ASP.NET Core behind NGINX Reverse Proxy - asp.net-core

I have a problem trying to run my ASP.NET Core 3 App behind a NGINX reverse proxy.
I am following this guide:
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-3.1
I am using Let's Encrypt for my SSL certificate and proxy_pass to a different machine in my local network. I do not really know how to fix this problem. I already tried to secure the connection between the reverse proxy and the Kestrel server with SSL, but this still does not work. Any help would be greatly appreciated.
My NGINX Site.conf file is the following:
upstream dotnet {
    zone dotnet 64k;
    server 192.168.3.222:5000;
}

server {
    server_name MyDomain.net *.MyDomain.net;

    location / {
        proxy_pass http://dotnet;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        access_log /var/log/nginx/MyDomain.access.log;
        error_log /var/log/nginx/MyDomain.error.log;
    }

    location = /favicon.ico {
        log_not_found off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = MyDomain.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name MyDomain.net;
    return 404; # managed by Certbot
}
The ASP.NET Core app is running on a different machine (local IP: 192.168.3.222) than the NGINX reverse proxy (local IP: 192.168.3.111).
If I set up an NGINX reverse proxy on the machine the ASP.NET Core app is running on and proxy_pass to 127.0.0.1:5000, I can access it over the local network without problems.
I also configured the Startup.cs to accept my reverse proxy:
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Configure Headers. Required by Nginx RProxy
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Only these sources are trusted to supply X-Forwarded-* headers
            options.KnownProxies.Add(IPAddress.Parse("192.168.3.111"));
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("192.168.3.0"), 24));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceProvider serviceProvider)
    {
        // Forward Headers required by Nginx RProxy (must run before HTTPS redirection)
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
    }
}
If I try to access MyDomain.net I get a 502 Bad Gateway, so the reverse proxy cannot connect to the app. The example in the documentation uses a reverse proxy on the same machine as the Kestrel server.
The NGINX Error Log is the following:
failed (111: Connection refused) while connecting to upstream, client: 0.0.0.0.1, server: mydomain.net, request: "GET / HTTP/1.1", upstream: "http://192.168.3.222:5000/$
, host: "mydomain.net"
The machine with the Kestrel server allows incoming traffic on ports 5000 and 5001.
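To make the trust rules of the KnownProxies/KnownNetworks configuration in the question concrete, here is an added Python model (not the framework's or the asker's code) of how the forwarded-headers middleware decides whether to honour X-Forwarded-For and X-Forwarded-Proto; it is a simplified model of the middleware rather than its source, and the request values are constructed.

```python
import ipaddress

# Trust configuration taken from the Startup.cs in the question above.
KNOWN_PROXIES = {ipaddress.ip_address("192.168.3.111")}
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.3.0/24")]


def is_known_proxy(addr: str) -> bool:
    """True if this hop is allowed to supply X-Forwarded-* headers."""
    ip = ipaddress.ip_address(addr)
    return ip in KNOWN_PROXIES or any(ip in net for net in KNOWN_NETWORKS)


def apply_forwarded_headers(remote_addr, scheme, headers, forward_limit=1):
    """Return the (remote address, scheme) the application will see.

    Simplified model of the middleware: X-Forwarded-For is consumed
    right-to-left, one entry per hop, and an entry is accepted only if the
    hop that sent it is a known proxy and ForwardLimit (default 1) allows
    another hop. X-Forwarded-Proto entries are applied alongside the
    accepted X-Forwarded-For entries, never for rejected ones.
    """
    def split(name):
        return [v.strip() for v in headers.get(name, "").split(",") if v.strip()]

    xff, xfp = split("X-Forwarded-For"), split("X-Forwarded-Proto")
    current_ip, current_scheme, hops = remote_addr, scheme, 0
    while xff and (forward_limit is None or hops < forward_limit):
        if not is_known_proxy(current_ip):
            break  # sender is not a trusted proxy: its headers are ignored
        candidate = xff.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: stop processing, as the middleware does
        if xfp:
            current_scheme = xfp.pop()
        current_ip, hops = candidate, hops + 1
    return current_ip, current_scheme


if __name__ == "__main__":
    # Constructed requests: one via the nginx host, one from a client that
    # sends the same headers directly and must not be believed.
    hdrs = {"X-Forwarded-For": "203.0.113.5", "X-Forwarded-Proto": "https"}
    print(apply_forwarded_headers("192.168.3.111", "http", hdrs))  # ('203.0.113.5', 'https')
    print(apply_forwarded_headers("198.51.100.7", "http", hdrs))   # ('198.51.100.7', 'http')
```

With a second trusted hop in the chain, `forward_limit=None` (the `ForwardLimit = null` setting) walks back to the original client, while the default of 1 stops at the first hop.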

Related

Expressjs + Peerjs + nginx : Unable to connect to Peerjs server

I am working on building a video app using expressjs and peerjs. I am getting the below error while connecting to the peerjs server. The app is running behind a proxy server (nginx). The code works fine on my local machine (I am not using a proxy server while testing locally).
`GET https://<servername>/peerjs/id?ts=16228299262200.9619575641336071 404 (Not Found)`
I get the following result when I open "https://<servername>/peerjs", so I assume that I am able to connect to the peerjs server. I do not understand why I am getting the above error.
{"name":"PeerJS Server","description":"A server side element to broker connections between PeerJS clients.","website":"https://peerjs.com/"}
I am combining peerjs with expressjs:
// app and server as used below (not shown in the original snippet)
const express = require('express');
const app = express();
const server = require('http').createServer(app);

const ExpressPeerServer = require('peer').ExpressPeerServer;
const peerServer = ExpressPeerServer(server, {
    debug: true,
    proxied: true,
});
app.use('/peerjs', peerServer);
Client-side code:
let myPeer = new Peer({ host: 'servername', secure: true });
Below is the configuration for nginx:
server {
    server_name <server_name>;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<server_name>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<server_name>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = <server_name>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name <server_name>;
    return 404; # managed by Certbot
}
PS: I am new to nodejs and nginx. I feel I am missing something very basic that I am not able to figure out.
Hi, in your nginx config file add /peerjs to proxy_pass. So your location block should look something like:
location / {
    proxy_pass http://localhost:3000/peerjs;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

How to configure Websocket secure (wss) on a Nginx node server?

I tried to configure a WebSocket proxy on my Nginx server, but unfortunately I can't get it working. I have read various forums but cannot get out of it. I think it has something to do with the client connection to the server. Locally on my PC everything is working fine.
client code:
var port = new osc.WebSocketPort({
    url: "wss://circusfamilyprojects.nl/"
});
server code:
var WebSocket = require('ws'); // required for WebSocket.Server below
var wss = new WebSocket.Server({
    port: 8083
});
This is my configuration in Nginx:
# custom code for hop by hop headers
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# custom code for connection with websocket; this is the port on the server
upstream websocket {
    server 178.62.209.37:8083;
}

server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/circusfamilyprojects.nl/fullchain.pem; # managed by Cert$
    ssl_certificate_key /etc/letsencrypt/live/circusfamilyprojects.nl/privkey.pem; # managed by Ce$
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/html/vue/cfdomotica/server/public;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name circusfamilyprojects.nl www.circusfamilyprojects.nl; # managed by Certbot

    location / {
        proxy_pass http://websocket;
        proxy_set_header HOST $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    if ($host = www.circusfamilyprojects.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = circusfamilyprojects.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 8080;
    listen [::]:8080;
    server_name circusfamilyprojects.nl;
    return 404; # managed by Certbot
}
In my browser I get the message "Status Code: 426 Upgrade Required". I hope someone can help me, thanks in advance!
I solved it myself by separating a server block for port 443 and a server block for the WebSocket client. I did the server block for the client on port 8086.

Deploy asp.net core mvc behind NGINX that does SSL Termination - Redirects to non secure login page

When requesting the site via SSL and not authenticated https://example.com
I get redirected to http://example.com/Account/Login
I have NGINX running at the edge as a load balancer that terminates the SSL and proxies the request as http to IIS.
NGINX Config
server {
    server_name example.com;
    listen 443 ssl;

    location / {
        proxy_pass http://cluster1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
    }
}
As you can see, I'm setting the X-Forwarded-For and X-Forwarded-Proto headers.
In my MVC app Startup I have this in Configure:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
        ForwardLimit = null,
        RequireHeaderSymmetry = false
    });
    // remaining middleware omitted in the question
}
I have [RequireHttps] attribute on my controllers.
What am I missing?
Update .NET Core 1.0.1, 1.0.2, 1.1.0:
The new .NET Core 1.0.1, 1.0.2, 1.1.0 updates seem to have fixed the issue.
Update workaround:
Understand the root cause from this answer: https://serverfault.com/a/516382/379823
It works for us on Ubuntu 16.04 LTS / Nginx/1.10.0
Add map:
map $http_x_forwarded_proto $thescheme {
    default $scheme;
    https https;
}
and changing the proxy_set_header line to use the new scheme:
# proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $thescheme;
Previous workaround:
We got the same issue. We worked around it with an NGINX redirect HTTP => HTTPS (which results in a double redirect).
When I read docs.asp.net carefully again, it seems that redirecting HTTP => HTTPS is the only way at this time.
server {
    listen *:80;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$host$request_uri;
}
See the docs here: Securing our application / Configure SSL
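As an added illustration (not part of the answer above or nginx's own code), this Python emulation of the map and proxy_set_header lines shows why $thescheme differs from $scheme when nginx sits behind another TLS-terminating balancer, and what happens when a direct client supplies X-Forwarded-Proto itself; the addresses and header values are constructed.

```python
def the_scheme(scheme, incoming_xfp):
    """map $http_x_forwarded_proto $thescheme { default $scheme; https https; }"""
    return "https" if incoming_xfp == "https" else scheme


def proxy_add_x_forwarded_for(remote_addr, incoming_xff):
    """$proxy_add_x_forwarded_for: incoming X-Forwarded-For, then ", $remote_addr"."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def upstream_headers(remote_addr, scheme, incoming, use_map=True):
    """Headers nginx hands to the backend for the proxy_set_header lines above.

    use_map=False reproduces the original `X-Forwarded-Proto $scheme` line;
    use_map=True reproduces the fixed `X-Forwarded-Proto $thescheme` line.
    """
    xfp_in = incoming.get("X-Forwarded-Proto")
    return {
        "Host": incoming.get("Host", ""),
        "X-Real-IP": remote_addr,
        "X-Forwarded-For": proxy_add_x_forwarded_for(
            remote_addr, incoming.get("X-Forwarded-For")),
        "X-Forwarded-Proto": the_scheme(scheme, xfp_in) if use_map else scheme,
    }


# Constructed request that came through an upstream TLS-terminating balancer
# (10.0.0.2), which forwards to nginx over plain http but reports the client's https.
CHAINED = {"Host": "example.com", "X-Forwarded-For": "203.0.113.5",
           "X-Forwarded-Proto": "https"}
# Constructed plain-http request straight from a client that sets the header itself.
SPOOFED = {"Host": "example.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    chained_old = upstream_headers("10.0.0.2", "http", CHAINED, use_map=False)
    chained_new = upstream_headers("10.0.0.2", "http", CHAINED)
    print(chained_old["X-Forwarded-Proto"])  # http: the app then redirects to http://.../Login
    print(chained_new["X-Forwarded-Proto"])  # https: what the map restores
    print(chained_new["X-Forwarded-For"])    # 203.0.113.5, 10.0.0.2
    # Caveat: the map believes whatever the sender claims, so it is only safe
    # when this nginx is reachable solely from the trusted balancer.
    print(upstream_headers("198.51.100.7", "http", SPOOFED)["X-Forwarded-Proto"])  # https
```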

Is possible to use SSL in Odoo with NginX avoiding the standard ports (80 and 443)?

Following this tutorial I configured my Nginx like this:
upstream odoo8 {
    server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
    server 127.0.0.1:8072 weight=1 fail_timeout=0;
}

server {
    # server port and name (instead of 443 port)
    listen 22443;
    server_name _;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 2000m;

    # add ssl specific settings
    keepalive_timeout 60;
    ssl on;
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    error_page 497 https://$host:22443$request_uri;

    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some Odoo web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    # general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_read_timeout 3600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # set headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Let the Odoo web service know that we're using HTTPS, otherwise
    # it will generate URL using http:// and not https://
    proxy_set_header X-Forwarded-Proto https;

    # by default, do not forward anything
    proxy_redirect off;
    proxy_buffering off;

    location / {
        proxy_pass http://odoo8;
    }

    location /longpolling {
        proxy_pass http://odoo8-im;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the Odoo web interface a bit.
    location /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo8;
    }
}
And I have these ports in my Odoo configuration:
longpolling_port = 8072
xmlrpc_port = 8069
xmlrpcs_port = 22443
proxy_mode = True
When I load https://my_domain:22443/web/database/selector in the browser it loads well. But when I choose a database or perform any action, the address loses the https and the port, so it is loaded through port 80. Then I would need to add this to the NginX configuration, and port 80 would have to be open:
## http redirects to https ##
server {
    listen 80;
    server_name _;
    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host:22443$request_uri? permanent;
}
Is there a way to avoid this redirection? That way I could keep port 80 closed in order to avoid spoofing.
Update
I can open the login screen with the address https://my_domain:22443/web/login?db=database_name and I can work well inside, but if I log out in order to choose another database from the drop-down list, it loses the port and the SSL again.
Please try this construction:
## http redirects to https ##
server {
    listen 80;
    server_name _;
    if ($http_x_forwarded_proto = 'http') {
        return 301 https://my_domain.com$request_uri;
    }
}

nginx - Disable http to https redirect?

I followed this tutorial http://www.schenkels.nl/2014/12/reverse-proxy-with-odoo-8-nginx-ubuntu-14-04-lts/ on how to make a reverse proxy for odoo with nginx.
Everything went fine there. But the problem is with the certificate.
Every browser swears that my self-signed certificate is not trusted. And this is a test server, so I don't really care about security now. I tried to disable/comment out everything with certificates and ssl. But nginx still redirects to https and then, when it does not find a certificate, it just gives this error:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have
But how can I make it just ignore https and use http instead, without any encryption? Do I need to adjust something inside nginx itself?
For example, using apache, if it is not told to use a secure connection, then it just uses normal http and that is that. I hope someone else has better experience with nginx.
The configuration I adjusted looks like this (I just commented out some parts and changed the rewrite to be http instead of https):
upstream odoo8 {
    server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
    server 127.0.0.1:8072 weight=1 fail_timeout=0;
}

## http redirects to https ##
server {
    listen 80;
    server_name _;
    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ http://$host$request_uri? permanent;
}

server {
    # server port and name
    listen 443;
    server_name _;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # add ssl specific settings
    #keepalive_timeout 60;
    ssl off;
    #ssl_certificate /etc/ssl/nginx/server.crt;
    #ssl_certificate_key /etc/ssl/nginx/server.key;

    # limit ciphers
    #ssl_ciphers HIGH:!ADH:!MD5;
    #ssl_protocols SSLv3 TLSv1;
    #ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    #general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # set headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Let the OpenERP web service know that we're using HTTPS, otherwise
    # it will generate URL using http:// and not https://
    #proxy_set_header X-Forwarded-Proto https;

    # by default, do not forward anything
    proxy_redirect off;
    proxy_buffering off;

    location / {
        proxy_pass http://odoo8;
    }

    location /longpolling {
        proxy_pass http://odoo8-im;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo8;
    }
}
You just need to comment out the redirection on port 80 and listen on port 80 instead.
This can be accomplished with the following updates to the config:
upstream odoo8 {
    server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
    server 127.0.0.1:8072 weight=1 fail_timeout=0;
}

## http redirects to https ##
#server {
#    listen 80;
#    server_name _;
#    # Strict Transport Security
#    add_header Strict-Transport-Security max-age=2592000;
#    rewrite ^/.*$ http://$host$request_uri? permanent;
#}

server {
    # server port and name
    # listen 443; # comment out this line
    listen 80;
    server_name _;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # add ssl specific settings
    #keepalive_timeout 60;
    ssl off;
    #ssl_certificate /etc/ssl/nginx/server.crt;
    #ssl_certificate_key /etc/ssl/nginx/server.key;

    # limit ciphers
    #ssl_ciphers HIGH:!ADH:!MD5;
    #ssl_protocols SSLv3 TLSv1;
    #ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    #general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # set headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Let the OpenERP web service know that we're using HTTPS, otherwise
    # it will generate URL using http:// and not https://
    #proxy_set_header X-Forwarded-Proto https;

    # by default, do not forward anything
    proxy_redirect off;
    proxy_buffering off;

    location / {
        proxy_pass http://odoo8;
    }

    location /longpolling {
        proxy_pass http://odoo8-im;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;