NGINX as reverse proxy - forwarding not working - https

I've the following:
HTTPS access to a NAS or something like that.
NGINX as reserve proxy as container
Container with a Tomcat as appcontainer.
NAS forwards HTTPS request as HTTP to NGINX container. Then NGINX container forwards HTTP request to my appcontainer.
I can access to my appcontainer login page but after login a POST is made as follows
Nginx access.log
POST /foo/login.do HTTP/1.1" 302 0 "https://nas.dns.server/foo/login.do
In localhost_access.log in appcontainer tomcat shows
POST /foo/doLogin.do HTTP/1.0" 302
And request as HTTP to the NAS
It seems that is ignoring X-Forwarded-Proto header.
My nginx.conf is configured as follows:
server {
listen 80;
server_name $hostname;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
error_log /dev/stdout info;
access_log /dev/stdout;
client_max_body_size 100M;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
resolver 127.0.0.11 valid=30s;
sendfile on;
location /foo {
proxy_set_header Origin "";
set $appcontainer http://appcontainer:8080;
proxy_pass $appcontainer;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https; #I’ve also tested with $scheme
}
}
Thanks

Having a look to the Developer Tool of Chrome in the Network tab in can see that for the call of login.do there is Request URL: https://entry.proxy.url/foo/doLogin.do but in the Response Headers I can see what is generating the problem Location: http://proxy.entry.url/foo/login.do that must be Location: https://proxy.entry.url/foo/login.do .
I've tried doing redirection as proxy_redirect http://entry.proxy.url/ https://csprocure.ciport.be/; in the location and it works.
So location is set as:
location /foo {
proxy_set_header Origin "";
set $appcontainer http://appcontainer:8080;
proxy_redirect http://proxy.entry.url/ https://proxy.entry.url/;
proxy_pass $appcontainer;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https; #I’ve also tested with $scheme
}

Related

Nginx Reverse Proxy for Web Socket giving error failed (111: Connection refused) while connecting to upstream,

I recently added websockets to my Nginx reverse proxy on GCP. However, nginx proxy gives me an error "Connection refused while connecting to upstream. upstream: "http://127.0.0.1:3000/apisocket.io/?EIO=4&transport=polling&t=NrYupkL", . Not sure what us wrong.
The Websocket works fine if I bypass Nginx.For some reason the error.og shows it as trying to connect to upstream on port 3000 instead of port 4000
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# Make site accessible from http://localhost/
server_name localhost www.localhost.com;
gzip on;
gzip_proxied any;
gzip_vary on;
gzip_http_version 1.1;
gzip_types application/javascript application/json text/css text/xml;
gzip_comp_level 5;
gzip_min_length 256;
location / {
proxy_pass http://localhost:3000/api;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
location /api {
proxy_pass http://localhost:3000/api;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
location /api2 {
proxy_pass http://localhost:4000/api2;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# Websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

How to set up Nginx proxy

I have some problems with setting the Nginx proxy. I hope it works like the below example.
Http or Https call(http://example.com/api/user/info)
-> Nginx(/api location work for proxy)
-> Spring boot(http://example.com:8443/user/info)
But it goes to http://example.com:8443/api/user/info.
Please help me.
location /api/ {
proxy_pass http://example.com:8443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_max_temp_file_size 0;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffer_size 8k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
Try with trailing slash
like below:-
proxy_pass http://example.com:8443/;

nginx redirect only fails with firefox

I am using the following config file for nginx and it works fine with Chrome but not with Firefox. With Firefox, I get the following error:
"Firefox has detected that the server is redirecting the request for
this address in a way that will never complete."
Clearing the cookies and cache if Firefox does not help.
upstream dev_server {
server 127.0.0.1:8100 fail_timeout=0;
}
server {
listen 80;
server_name subdomain.pro.domain.com;
location /blog {
proxy_pass http://dev_server;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
location / {
rewrite ^(.*)$ https://subdomain.pro.domain.com$1;
}
}
server {
listen 443;
ssl on;
server_name subdomain.pro.domain.com;
ssl_certificate /etc/nginx/star.pro.domain.com.crt;
ssl_certificate_key /etc/nginx/star.pro.domain.com.key;
### SSL settings here ###
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 60;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security max-age=500;
location /blog {
rewrite ^(.*)$ http://subdomain.pro.domain.com$1;
}
location / {
proxy_pass http://dev_server;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $http_host;
proxy_set_header X-M-Secure "true";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_max_temp_file_size 0;
proxy_redirect off;
}
}
Found the issue.
Because the /blog redirected to HTTP and all other paths redirected to HTTPS, the problem was with the following configuration line:
add_header Strict-Transport-Security max-age=500;
When I commented out that line, the issue went away.

nginx proxy all traffic to remote nginx

I have 2 servers,
with IP xx.xx.xx.xx, situated in Germany ... (running frontend: nginx(static content), backend: Apache2)
with IP yy.yy.yy.yy, situated in Italy...
All requests at the moment is sending to server with IP xx.xx.xx.xx,
How can I proxy all traffic from xx.xx.xx.xx to yy.yy.yy.yy using nginx ...
request proxy, request
Internet -> xx.xx.xx.xx(nginx) -> yy.yy.yy.yy(nginx, Apache)
<- <-
response proxy, response
For others. Answer for subject is configure Nginx like:
server {
listen 80;
server_name mydomain.example;
location / {
access_log off;
proxy_pass http://mydomain.example:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
You can use upsteream like:
upstream xx.xx.xx.xx:8080{
#ip_hash;
server xx.xx.xx.xx:8080 max_fails=2 fail_timeout=2s;
server yy.yy.yy.yy:8181 max_fails=2 fail_timeout=2s;
}
then you can use the cookie or header to set the request like:
location /app {
if ($cookie_proxy_override = "proxy-target-A") {
rewrite . http://xx.xx.xx.xx:8080/app;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
break;
}
if ($cookie_proxy_override = "proxy-target-B") {
rewrite . http://yy.yy.yy.yy:8181/webreg;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
break;
}
proxy_pass http://xx.xx.xx.xx:8080/webreg;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Nginx Proxy for a GitHub Page?

We have a blog that we host on github with Jekyll; it is there : http://blog.superfeedr.com
Ideally, I want it to be at http://superfeedr.com/blog/ because we need to add some AJAX and we need to avoid the "Same Origin Policy" problems.
We use Nginx on our "main" webserver, and I have the following setup :
location /blog/ {
proxy_pass http://blog.superfeedr.com/;
proxy_redirect off;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
Unfortunately, as you can see if you go to http://superfeedr.com/blog/ this obviously doesn't work. Oddly enough, we're redirected to Github's homepage.
PS: obviously, we could host the blog on our main server, but the goal is to host it on a different host so that we can almost guarantee it to be online if the site is down...
First, nginx does not send Host header to the blog.superfeedr.com. This makes it send all the required headers:
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Second, some url rewriting required. By some weird reason this depends on the version of nginx you are using. Anyway,
for 0.6.x (0.6.32 for me) this should work:
location /blog {
rewrite ^/blog(.*)$ /$1 last;
error_page 402 = #blog;
return 402;
}
location #blog {
proxy_pass http://blog.superfeedr.com;
# the rest of proxying parameters should be here
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
You also need to cover all the paths the blog refers to (css, images etc), e.g.
location /css {
error_page 402 = #blog;
return 402;
}
For 0.7.59:
location /blog {
set $blog 1;
rewrite ^/blog(.*)$ /$1 last;
}
location /css {
set $blog 1;
error_page 402 = #blog;
return 402;
}
location / {
if ($blog) {
error_page 402 = #blog;
return 402;
}
# here is where default settings for / should be
root /usr/local/www/nginx/;
}
location #blog {
proxy_pass http://blog.superfeedr.com;
# the rest of proxying parameters should be here
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Another way to do this (but without involving nginx) could be with a DNS directive. I think most DNS services offer URL forward service.
For example, in hover.com, first add blog with A directive to 64.99.80.30 under DNS tab, and then in the Forward tab, add blog forward to http://superfeedr.com/blog/
In dnsimple.com, it's simpler, just add blog URL record to forward to http://superfeedr.com/blog/
These forwards, I believe, also work for https:// type URLs.

Resources