 503;
}
index index.html index.jsp;
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
location /login {
# apply rate limiting
limit_req zone=login burst=5;
# boilerplate copied from location /
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}

Related

Odoo 11 Nginx Reverse Proxy Index of /

I have a odoo 11 installation behind a Nginx proxy. Its been working for a while but now when you access it, its showing index of / instead of Odoo login page (see screenshot).
Here is my Nginx configuration:
#odoo server
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name businessapps.enone.tech;
#server_name odoo;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name businessapps.enone.tech;
#server_name odoo;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl on;
ssl_certificate /etc/letsencrypt/live/businessapps.enone.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/businessapps.enone.tech/privkey.pem;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers '<replaced cipher>';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect longpoll requests to odoo longpolling port
location /longpolling {
proxy_pass http://odoochat;
}
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
Can someone point out what could be the issue. Sometimes I can access the login page, other times I get the index of / page. The installation is on Ubuntu 16.0
You need to specify the directory in the nginx config, and I had this error previously and found that even once changing my config I had weird errors with odoo, so I recommend you do what I did and that is completely re install Nginx and ensure you reboot your server after having done so!
Add location block inside server {} (block)
I have used below nginx configuration
upstream odooapp {
server odoo:8069;
keepalive 8;
}
upstream longpolling {
server odoo:8072;
keepalive 8;
}
server {
listen 80;
listen [::]:80;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
return 301 https://businessapps.enone.tech:443/web/login;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate <PATH_TO_CERT>;
ssl_certificate_key <PATH_TO_KEY>;
add_header Strict-Transport-Security "max-age=2592000; preload;" always;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 20M;
proxy_pass http://odooapp/;
proxy_redirect off;
}
location /longpolling {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://longpolling/longpolling;
proxy_redirect off;
}

Nginx Reverse Proxy Not Redirecting to Wordpress site running on non standard http port

So I am trying to setup a nginx reverse proxy in my network to only have 2 external ports out to the world. I am taking in both http and https traffic and using HSTS to force https. I am able to reverse proxy to applications running on the standard port 80/443, but when I try to reverse proxy to a application running on a docker host it gets weird. In the address bar it changes from fireampersand.ca/website to fireampersand.ca:8050/website. Im not sure why. Im still fairly new to nginx so maybe it is something obvious. Any help would be appreciated.
nginx.conf
events {
}
http {
server {
listen 80 default_server;
server_name fireampersand.ca;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
return 301 https://$host;
}
server {
listen 443 ssl http2 default_server;
server_name fireampersand.ca;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate "/etc/letsencrypt/live/fireampersand.ca-0001/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/fireampersand.ca-0001/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
location ~* ^/owa { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/ecp { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/rpc { proxy_pass https://starscream.fireampersand.ca; }
location ~* ^/portainer { proxy_pass http://docker.fireampersand.ca:9000; }
location ~* ^/foodbank { proxy_pass https://docker.fireampersand.ca:8002; }
location ~* ^/website/ { proxy_pass http://docker.fireampersand.ca:8050; }
location / { root /usr/share/nginx/html;}
}
}

Use prerender.io with my existing nginx configuration

I am trying to implement Dynamic Rendering for google.
I have a server on Laravel Forge for serving a Nuxt.js application and I want to use prerender.io
Prerender.io gives an nginx config to use but my current config seems a lot different from it. I don't have any experience with it so I am asking for help if there is anyone who can help.
This is my current nginx config
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/beta.example.com/before/*;
map $sent_http_content_type $expires {
"text/html" epoch;
"text/html; charset=utf-8" epoch;
default off;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name beta.example.com;
root /home/forge/beta.example.com/dist;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/beta.example.com/50331/server.crt;
ssl_certificate_key /etc/nginx/ssl/beta.example.com/50331/server.key;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
charset utf-8;
gzip on;
gzip_types text/plain application/xml text/css application/javascript;
gzip_min_length 1000;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/beta.example.com/server/*;
location / {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000; # set the adress of the Node.js
}
access_log off;
error_log /var/log/nginx/beta.example.com-error.log error;
location ~ /\.(?!well-known).* {
deny all;
}
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/beta.example.com/after/*;
This is how it should look like
https://gist.github.com/thoop/8165802
My main question basically is what happens to the current location / block.
You have two ways to achieve your goal:
Nuxt.js has its own pre-render solution. you could find it here.
If you still want to use prerender.io, here is an example:
I saw that your Nginx is proxying all traffic to http://127.0.0.1:3000, which is presumably a backend written in Node.js. So you could directly update your location / block to use prerender.io to catch everything.
...
location / {
proxy_set_header X-Prerender-Token YOUR_TOKEN;
set $prerender 0;
if ($http_user_agent ~* "googlebot|bingbot|yandex|baiduspider|twitterbot|facebookexternalhit|rogerbot|linkedinbot|embedly|quora link preview|showyoubot|outbrain|pinterest|slackbot|vkShare|W3C_Validator") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($uri ~* "\.(js|css|xml|less|png|jpg|jpeg|gif|pdf|doc|txt|ico|rss|zip|mp3|rar|exe|wmv|doc|avi|ppt|mpg|mpeg|tif|wav|mov|psd|ai|xls|mp4|m4a|swf|dat|dmg|iso|flv|m4v|torrent|ttf|woff|svg|eot)") {
set $prerender 0;
}
#resolve using Google's DNS server to force DNS resolution and prevent caching of IPs
resolver 8.8.8.8;
if ($prerender = 1) {
#setting prerender as a variable forces DNS resolution since nginx caches IPs and doesnt play well with load balancing
set $prerender "service.prerender.io";
rewrite .* /$scheme://$host$request_uri? break;
proxy_pass http://$prerender;
}
try_files #backend;
}
location #backend {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000; # set the adress of the Node.js
}
...

nsposixerrordomain:100 error on Safari when try to open HTTPS

I m creating a website and it works fine on Chrome and FireFox, but i m getting a error on Safari:
"NSPOSIXErrorDomain:100"
I found a post telling about apparently Safari doesn’t like multiple line HTTP headers under HTTP/2, and telling to me edit my config files and remove all mutiple line config.
My server uses CPnginx, and thath is my config file:
#:hybrid:Nginx serve static files apache serve dynamic files:2.0:
server {
listen 107.161.189.242:443 ssl http2 ;
server_name meusite.com.br www.meusite.com.br;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
#.............. Cpnginx OCSP stapling protection for security start ....................
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/meusite.com.br_ca-bundle;
resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2 valid=300s;
resolver_timeout 5s;
#.............. Cpnginx OCSP stapling protection for security end....................
location = /favicon.ico {
log_not_found off;
}
access_log /usr/local/apache/domlogs/meusite.com.br-bytes_log bytes_log buffer=32k flush=5m;
access_log /usr/local/apache/domlogs/meusite.com.br-ssl_log combined buffer=32k flush=5m;
referer_hash_bucket_size 512;
# Static files directly from nginx
location ~* ^.+.(jpg|jpeg|gif|png|svg|webp|ico|zip|tgz|gz|rar|bz2|iso|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|ogv|ogg|flv|swf|mpeg|mpg|mpeg4|mp4|avi|wmv|js|css|3gp|sis|sisx|nth)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
root /home/meusitecom/public_html;
error_page 404 = #apache;
log_not_found off;
}
keepalive_requests 100;
keepalive_timeout 60s;
# Symlink attack
disable_symlinks on from=$document_root;
autoindex on;
# Disable direct access to .ht files and folders
location ~ /\.ht {
deny all;
}
# Access all cpanel services
location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Enabled MP4 streaming
location ~ .mp4$ {
mp4;
mp4_buffer_size 4M;
mp4_max_buffer_size 10M;
}
# X-FRAME attach protection
add_header X-Frame-Options "SAMEORIGIN";
# Protect sql injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
# common exploit protection
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
# Hot Link protections
location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg)$ {
valid_referers none blocked meusite.com.br *.meusite.com.br;
if ($invalid_referer) {
return 403;
}
}
location #apache {
internal;
# Internal 404 redirect of static file to apache
access_log off;
log_not_found off;
client_max_body_size 2000m;
client_body_buffer_size 512k;
proxy_buffering on;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
proxy_buffer_size 64k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_connect_timeout 300s;
proxy_http_version 1.1;
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
location / {
access_log off;
# include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.rewrite;
log_not_found off;
client_max_body_size 2000m;
client_body_buffer_size 512k;
proxy_buffering on;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
proxy_buffer_size 64k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_connect_timeout 300s;
proxy_http_version 1.1;
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
# include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.include;
}
server {
listen 107.161.189.242:443 ssl http2 ;
server_name cpanel.meusite.com.br whm.meusite.com.br webmail.meusite.com.br webdisk.meusite.com.br cpcalendars.meusite.com.br cpcontacts.meusite.com.br mail.meusite.com.br;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
access_log off;
location / {
location ~ /.well-known{
root /home/meusitecom/public_html;
}
proxy_pass https://127.0.0.1:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
What i m need to change on this file?
Well, after many tests, i found a solution to my problem.
I have add the directive "proxy_hide_header Upgrade;" on my nginx.conf, to ignore the header Upgrade, for some reason it's crashing on Safari.
I can't answer your question; but, I can help you with strategy to diagnose your problem.
First, the nginx config (as big as it is) does not contain the answer. What I do see are several proxy_pass lines. One (or more) of these upstream servers are returning content that violates RFC7230.
You can prove that nginx is not causing your problem by pointing you bowser directly at https://107.161.189.242:9443. Or you can stop nginx and move the process serving port 9443 to port 443.

Can I use WordPress blog as a subfolder of my main domain with a https NGINX?

I am developing a plateform on node/meteorjs stack and I want to add a WordPress blog for our website as well.
https//www.XXXXXX.com --> go to meteor app
https//www.XXXXXX.com/blog --> go to blog
I've got a NGINX front with https certificate
My NGINX config is :
`
server {
listen 80;
server_name XXXX.ovh;
return 301 https://XXXX.ovh$request_uri;
}
upstream meteorapp {
server 127.0.0.1:3000;
}
upstream blog {
server 52.16.157.100;
}
server {
listen 80;
server_name www.XXXX.ovh;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name XXXX.ovh;
return 301 https://www.XXXX.ovh$request_uri;
}
server {
listen 443 ssl default_server;
root /var/www/html;
server_name www.XXXX.ovh;
ssl_certificate /etc/letsencrypt/live/XXXX.ovh/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/XXXX.ovh/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location /blog {
proxy_pass http://blog;
proxy_set_header Host $host;
}
location /wp-content {
proxy_pass http://blog;
proxy_set_header Host $host;
}
location /wp-admin {
proxy_pass http://blog;
proxy_set_header Host $host;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
proxy_pass http://meteorapp;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forward-Proto http;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
location ~ /.well-known {
allow all;
}
}
My blog is hosted on other server and my meteor is in a docker container.
With this configuration, css and image of my blog doesn't work (i try to access the http ressources...
so I got some errors as :
Mixed Content: The page at 'https://www.cdispo.ovh/blog' was loaded over
HTTPS, but requested an insecure image 'http://www.XXXX.ovh/wp-content/themes/twentyseventeen/assets/images/header.jpg'. This content should also be served over HTTPS.
how can I do ?
You should instead use a subdomain in this manner "blog.myapp.com". Otherwise if the Meteor app controls the root ie "myapp.com" you will need to redirect all requests coming in to "myapp.com/blog" in your router.

Resources