Has anyone run into the problem of mod-security only allowing one set-cookie through a proxy request response? We are using nginx with mod-security and seeing all but the last set-cookie be removed by nginx on the response from our application server. We are applying the mod-security in the location section
location ~* ^/(test|securitytest|$) {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
create_full_put_path on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://app;
proxy_read_timeout 10;
proxy_redirect off;
}
there was a bug in modsecurity+nginx that was dropping all except one cookie for each request. It was fixed, have a look at:
https://github.com/SpiderLabs/ModSecurity/issues/154
Related
I am configuring a odoo server to block certain routes for people outside of some networks. I am using Nginx as a reverse proxy on this server.
My issue is with the route /web/session/lougout. When i add the two following blocks to my config, browsers start caching the 303 answer from the route and stop sending headers to the server. Since the headers are missing, it prevents the server from invalidating the session and leads to a bunch of issues.
location ~ ^/web/ {
add_header Content-Security-Policy upgrade-insecure-requests;
proxy_pass http://odoo-xxx-test;
proxy_buffering on;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
expires 864000;
allow *some ip* ;
allow *some ip* ;
allow *some ip* ;
deny all;
}
location ~ ^\/web\/(action\/|content\/|static\/|image\/|login|session\/|webclient\/) {
add_header Content-Security-Policy upgrade-insecure-requests;
proxy_pass http://odoo-xxx-test;
proxy_cache_valid 200 60m;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering on;
expires 864000;
}
From my understanding, the first location should deny access to all routes outside of the 3 allowed ips and the second should allow everyone outside of those 3 ips to access those 7 routes. I dont understand how those two block affect the caching of the /web/session/logout route, removing those two directives fixes the issues but this behavior is in the requirements for the projects.
Any help would be welcome!
Found the solution to my issue, turns out the expires directive was making the NGINX server cache the 303 response and serve it without contacting the server behind the proxy.
Removing the expires directive from both location fixed our issue.
Okay so I've set up a nginx server that proxies to another 2 servers with load balancing. The only thing now missing are the cookies.
I've been searching numerous forums and questions regarding the rewriting of cookies. Can anyone please give me insight as to how to fix this issue?
The web application deployed to the 2 servers are written with Vaadin.
The 2 servers are running TomEE on port 8080 and 8081 for example.
I'm rewriting through nginx from easy.io to server1:8080 and server2:8080.
Refer to image below: when navigating to server1:8080/myapplication all my cookies are available.
https://ibb.co/X86pvCq
https://ibb.co/0M0GjCt
Refer to image below: when navigating to http://worksvdnui.io/ my cookies are not available.
https://ibb.co/qBkBRqb
I've tried using proxy_cookie_path, proxy_set_header Cookie $http_cookie but to no avail.
Here's the code:
upstream worksvdnuiio {
# ip_hash; sticky sessions!
ip_hash;
# server localhost:8080;
server hades:9090;
server loki:9090;
}
server {
listen 80;
listen [::]:80;
server_name worksvdnui.io;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location /PUSH {
proxy_pass "http://worksvdnuiio/test.qa.gen/PUSH";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_ignore_client_abort off;
proxy_read_timeout 84600s;
proxy_send_timeout 84600s;
break;
}
location / {
proxy_pass "http://worksvdnuiio/test.qa.gen/";
proxy_cookie_path /test.qa.gen/ /;
proxy_set_header Cookie $http_cookie;
proxy_pass_request_headers on;
}
}
Any insight would be VALUABLE!
Thanks in advance.
Trying to get nginx to use cookies when using proxy_pass, but all of the configurations I've tried so far don't seem to pass them. Pretty much at a loss as to what I'm doing wrong.
location / {
proxy_set_header Accept-Encoding "";
proxy_pass https://example.com/;
proxy_set_header Host example.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Cookie $http_cookie;
proxy_pass_request_headers on;
proxy_cookie_domain proxy.net example.com;
}
Is the most recent block I've tried, but still no go
I am trying to hit a URL on nginx which be proxied to Netty, for a particular URL I am getting net::ERR_INCOMPLETE_CHUNKED_ENCODING on chrome and on Safari some times it works and some times not.
Here is the configuration:
location /service-order-api {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host:$server_port;
proxy_pass http://service_order_api;
#proxy_read_timeout 120;
proxy_set_header X-Real-IP $remote_addr;
#proxy_buffer_size 2k;
#proxy_buffers 8 24k;
proxy_redirect off;
#proxy_buffering off;
chunked_transfer_encoding on;
}
Try setting this option for your server:
proxy_buffering off;
Don't know the reason, but this solved my case.
I currently have two WORDPRESS websites sitting behind an NGINX proxy cache:
htxtp://local.example.com
htxtp://local.example.org
I want to access a URL from the first site but serve it from the second site whilst not losing the URL structure of the first (to allow website2.com to see the website1.com cookies).
For example:
I want:
htxtp://local.example.com/somepage/
To proxy the page built at:
htxtp://local.example.org/somepage/
BUT I don't want the URL to BE htxtp://local.website2.com.
My NGINX config is as follows:
server {
listen 80;
server_name local.example.com;
access_log logs/local.example.com.access.log;
error_log logs/local.example.com.error.log;
location /somepage {
proxy_pass http://localhost:8080;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host local.example.org;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
proxy_pass http://localhost:8080;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host local.example.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Any suggestions? I am trying to work out where the actual redirect is happening.