I am trying to proxy a simple lambda function on AWS through traefik. But AWS is returning status code 403 with message "Bad Request" when tried with the proxied link. I think this is because of the Host header being passed wrongly as seen on other reverse proxies.
I faced the same with nginx as well but this is fixed by providing the following conf settings
proxy_set_header Host <aws_hostname>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Related
Situation:
Enviroment:
1 Server: Oracle Linux
Micro-integrator 4.1.0 running
Api-Manager 4.1.0 running
Admin,Publisher, DevPortal sites can be accessed within the server and the LAN
An API I've created with oauth2 (authorization+token) can be accessed within the LAN (via Postman)
NOW...I want to expose that API to internet. My IT Team addedfollowing to the DMZ server (NGINX) conf file, where oauth2 is to invoke the auth services and dsFenicio is the API .
location /oauth2 {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://192.168.135.64:9443;
proxy_read_timeout 300;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
}
location /dsFenicio {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://192.168.135.64:8243;
proxy_read_timeout 300;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
}
The Problem:
When I sent the oauth2 autorization code request (from postman), I received a msg in the browser stating: "Suspicious authentication attempts found
Suspicious login attempts found during the authentication process. Please try signing in again"
and this is in the Logs (wso2carbon.log):
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework org.ws$wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Session nonce cookie value is not matching for session with sessionDataKey: bf74d0ec-05ef-4682- ...
This is due to a feature called Session Nonce Cookie Validation which is enabled by default.
I was able to reproduce this scenario and was able to solve this situation while keeping the session nonce cookie validation enabled. The following steps were followed.
Exposed the /commonauth, /authenticationendpoint, /logincontext endpoints through nginx in addition to the /oauth2 endpoint.
Added the following to the deployment.toml
[authentication.endpoints]
login_url="https://<loadbalancer_hostname>/authenticationendpoint/login.do"
retry_url="https://<loadbalancer_hostname>/authenticationendpoint/retry.do"
Without the above steps, you can disable this feature also for your scenario to work. This feature can be disabled by adding the following to the deployment.toml file.
[session.nonce.cookie]
enabled="false"
I am new to the nginx config.
I am trying to do a load balancing example with nginx and wcf rest service in windows platform.
Here is what I have in my conf/nginx.conf file:-
upstream servers_customserver {
server 127.0.0.1:62133;
server 127.0.0.1:64897;
server 127.0.0.1:64921;
}
server {
listen 8070;
location /test {
proxy_pass http://servers_customserver/;
}
My motive is whenever, I try to enter a website name which contains "/test" then redirect to one of the urls in the
"servers_customserver".
Nginx is fine in localhost:8070.
But whenever I did localhost:8070/test, I am getting "404 Not Found nginx/1.12.0" in the browser. I am sure that my services are up.
Do, I need to work with my services in IIS or any webservers to make this to work?
Could some one guide me in solving this error.
Thanks.
Luckily,
After adding the following steps to the location block, the load balancing stuff works for me.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host #server_name;
proxy_redirect off;
Thanks.
I currently have APIs running under http://example.com/api/v3/ and I want to move the APIs to a different server at http://exampleapi.com/v3.
I first thought about creating a location block in nginx to handle the requests such as:
location ~*/api/(v[0-9]+/[a-zA-Z0-9_]+) {
return 301 $scheme://exampleapi.com/$1;
}
However, using a REST client, the requests are being received as GET requests not POST. Same thing using a browser (Firefox).
I have tried the proxy pass but I was not able to make it work. This is what I tried:
location ~*/api/(v[0-9]+/[a-zA-Z0-9_]+) {
proxy_pass http://exampleapi.com/$1;
# proxy_redirect http://exampleapi.com/ /;
proxy_read_timeout 60s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
I am getting 502 or 500.
What is the best way to achieve moving the APIs?
After debugging locally the same issue, I found out that I cannot proxy pass to a domain, but only to IP address as there is no resolver to resolve this domain.
Hence I created a new server block for exampleapi.com to listen on a port, and proxy passed to that port, such as:
location ~*/api/(v[0-9]+/[a-zA-Z0-9_]+) {
proxy_pass http://127.0.0.1:4545/$1;
proxy_read_timeout 60s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
I am trying to create new user using gitlab API v3.
Gitlab API docs: https://github.com/gitlabhq/gitlabhq/blob/master/doc/api/users.md#user-creation
I am sending POST request to mygitlabhost/api/v3/users/ with all required data: email=losddsd#gmail.com&password=33wrwsdfsf3&username=testone&name=fuuu and it returns me 404.
Acutally I can list all users via GET request to mygitlabhost/api/v3/users/ so API seems to be running.
Request details: http://imm.io/120o6
what am I wrong?
Note that the issue 3411 "unable to add users to team" has some workaround in place for:
Apache
Add this to /etc/apache2/sites-available/default
ProxyPass http://127.0.0.1:8085/gitlab/api
ProxyPassReverse http://127.0.0.1:8085/gitlab/api
NGinX
location /api {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://gitlab-sock/gitlab/api;
proxy_redirect default;
}
To fix this problem you can modify the file: app/assets/javascripts/api.js.coffee to match your setup.
In our case the path has gitlab as prefix:
users_path: "/gitlab/api/:version/users.json"
user_path: "/gitlab/api/:version/users/:id.json"
notes_path: "/gitlab/api/:version/projects/:id/notes.json"
I am trying to use nginx to enforce basic authentication before allowing access to the H2 database web console. This console is running on https://localhost:8084
In my nginx.conf, I have:
location /h2 {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass https://localhost:8084/;
}
What I want it to do is proxy requests for /h2 to H2's webserver. This configuration works for the first request, however the H2 server immediately sends a HTTP redirect for "/login.jsp" which is getting sent to my browser as "/login.jsp" and not "/h2/login.jsp". This means that when my browser requests the page, the request fails because only urls at location "/h2" get passed to the H2 webserver.
How can I append "/h2" to any redirects returned by the H2 webserver? I tried the following:
proxy_redirect https://localhost:8084/ https://$host/h2;
but it didnt do anything.
This seems to be a nginx config problem. Try location /h2/ (with trailing slash) instead of location /h2 in the nginx.conf. And then connect to http://localhost/h2/. You don't need any reverse-proxy config, as the H2 Console tool doesn't use absolute URLs (it redirects goes to "login.jsp" and not to "/login.jsp"). The problem is that http://localhost:/h2 is a 'file name', whereas http://localhost:/h2/ is a 'directory'.