Routing a subdomain to a folder on another server via AWS route53 - wordpress

I have an EC2 Win2008 server running an ASP.NET 4.5 site www.mysite.com.
In the same AWS zone but another separate EC2 Linux server, I have an NginX/PHP Wordpress site running blog.mysite.com.
I would like to create an AWS Route53 route so that all incoming requests to www.mysite.com/blog get silently routed to blog.mysite.com WITHOUT a redirect, so that the user's web browser stays on the URL www.mysite.com/blog.
How would I achieve this with Route53? If not achievable with Route53, is there any other way?
I don't want to run PHP/MySQL/WordPress on my Windows server, unless I absolutely have to.
Thanks!

The only way is to put an Apache or nginx in front of both the site that is hosting your ASP.NET 4.5 app and your Wordpress site.
Then you can set up a reverse proxy on that server that makes the /blog path point to your Wordpress site and the / path point to your ASP.NET 4.5 app.
For nginx you would have something like this:
server {
    listen 80;
    server_name www.yourdomain.com;
    access_log /var/log/nginx/log/www.yourdomain.access.log main;
    error_log /var/log/nginx/log/www.yourdomain.error.log;

    location /blog {
        proxy_pass http://yourblogserver;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://youraspnet40server;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Keep in mind that your /blog path has to be first in the priority; otherwise all the requests will get sent to just /.

Related

Nginx isn't storing cache

I'm trying to allow nginx caching in the simplest form. But for some reason it's not working. I'm currently using nginx with gunicorn and flask on an ec2 instance.
This is my /etc/nginx/nginx.conf file:
user nginx;
...
proxy_cache_path /var/cache/nginx keys_zone=mycache:10m;
proxy_cache_methods GET HEAD POST;

server {
    listen 80;
    access_log /var/log/nginx/agori.access.log main;
    error_log /var/log/nginx/agori.error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache mycache;
        proxy_cache_valid any 48h;
        proxy_buffering on;
        proxy_pass http://unix:/home/ec2-user/src/project.sock;
    }
}
When I check the /var/cache/nginx folder, it's empty. These are the folder permissions:
drwxrwxrwx 2 nginx root 6 May 13 14:03 nginx
These are the request and response headers:
PS: This is on mobile (iOS).
It sounds to me that something in your Nginx config might not be correct (syntax error or not supported by your Nginx version). In most of the cases I encountered so far, that was the case for me.
You probably know Nginx's reverse proxy example, which features the following configuration:
http {
    proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;

    server {
        location / {
            proxy_pass http://1.2.3.4;
            proxy_set_header Host $host;
            proxy_buffering on;
            proxy_cache STATIC;
            proxy_cache_valid 200 1d;
            proxy_cache_use_stale error timeout invalid_header updating
                                  http_500 http_502 http_503 http_504;
        }
    }
}
I tried to compare that with your configuration file, and my debugging approach would be:
Does nginx log your requests in access_log?
Try whether the example configuration file works after minimal modifications.
Replace the any with a 200 for a start and see whether that works.
If that works, put in step by step all additional config lines, like the proxy_cache_methods line.
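One cause of an empty cache directory that the steps above do not cover is the upstream response itself: nginx skips caching when the response carries Set-Cookie, Vary: *, or Cache-Control private/no-cache/no-store, and response headers (X-Accel-Expires, Cache-Control max-age, Expires) take priority over proxy_cache_valid unless the header is listed in proxy_ignore_headers. A Flask app that sets a session cookie on every response therefore leaves /var/cache/nginx empty even with proxy_cache_valid any 48h. The check below is an added example written for this page, not nginx's own code; it encodes the documented rules, and cache_ttl, the sample headers and SAMPLE_NOW are constructed for the demonstration.

```python
"""Decide whether nginx's proxy cache would store an upstream response and
for how long. Added example for this page, not nginx code; it encodes the
rules documented for proxy_cache_valid and proxy_ignore_headers."""

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cache_ttl(status, headers, cache_valid, ignore_headers=(), now=None):
    """Return (seconds, reason); seconds == 0 means the response is not cached.

    cache_valid mirrors proxy_cache_valid: {200: 86400} or {"any": 172800}.
    ignore_headers mirrors proxy_ignore_headers, e.g. ("Set-Cookie",).
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    ignore = {x.lower() for x in ignore_headers}

    def honoured(name):
        return name in h and name not in ignore

    # Headers that make a response uncacheable outright.
    if honoured("set-cookie"):
        return 0, "Set-Cookie present"
    if honoured("vary") and h["vary"].strip() == "*":
        return 0, "Vary: *"

    # Response headers take priority over proxy_cache_valid.
    if honoured("x-accel-expires"):
        return max(int(h["x-accel-expires"]), 0), "X-Accel-Expires"
    if honoured("cache-control"):
        directives = [d.strip().lower() for d in h["cache-control"].split(",")]
        if any(d in ("private", "no-cache", "no-store") for d in directives):
            return 0, "Cache-Control forbids caching"
        for d in directives:
            if d.startswith("max-age="):
                return max(int(d[len("max-age="):]), 0), "Cache-Control max-age"
    if honoured("expires"):
        delta = (parsedate_to_datetime(h["expires"]) - now).total_seconds()
        return max(int(delta), 0), "Expires"

    # Otherwise proxy_cache_valid decides; "any" covers every status code.
    return cache_valid.get(status, cache_valid.get("any", 0)), "proxy_cache_valid"


# Constructed sample responses: a Flask page with a session cookie, and the
# same page without it. VALID_48H mirrors "proxy_cache_valid any 48h".
FLASK_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; HttpOnly"}
STATIC_RESPONSE = {"Content-Type": "text/html"}
VALID_48H = {"any": 48 * 3600}
SAMPLE_NOW = datetime(2020, 5, 13, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(cache_ttl(200, FLASK_RESPONSE, VALID_48H))    # (0, 'Set-Cookie present')
    print(cache_ttl(200, STATIC_RESPONSE, VALID_48H))   # (172800, 'proxy_cache_valid')
    print(cache_ttl(200, {"Cache-Control": "public, max-age=600"}, VALID_48H))
    print(cache_ttl(200, {"Expires": "Wed, 13 May 2020 15:00:00 GMT"}, VALID_48H, now=SAMPLE_NOW))
```

Running it on the Flask-style response shows the Set-Cookie rule, which is the usual reason a session-based app produces no cache entries. Adding proxy_ignore_headers Set-Cookie makes such responses cacheable, but then a page rendered for one logged-in user can be served to the next, so that override belongs only on locations that never emit per-user content.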

How to make Jenkins accessible by hostname?

I created an Ubuntu 19.10 VirtualBox VM and installed there OpenJDK 8, Nginx 1.16.1, and Jenkins 2.222.1. I can access it via the HTTP IP address, like http://{IP_OF_THE_VM}:8080. Now I also want to be able to access it by the hostname, like https://jenkins.ciserver.loc/.
Here is the VHost file /etc/nginx/sites-available/jenkins.ciserver.loc:
upstream jenkins {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name jenkins.ciserver.loc;
    access_log /var/log/nginx/jenkins.access.log;
    error_log /var/log/nginx/jenkins.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://jenkins;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
When I request http://ci.ciserver.loc in the browser, I get "This site can’t be reached" and the request ends up in an ERR_SOCKET_NOT_CONNECTED.
How to configure Jenkins and/or Nginx correctly to make Jenkins accessible by the hostname?
SOLVED
It was a stupid typo... I set server_name to jenkins.ciserver.loc, but was all the time trying to request ci.ciserver.loc. Now I corrected the requested URL to http://jenkins.ciserver.loc -- and it started working.

Keycloak with Wildfly application behind a Nginx reverse proxy

AWS EC2 Ubuntu 18.04
Keycloak 5.0.0
Nginx 1.15.8
I am trying to place an application (not my development) based on the Wildfly with the Keycloak integration (openid-connect) and am aware of posts that relate to my task, but I believe my question has not been covered in those posts.
In my case everything works fine, an application and a keycloak server behind a Nginx reverse proxy. What I can't understand is that according to this Keycloak document it is necessary to make the following changes in the keycloak standalone.xml (in my case):
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
<socket-binding name="proxy-https" port="443"/>
If I understand it correctly, this setup assumes that an application sends an authentication request to the http-listener and it is redirected to proxy-https. It is not quite clear where the proxy is supposed to send its proxy_pass.
But anyway, in my case, an application sends the authentication request the following way:
<realm>MyRealm</realm>
<resource>MyRealm</resource>
<public-client>true</public-client>
<auth-server-url>https://<host name>:8843/auth/</auth-server-url>
<ssl-required>external</ssl-required>
I have just changed the https port in the Keycloak standalone.xml to 8943 and assigned port 8843 to the Nginx server with the location /auth/, like in this fragment:
server {
    listen 192.168.80.40:8843 ssl http2 default_server;
    server_name <host name>;

    location /auth/ {
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 8843;
        add_header Strict-Transport-Security "max-age=15552000";
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://192.168.80.40:8943/auth/;
        proxy_redirect off;
    }
}
It works, but I am not quite sure if it is the right way to place a Keycloak server behind the Nginx reverse proxy, considering the above mentioned Keycloak article. It is basically a question not about something that doesn't work but rather why it works.
If some Keycloak experts can assure me that my setup is workable, I would very much appreciate it.
My second question:
Is it possible to restrict external access to only the application realm, if users decide to open:
https://<host name>:<port>/auth
I would like to block any external access to the master realm login screen.
When I am using /auth/realms/MyRealm/ in the Nginx location, it does prevent users from accessing the master realm login screen, but it shows just some ugly login screen for the application realm, which actually works, but looks unprofessional.
Thanks in advance.
UPDATE:
The only solution for my second question I have found so far:
location /auth/realms/master/ {
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port 8843;
    add_header Strict-Transport-Security "max-age=15552000";
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    add_header Pragma "no-cache";
    proxy_pass https://192.168.80.40:8943/auth/realms/master/;
    proxy_redirect off;
    allow X.X.X.X;
    deny all;
}
And similar for the root location:
location / {
    *
    *
    *
    proxy_pass https://192.168.80.40:8943$request_uri;
    proxy_redirect off;
    allow X.X.X.X;
    deny all;
}
The location /auth/ is not changed.
https://<host name>:<port>/auth still opens "Welcome to Keycloak" screen but access to the "Administration Console" is forbidden. At least, I have now a normal login screen for the application realm and rogue Internet people are going to nowhere from that Welcome screen.
I still need help with my first question.
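The allow/deny lines in the UPDATE above are evaluated by nginx's access module against the address of the TCP peer, so nothing a client puts into X-Forwarded-For changes that decision. The mirror image applies on the Keycloak side: with proxy-address-forwarding="true" Keycloak takes the client address from X-Forwarded-For, so the header is only meaningful when the connection really comes from the nginx host, which is why the backend port 8943 should be reachable from the proxy alone. The model below is an added example for this page, not nginx or Keycloak code; 203.0.113.7 and 198.51.100.9 are constructed stand-ins for the X.X.X.X placeholder and for an outside client, 192.168.80.40 is the proxy address from the configuration above, and access_decision and client_ip are hypothetical names.

```python
"""Model of nginx allow/deny evaluation and of safe X-Forwarded-For handling
behind a reverse proxy. Added example for this page, not nginx or Keycloak code."""

import ipaddress


def _matches(rule_addr, peer):
    """True when peer falls under rule_addr ('all', a single IP, or a CIDR)."""
    if rule_addr == "all":
        return True
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule_addr, strict=False)


def access_decision(rules, remote_addr):
    """Evaluate an ordered list of ("allow"|"deny", address) rules.

    As in ngx_http_access_module, the first rule matching the connection's
    peer address wins; with no match the request is allowed. Only the peer
    address is consulted: request headers play no role.
    """
    for action, addr in rules:
        if _matches(addr, remote_addr):
            return action
    return "allow"


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Client address as a backend should derive it from X-Forwarded-For.

    Walks the hop chain from the right, skipping addresses of trusted
    proxies; the first untrusted hop is the client. A header arriving from an
    untrusted peer is therefore ignored, and a malformed header is distrusted
    entirely in favour of the peer address.
    """
    hops = [a.strip() for a in (x_forwarded_for or "").split(",") if a.strip()]
    hops.append(remote_addr)
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_proxies]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not any(addr in net for net in trusted):
            return hop
    return hops[0]  # every hop trusted: keep the leftmost entry


# Constructed values: 203.0.113.7 stands in for the X.X.X.X allowed address,
# 198.51.100.9 for an outside client; 192.168.80.40 is the nginx host above.
MASTER_REALM_RULES = [("allow", "203.0.113.7"), ("deny", "all")]
TRUSTED_PROXIES = ("192.168.80.40",)

if __name__ == "__main__":
    print(access_decision(MASTER_REALM_RULES, "203.0.113.7"))   # allow
    print(access_decision(MASTER_REALM_RULES, "198.51.100.9"))  # deny
    # Header relayed by the proxy is honoured; the same header sent directly
    # by an outside peer is not.
    print(client_ip("192.168.80.40", "198.51.100.9", TRUSTED_PROXIES))  # 198.51.100.9
    print(client_ip("198.51.100.9", "203.0.113.7", TRUSTED_PROXIES))   # 198.51.100.9
```

The second client_ip call is the case that matters for the Keycloak setup: if 8943 were reachable directly, a peer presenting a forged X-Forwarded-For would be recorded under the forged address unless the backend restricts trust to the proxy, as this function does with trusted_proxies.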

Routing to different servers with nginx

Is there a way to use nginx as a router while keeping the requested domain in the URL? For example, if I hit mysite.com, the nginx routing server looks at the URL and directs traffic to a particular server, all while maintaining the original requested domain in the URL.
E.g.
mysite.com/site1/params
Router -> site1.mysite.com/params
But even though behind the scenes site1.mysite.com/params is being called, the user sees mysite.com/site1/params in the URL.
I've taken a stab at the configuration, but seem to be getting 404's.
upstream site1 {
    server site1.mysite.com;
}

location /site1 {
    rewrite ^(.*)$ /$1 break;
    proxy_pass http://site1;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Use location with a trailing slash, remove the rewrite, and use proxy_pass with a / URI. Nginx will take care of replacing /site1/ with /. Also, you may need to set the Host header to site1.mysite.com, not $host.
location /site1/ {
    proxy_pass http://site1/;
    proxy_set_header Host site1.mysite.com;
    ...
}
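Both the /blog answer earlier on this page and the /site1/ answer above depend on how nginx maps a request URI onto the upstream URI for a prefix location: with proxy_pass http://upstream; (no URI part) the request URI is forwarded unchanged, so /blog/hello-world reaches the blog server still prefixed with /blog, while with proxy_pass http://site1/; the part matched by the location prefix is replaced by the URI part of proxy_pass. nginx also chooses among prefix locations by the longest match, not by their order in the file. The model below is an added example written for this page, not nginx's own code; the prefixes and upstream names come from the two answers, and pick_location, upstream_uri and route are hypothetical names.

```python
"""Model of nginx prefix-location selection and proxy_pass URI mapping.
Added example for this page (not nginx code); it encodes the documented
behaviour of the `location` and `proxy_pass` directives for prefix locations."""

from urllib.parse import urlsplit


def pick_location(request_path, locations):
    """Return the longest prefix in `locations` matching request_path, or None.

    nginx picks the prefix location with the longest match regardless of the
    order in the config file (regex locations are not modelled here).
    """
    best = None
    for prefix in locations:
        if request_path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


def upstream_uri(request_path, location_prefix, proxy_pass):
    """URI nginx sends upstream for one matched prefix location.

    proxy_pass http://host;       -> no URI part, request URI passed as-is
    proxy_pass http://host/path/; -> the matched prefix is replaced by /path/
    """
    target_path = urlsplit(proxy_pass).path
    if target_path == "":
        return request_path
    return target_path + request_path[len(location_prefix):]


def route(request_path, locations):
    """Return (upstream host, upstream URI), or None when no location matches.

    `locations` maps a location prefix to its proxy_pass value.
    """
    prefix = pick_location(request_path, locations)
    if prefix is None:
        return None
    proxy_pass = locations[prefix]
    return urlsplit(proxy_pass).netloc, upstream_uri(request_path, prefix, proxy_pass)


# Constructed location tables mirroring the two answers on this page.
BLOG_SITE = {"/": "http://youraspnet40server", "/blog": "http://yourblogserver"}
SITE1 = {"/site1/": "http://site1/"}

if __name__ == "__main__":
    for path in ("/blog/hello-world", "/about", "/blogger"):
        print(path, "->", route(path, BLOG_SITE))
    print("/site1/params ->", route("/site1/params", SITE1))
```

Two things the output makes visible: location /blog without a trailing slash also captures /blogger, so location /blog/ is the safer prefix, and the blog upstream receives /blog/hello-world rather than /hello-world, so the WordPress site must be configured to serve under /blog unless proxy_pass is given a trailing-slash URI as in the /site1/ answer.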

nginx removes content length http header after proxy_pass

I have a problem that nginx removes the content-length header after the proxy pass. The application back-end sends a gzip stream but specifies the content length. NGINX changes the content-type to chunked and removes the content-length header. This is not acceptable for the app, since it is read not by the browser but by a proprietary app that requires the content-length to be specified.
After specifying chunked_transfer_encoding off; it stops adding the content-type header but still removes the content-length. How to disable any header modifications in nginx?
The config:
upstream backend {
    server 127.0.0.1:9090;
}

server {
    root /usr/share/nginx/www;
    index index.html index.htm;
    chunked_transfer_encoding off;

    location / {
        proxy_pass http://backend;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
This was a known bug in nginx in the past. Update to the latest build.
http://forum.nginx.org/read.php?2,216085,216085#msg-216085