I need to rewrite URLs like *.lang.domain.com to lang.domain.com and I successfully did it using nginx rewrite module. I have wildcard certificate *.domain.com and it can't secure 4 level domain like test.lang.domain.com
Main problem is when users type https://bla-bla.lang.domain.com in their browser they firstly get a notice about connection is not secure. Then they need to click advanced and proceed https://bla-bla.lang.domain.com (unsafe). After that they will be redirected to https://lang.domain.com.
So my question is whether it is possible to do redirect before https-connection has been established in nginx? Or can it be achieved on some upper-level?
server {
listen 80 default;
server_name www.domain.com domain.com *.domain.com;
if ($host ~* "^.+\.(.+\.domain\.com)$") {
set "$domain" "$1";
rewrite ^(.*)$ https://$domain$uri permanent;
}
return 301 https://$host$request_uri;
}
server {
listen 443 default;
server_name www.domain.com domain.com *.domain.com;
if ($host ~* "^.+\.(.+\.domain\.com)$") {
set "$domain" "$1";
rewrite ^(.*)$ https://$domain$uri permanent;
}
ssl on;
ssl_certificate /etc/ssl/domain.com/domain.com.ca-bundle;
ssl_certificate_key /etc/ssl/domain.com/domain.com.key;
include "conf.d/ssl_settings.default";
include "conf.d/redirect.ssl.default";
include "conf.d/logger_front.default";
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTPS on;
proxy_pass https://somestream;
}
}
Redirects happen after a secure connection is established. So no, you cannot have a redirect to handle your particular case.
Related
I have recently setup JFrog Artifactory OSS and I have it running behind a nginx reverse proxy with a Lets Encrypt SSL certificate.
I can access the site fine (without inputting the port etc). However; when I click the "Set me up" button on a repository; it has the port in the <url> field. It's displaying like this;
https://sub.domain.net:443/artifactory/maven-releases/
I have set Artifactorys base URL to https://sub.domain.net/
I have included my configuration for nginx.
server {
server_name www.sub.domain.net sub.domain.net;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
rewrite ^/$ /ui/ redirect;
rewrite ^/ui$ /ui/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 2400s;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://xxx.xx.xxx.xx:8082;
proxy_next_upstream error timeout non_idempotent;
proxy_next_upstream_tries 1;
proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location ~ ^/artifactory/ {
proxy_pass http://xxx.xx.xxx.xx:8081;
}
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sub.domain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub.domain.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = www.sub.domain.net) {
return 301 https://$host$request_uri;
}
if ($host = sub.domain.net) {
return 301 https://$host$request_uri;
}
listen 80 ;
server_name www.sub.domain.net sub.domain.net;
return 404;
}
Any help you can provide will be greatly appreciated. Thanks.
My application is split as:
Nuxt frontend website in a repository
Laravel backoffice AND API in a different repository (same server)
What I'm trying to achieve is setting up nginx into two server blocks, so that:
Nuxt is served via port 3000 (reverse proxy)
Laravel's backoffice is served as a regular php webpage on port 80
The API is served on port 8000 so that the website can fetch data
These are my HTTP configs:
API and backoffice
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
root /var/www/api/public;
server_name api.website.com;
index index.php index.html;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location /api {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8000;
proxy_read_timeout 90;
proxy_redirect http://localhost:8000 https://api.website.com;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location ~ /\.ht {
deny all;
}
ssl_certificate /etc/letsencrypt/live/api.website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.website.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Website
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name website.com www.website.com;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000;
}
ssl_certificate /etc/letsencrypt/live/www.website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.website.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
With these settings on nginx I'm getting a 403 when I try to reach the backoffice, and while the website works, I'm getting a gateway timeout ("Error occured while trying to proxy to") in any request I make.
How can I have it so that I can:
Browse to api.website.com and have the Laravel + Vue.js website open up
Browse to website.com and have the compiled Nuxt website open and fetching API data from api.website.com:8000
Both of these while under HTTPS
Any help would be greatly appreciated.
I have configured reverse proxy for Rundeck behind Nginx. Below is the Rundeck.conf which is placed in the path /etc/nginx/sites-enabled
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 80 ;
server_name ~(?<repo>.+)\.pilot1 pilot1;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/pilot1.ci1.peapod.com-access.log timing;
## error_log /var/log/nginx/pilot1.ci1.peapod.com-error.log;
# rewrite ^/$ /rundeck/menu/home redirect;
rewrite ^/rundeck/?(/rundeck)?$ /rundeck/menu/home redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location ^~ /rundeck/ {
proxy_pass http://localhost:4440;
proxy_read_timeout 900;
}
}
Reverse proxy works fine when I browse and login to Rundeck.But when I click log out the redirection to the login page exposes the port:4440
as below
LOGIN----> pilot1/rundeck redirects to pilot1/rundeck/menu/home (works fine)
Logout---> pilot1:4440/rundeck/user/loggedout
I do not want the port to be exposed. How do i fix this issue?
Here is what I had to do:
In NGINX config under an appropriate 'server' section set up a location:
location /rundeck/ {
proxy_pass http://localhost:4440;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Rundeck config:
sed -i "/^grails.serverURL/c grails.serverURL = ${RUNDECK_URL}" /etc/rundeck/rundeck-config.properties
sed -i "/^framework.server.url/c framework.server.url = ${RUNDECK_URL}" /etc/rundeck/framework.properties
sed -i '/^RDECK_JVM="$RDECK_JVM/ s/"$/ -Dserver.web.context=\/rundeck"/' /etc/rundeck/profile
where RUNDECK_URL should point to you NGINX ip (dns name) so http://my-nginx.com/rundeck
i am trying to configure nginx to proxy pass the request to another server,
only if the $request_body variable matches on a specific regular expression.
My problem now is, that I don't how to configure this behaviour exactly.
I am currently down to this one:
server {
listen 80 default;
server_name test.local;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
if ($request_body ~* ^(.*)\.test) {
proxy_pass http://www.google.de;
}
root /srv/http;
}
}
but the problem here is, that root has always the upperhand.
the proxy won't be passed either way.
any idea on how I could accomplish this?
thanks in advance
try this:
server {
listen 80 default;
server_name test.local;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
if ($request_body ~* ^(.*)\.test) {
proxy_pass http://www.google.de;
break;
}
root /srv/http;
}
}
Nginx routing is based on the location directive which matches on the Request URI. The solution is to temporarily modify this in order to forward the request to different endpoints.
server {
listen 80 default;
server_name test.local;
if ($request_body ~* ^(.*)\.test) {
rewrite ^(.*)$ /istest/$1;
}
location / {
root /srv/http;
}
location /istest/ {
rewrite ^/istest/(.*)$ $1 break;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://www.google.de;
}
}
The if condition can only safely be used in Nginx with the rewrite module which it is part of. In this example. The rewrite prefixes the Request URI with istest.
The location blocks give precedence to the closest match. Anything matching /istest/ will go to the second block which uses another rewrite to remove /istest/ from the Request URI before forwarding to the upstream proxy.
We have a blog that we host on github with Jekyll; it is there : http://blog.superfeedr.com
Ideally, I want it to be at http://superfeedr.com/blog/ because we need to add some AJAX and we need to avoid the "Same Origin Policy" problems.
We use Nginx on our "main" webserver, and I have the following setup :
location /blog/ {
proxy_pass http://blog.superfeedr.com/;
proxy_redirect off;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
Unfortunately, as you can see if you go to http://superfeedr.com/blog/ this obviously doesn't work. Oddly enough, we're redirected to Github's homepage.
PS: obviously, we could host the blog on our main server, but the goal is to host it on a different host so that we can almost guarantee it to be online if the site is down...
First, nginx does not send Host header to the blog.superfeedr.com. This makes it send all the required headers:
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Second, some url rewriting required. By some weird reason this depends on the version of nginx you are using. Anyway,
for 0.6.x (0.6.32 for me) this should work:
location /blog {
rewrite ^/blog(.*)$ /$1 last;
error_page 402 = #blog;
return 402;
}
location #blog {
proxy_pass http://blog.superfeedr.com;
# the rest of proxying parameters should be here
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
You also need to cover all the paths the blog refers to (css, images etc), e.g.
location /css {
error_page 402 = #blog;
return 402;
}
For 0.7.59:
location /blog {
set $blog 1;
rewrite ^/blog(.*)$ /$1 last;
}
location /css {
set $blog 1;
error_page 402 = #blog;
return 402;
}
location / {
if ($blog) {
error_page 402 = #blog;
return 402;
}
# here is where default settings for / should be
root /usr/local/www/nginx/;
}
location #blog {
proxy_pass http://blog.superfeedr.com;
# the rest of proxying parameters should be here
proxy_set_header Host blog.superfeedr.com;
proxy_set_header X-Host blog.superfeedr.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Another way to do this (but without involving nginx) could be with a DNS directive. I think most DNS services offer URL forward service.
For example, in hover.com, first add blog with A directive to 64.99.80.30 under DNS tab, and then in the Forward tab, add blog forward to http://superfeedr.com/blog/
In dnsimple.com, it's simpler, just add blog URL record to forward to http://superfeedr.com/blog/
These forwards, I believe, also work for https:// type URLs.