I have a rest-api service running on :8080, the frontend runs :3000
If user interact with frontend :8080 (HTTPS enabled), when data sent :3000 (same ip different port) is this still secure?
Should I also be passing via HTTPS / SSL to the backend rest-api?
In /etc/nginx/sites-available I have:
location ~* ^/api {
rewrite ^/api/(.*) /$1 break;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:8080;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
}
```
Related
can you help on the nginx configration .
my application on node express js I have two application express js i want to run in single domain.
This my server like : app.example.com
app1 run :- app.example.com/allinone/
app2 run :-app.example.com/app/
I am using the express redirect based on the root URL redirect.
res.redirect('/login')
this response redirects to the root server domain URL I want that to redirect to the location URL.
here my nginx server block code
server {
listen [::]:80;
listen 80;
server_name app.example.com;
location /allinone/ {
proxy_set_header Host $host;
proxy_redirect ~/(.*)$ /allinone/$1;
proxy_pass http://127.0.0.1:5002;
}
location /app/ {
proxy_set_header Host $host;
proxy_redirect ~/(.*)$ /app/$1;
proxy_pass http://127.0.0.1:5000;
}
}
app is working with the location host when i move to production with sub url it was not working.
I have also tried those solutions.
Express.js redirect with virtual path
proxy_set_header Host $host;
#replase with
proxy_set_header Host $http_host;
Express.js redirect with virtual path
Nginx is redirecting proxy_pass to root path automatically
Error
This page isn’t working app.example.com redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS
I have tried a new clean browser but still have the same Error.
but direct open api GET endpoint /allinone/openapi not working.
My doubt begins because I have an nginx and a number of dockerized apis in a virtual machine. In my nginx.conf file I have each api defined as follows:
location /items {
set $backend_server http://api-items:8080;
# Access swagger via proxy
location ~ ^(/items/).*\.(js|css|html|png|json)$ {
set $backend_server http://api-items:8080;
rewrite ^/items/(.*)$ /$1 break;
proxy_pass $backend_server;
}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass $backend_server/items;
}
For nginx to build correctly I need to have all the APIs built in my virtual machine.
The question is if I can have this directive for a service (url) that is not working. I don't know if there is a way to mark a url so that if the proxy_pass doesn't work, nginx doesn't throw you down.
Conditionals in location directives for nginx configuration
I'm having a problem with a nginx configuration which I use as a reverse proxy for different containerized applications.
Basically Nginx is listening on port 80 and is redirecting every request to https. On different subdomains I'll then proxy pass to the port of the applications.
For example my gitlab config:
server {
listen 443 ssl; # managed by Certbot
server_name gitlab.foo.de www.gitlab.foo.de;
location /{
proxy_pass http://localhost:1080;
}
I'm redirecting to the gitlab http (not https) port. The systems nginx is taking care of SSL, I don't care if the traffic behind is encrypted or not.
This has been working for every app since yesterday.
I'd like to test https://github.com/bitnami/bitnami-docker-osclass for an honorary association. Same config as above but it is not working as intended.
Ressources are downloaded via https while the main page is getting a redirect to http.
Exmaple: https://osclass.foo.de --> redirect --> http://osclass.foo.de:1234/ (yes with the port in the domain which is very strange)
I don't get why? So I changed the config a little to:
server {
listen 443 ssl; # managed by Certbot
server_name osclass.foo.de www.osclass.foo.de;
location /{
proxy_pass http://localhost:1234;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Now the mainpage is loaded via https and I don't have the port in my domain anymore. But the whole page is broken because no ressources will be loaded due to
"mixed-content warning".
SEC7111: [Mixed-Content] Origin "https://osclass.foo.de" [...] "http://osclass.foo.de/oc-includes/osclass/assets/js/fineuploader/fineuploader.css"
Do I have a conflict with the integrated apache in the docker image or what am I doing wrong?
Any hints are appretiated!
Kind regards from Berlin!
I found a solution to fix the mixed content problem. I just edited the following line in
/opt/bitnami/osclass/config.php
# define('WEB_PATH', 'http://osclass.foo.de/');
define('WEB_PATH', 'https://osclass.foo.de/'); # with https
I'm running Gitlab behind my Nginx.
Server 1 (reverse proxy): Nginx with HTTPS enabled and following config for /git:
location ^~ /git/ {
proxy_pass http://134.103.176.101:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
If I dont change anything on my GitLab settings this will work but is not secure because of external http request like:
'http://www.gravatar.com/avatar/c1ca2b6e2cd20fda9d215fe429335e0e?s=120&d=identicon'. This content should also be served over HTTPS.
so if I change the gitlab config on hidden server 2 (http gitlab):
external_url 'https://myurl'
nginx['listen_https'] = false
as said in the docu. I will get a bad gateway error 502. with no page loaded.
what can I do ?
EDIT: Hacked it by setting:
gitlab_rails['gravatar_plain_url'] = 'https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
to https... this workes but is not a clean solution. (clone url is still http://)
I run a similar setup and I ran into this problem as well. According to the docs:
By default, when you specify an external_url starting with 'https', Nginx will no longer listen for unencrypted HTTP traffic on port 80.
I see that you are forwarding your traffic over HTTP and port 80, but telling GitLab to use an HTTPS external URL. In this case, you need set the listening port.
nginx['listen_port'] = 80 # or whatever port you're using.
Also, remember to reload the gitlab configuration after making changes to gitlab.rb. You do that with this command:
sudo gitlab-ctl reconfigure
For reference, here is how I do the redirect:
Nginx config on the reverse proxy server:
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_pass http://SERVER_2_IP:8888;
}
The GitLab config file, gitlab.rb, on the GitLab server:
external_url 'https://gitlab.domain.com'
nginx['listen_addresses'] = ['SERVER_2_IP']
nginx['listen_port'] = 8888
nginx['listen_https'] = false
I am trying to use nginx to enforce basic authentication before allowing access to the H2 database web console. This console is running on https://localhost:8084
In my nginx.conf, I have:
location /h2 {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass https://localhost:8084/;
}
What I want it to do is proxy requests for /h2 to H2's webserver. This configuration works for the first request, however the H2 server immediately sends a HTTP redirect for "/login.jsp" which is getting sent to my browser as "/login.jsp" and not "/h2/login.jsp". This means that when my browser requests the page, the request fails because only urls at location "/h2" get passed to the H2 webserver.
How can I append "/h2" to any redirects returned by the H2 webserver? I tried the following:
proxy_redirect https://localhost:8084/ https://$host/h2;
but it didnt do anything.
This seems to be a nginx config problem. Try location /h2/ (with trailing slash) instead of location /h2 in the nginx.conf. And then connect to http://localhost/h2/. You don't need any reverse-proxy config, as the H2 Console tool doesn't use absolute URLs (it redirects goes to "login.jsp" and not to "/login.jsp"). The problem is that http://localhost:/h2 is a 'file name', whereas http://localhost:/h2/ is a 'directory'.