We Keep Coding

How to redirect different subdomains to applications running on different ports with nginx

I have 2 nodejs applications running in my EC2 instance at PORT 3000 and 1337. What I want to achieve is
admin.mydomain.com
should be redirected to the application running on PORT 1337 and
mydomain.com www.mydomain.com
should be redirected to the application running on PORT 3000.
With my current nginx configuration I am getting a 502
map $subdomain $subdomain_port {
default 3000;
www 3000;
admin 1337;
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ~^(?P<subdomain>.+?)\.historydiaries\.com$;
location / {
proxy_pass http://localhost:$subdomain_port;
proxy_redirect off;
}
ssl_certificate /etc/letsencrypt/live/historydiaries.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/historydiaries.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
add_header Strict-Transport-Security “max-age=15768000” always;
}

You can achieve this using two different nginx conf

I will go with separate Nginx vhost configuration.
One for www.mydomain.com and another one for admin.mydomain.com
server {
listen 80;
server_name www.mydomain.com;
access_log /var/log/nginx/mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000/;
proxy_redirect off;
}
}
and
server {
listen 80;
server_name admin.mydomain.com;
access_log /var/log/nginx/admin.mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:1337/;
proxy_redirect off;
}
}
This just simple vhost configuration. You can add Let's Encrypt later when you need.

Nginx as Reverse Proxy for Apache

Ive been reading on using Nginx as a reverse proxy for Apache and how i can get benefits from using both. I dot have much experience with nginx, so im hoping someone here with more experience can take a look at my configuration and let me know if its a good starting point/where it can be improved.
server {
listen 80 default_server;
# Here, we have told that we are to listen to any request made to port 80 & then redirect it to https.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
# This is the document root
root /var/www/html/;
# This is the file which gets loaded by default. index.html gets loaded if there is no index.php
index index.html index.htm index.php;
# This has to be the domain you want to use
server_name mysite.xyz;
ssl_certificate /etc/letsencrypt/live/mysite.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.xyz/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
# Reverse Proxy
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
proxy_pass https://127.0.0.1:444;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# This configuration prevent the logger to log not found robots.txt
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# This tells the Nginx server to rewrite any requests which do not access a valid file to rewrite on to the index.php
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# This configuration prevent the logger to log not found favicon
location = /favicon.ico {
log_not_found off;
access_log off;
}
# This says that all files with the given endings should be cached by the client
location ~* .(jpg|jpeg|png|gif|ico|svg)$ {
expires 365d;
}
# .htaccess, .htpasswd, etc, will not be served.
location ~ /\.ht {
deny all;
}
# hotlink protect your images and other file types
location ~ .(gif|png|jpg|jpeg|svg|css|js|ico)$ {
valid_referers none blocked mysite.xyz www.mysite.xyz;
if ($invalid_referer) {
return 403;
}
}
}

Use the below nginx configuration to run nginx as reverse proxy for apache
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
location /.git {
deny all;
return 404;
}
}
restart nginx server after modification

NGINX http proxy_pass over ssl

I'm trying to set up SSL on my nginx server, it works on the plain site which is just the nginx welcome default page, but when I try any of the configured proxy_pass locations I get a cloudflare 526 Invalid SSL certificate error which rapidly flicks to a 502 bad gateway. The certificate I'm using is self signed and cloudflare SSL is set to full (not strict).
This is the error I get on my logs:
2017/11/28 22:59:10 [error] 11457#11457: *2 upstream prematurely closed connection while reading response header from upstream, client: 141.101.104.32, server: web1.olympiccode.net, request: "GET /r/ HTTP/1.1", upstream: "http://127.0.0.1:2000/r/", host: "web1.olympiccode.net", referrer: "https://web1.olympiccode.net/r"
This is my config:
user www-data;
worker_processes 1;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
send_timeout 1800;
sendfile on;
keepalive_timeout 6500;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name web1.olympiccode.net;
return 200 "hi";
}
# HTTPS server
server {
listen 443 ssl;
server_name web1.olympiccode.net;
root /usr/share/nginx/html;
ssl on;
location / {
try_files $uri $uri/ =404;
}
location /r/ {
auth_basic "RethinkDB - Web Panel";
auth_basic_user_file /etc/nginx/.rethinkdb.pass;
proxy_pass http://localhost:2000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
location /status/ {
proxy_pass http://localhost:19999;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
}
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

Is possible to use SSL in Odoo with NginX avoiding the standard ports (80 and 443)?

Following this tutorial I configured my Nginx like this:
upstream odoo8 {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
server {
# server port and name (instead of 443 port)
listen 22443;
server_name _;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 2000m;
# add ssl specific settings
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
error_page 497 https://$host:22443$request_uri;
# limit ciphers
ssl_ciphers HIGH:!ADH:!MD5;
ssl_protocols SSLv3 TLSv1;
ssl_prefer_server_ciphers on;
# increase proxy buffer to handle some Odoo web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
# general proxy settings
# force timeouts if the backend dies
proxy_connect_timeout 3600s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
# Let the Odoo web service know that we’re using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
# by default, do not forward anything
proxy_redirect off;
proxy_buffering off;
location / {
proxy_pass http://odoo8;
}
location /longpolling {
proxy_pass http://odoo8-im;
}
# cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the Odoo web interface a bit.
location /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo8;
}
}
And I have this ports in my Odoo configuration
longpolling_port = 8072
xmlrpc_port = 8069
xmlrpcs_port = 22443
proxy_mode = True
When I load https://my_domain:22443/web/database/selector in the browser it loads well. But when I choose a database or I make any action, the address loses the https and the port, so it's loaded through the port 80. Then I would need to add this to the NginX configuration and the port 80 should be open
## http redirects to https ##
server {
listen 80;
server_name _;
# Strict Transport Security
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://$host:22443$request_uri? permanent;
}
Is there a way to avoid this redirection? Like that I could keep the port 80 closed in order to avoid spoofing
Update
I can open the login screen with the address https://my_domain:22443/web/login?db=dabatase_name and I can work well inside, but if I log out in order to choose another database in the droplist, it loses again the port and the ssl

Please, try to use this construction:
## http redirects to https ##
server
{
listen 80;
server_name _;
if ($http_x_forwarded_proto = 'http')
{
return 301 https://my_domain.com$request_uri;
}
}

nginx - Disable http to https redirect?

I followed this tutorial http://www.schenkels.nl/2014/12/reverse-proxy-with-odoo-8-nginx-ubuntu-14-04-lts/ how to make reverse proxy for odoo with nginx.
Everything went fine here. But the problem is with certificate.
Every browser swears that my self signed certificate is not trusted. And this is test server so I don't really care about security now. I tried to disable/comment everything with certificates and ssl. But nginx still redirects to https and then when it does not find certificate, it just gives this error:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have
But how can I make to just ignore https, and use http instead without any encryption? Do I need to adjust something inside nginx itself?
For example using apache, if not specified to use secure connection, then it just uses normal http and that is that. Hope someone else have better experience with nginx.
Configuration I adjusted looks like this (I just commented some parts and changed rewrite to be http instead of https):
upstream odoo8 {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
## http redirects to https ##
server {
listen 80;
server_name _;
# Strict Transport Security
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ http://$host$request_uri? permanent;
}
server {
# server port and name
listen 443;
server_name _;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
#keepalive_timeout 60;
ssl off;
#ssl_certificate /etc/ssl/nginx/server.crt;
#ssl_certificate_key /etc/ssl/nginx/server.key;
# limit ciphers
#ssl_ciphers HIGH:!ADH:!MD5;
#ssl_protocols SSLv3 TLSv1;
#ssl_prefer_server_ciphers on;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
#general proxy settings
# force timeouts if the backend dies
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
# Let the OpenERP web service know that we’re using HTTPS, otherwise
# it will generate URL using http:// and not https://
#proxy_set_header X-Forwarded-Proto https;
# by default, do not forward anything
proxy_redirect off;
proxy_buffering off;
location / {
proxy_pass http://odoo8;
}
location /longpolling {
proxy_pass http://odoo8-im;
}
# cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the OpenERP web interface a bit.
location /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo8;
}
}

You just need to comment out redirection on 80 port and listen on 80 port.
This can be accomplished with following updates in config
upstream odoo8 {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
## http redirects to https ##
#server {
#listen 80;
#server_name _;
# Strict Transport Security
#add_header Strict-Transport-Security max-age=2592000;
#rewrite ^/.*$ http://$host$request_uri? permanent;
#}
server {
# server port and name
# listen 443; # comment out this line
listen 80;
server_name _;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
#keepalive_timeout 60;
ssl off;
#ssl_certificate /etc/ssl/nginx/server.crt;
#ssl_certificate_key /etc/ssl/nginx/server.key;
# limit ciphers
#ssl_ciphers HIGH:!ADH:!MD5;
#ssl_protocols SSLv3 TLSv1;
#ssl_prefer_server_ciphers on;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
#general proxy settings
# force timeouts if the backend dies
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
# Let the OpenERP web service know that we’re using HTTPS, otherwise
# it will generate URL using http:// and not https://
#proxy_set_header X-Forwarded-Proto https;
# by default, do not forward anything
proxy_redirect off;
proxy_buffering off;
location / {
proxy_pass http://odoo8;
}
location /longpolling {
proxy_pass http://odoo8-im;
}
# cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the OpenERP web interface a bit.
location /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;