I migrated to Nginx, but i cannot find the solution for my problem.
On apache, I had 1 virutal host with ssl and specific port.
The apache config seems like this:
<VirtualHost *:443>
ServerAdmin info#example.com
ServerName example.in
DocumentRoot /paht/to/web/files
SSLEngine on
SSLCertificateFile /ssl/certificate
SSLCertificateKeyFile /ssl/key_file
SSLCACertificateFile /ssl/ca.cer
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder on
<Directory /path/to/my/web>
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
<VirtualHost *:9092>
ServerAdmin info#example.com
ServerName example.in
DocumentRoot /paht/to/web/files
DocumentRoot /another/path/to/api
SSLEngine on
SSLCertificateFile /path/to/webcer
SSLCertificateKeyFile /path/to/webkey
SSLCACertificateFile /path/to/ca.cer
<Directory /another/path/to/api>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined
When I openend https://example.in:9092, it worked without any troubles.
But when I set this up in nginx configuration, i am still getting 'certificate is not valid' error on HTTPS. The Nginx config seems to be:
server {
listen 80;
listen 9092;
server_name example.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/web/example/com;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 9092 ssl http2;
listen [::]:9092 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
ssl_prefer_server_ciphers on;
ssl_certificate /path/to/cert
ssl_certificate_key path/to/key
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /another/path/to/files;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
Does anyone have experiences how to get this working?
Thanks.
Fixed. I created new config file:
server {
listen 9092 ssl;
# IPv6 Listening
# Uncomment to allow nginx to listen on IPv6
#listen [::]:80;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/fullchain.pem;
ssl_certificate_key /my/privkey.pem;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/files;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
The issue was probably in rewrite rule in first server section:
rewrite ^ https://$server_name$request_uri? permanent;
Removed it and everything is working.
disable all
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
#ssl_stapling on;
#ssl_stapling_verify off;
#ssl_dhparam /my/dhparam.pem;
# ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
and make sure
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
/my/letsencrypt/cert and /my/letsencrypt/key ssl files at right place and there valid
Related
I'm building an NginX reverse proxy (Ubuntu Server 22.04.1 - NginX 1.22.1) to open an internal Portal for ArcGIS to extranet.
The reverse proxy listen to 8054 and redirects to 2 internal servers using usual TLS 443 port
Everything works fine except a redirection occurring during Portal's login auth.
In Chrome's console, the info of faulty are :
Request URL: https://myserver.mydomain/portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
Request Method: GET
Status Code: 404
Remote Address: 10.0.128.36:443
Referrer Policy: strict-origin-when-cross-origin
content-encoding: gzip
content-type: text/html
date: Wed, 25 Jan 2023 09:59:31 GMT
server: nginx
vary: Accept-Encoding
:authority: myserver.mydomain
:method: GET
:path: /portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
dnt: 1
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Usual processed URL returns :
Request URL: https://myserver.mydomain:8054/portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
Request Method: GET
Status Code: 200
Remote Address: 10.0.128.36:8054
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
access-control-allow-methods: GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS
access-control-allow-origin: *
access-control-max-age: 1200
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-length: 1416
content-type: text/html;charset=utf-8
date: Wed, 25 Jan 2023 10:51:05 GMT
expires: -1
pragma: no-cache
server: nginx/1.22.1
vary: Origin,Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
:authority: myserver.mydomain:8054
:method: GET
:path: /portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
cache-control: max-age=0
dnt: 1
referer: https://myserver.mydomain:8054/portal/home/signin.html?useLandingPage=true
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
How can I catch, pass, redirect, return, or whatever, the url missing the port 8054 in order to continue auth processing ?
Here are the nginx general and server configs if it may help
Thanks for any help !
nginx.conf
<pre>
user www-data nginx;
worker_processes auto;
error_log /var/log/nginx/main_error.log;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_core 4096;
events {
worker_connections 1024;
multi_accept on;
}
http {
include /etc/nginx/phpconf/php_processes.conf;
include /etc/nginx/mimetypes/mime.types;
client_body_buffer_size 16K;
client_header_buffer_size 1k;
client_max_body_size 12m;
large_client_header_buffers 4 8k;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
access_log /var/log/nginx/main_access.log;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 75s;
send_timeout 60;
keepalive_requests 1000;
proxy_cache_path /var/nginx/cache1 levels=1:2 keys_zone=cache1:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
proxy_cache_path /var/nginx/cache2 levels=1:2 keys_zone=cache2:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
# copies data between one FD and other from within the kernel
# faster than read() + write()
sendfile on;
# Limit whole filesize sending at once
sendfile_max_chunk 512k; #(20220905)
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
tcp_nodelay on;
server_names_hash_bucket_size 64;
types_hash_max_size 2048;
default_type application/octet-stream;
gzip on;
gzip_comp_level 6;
gzip_min_length 256; #(20220605 previous 50)
gzip_proxied any;
gzip_vary on; #(20220605 previous disabled)
gzip_disable “MSIE [1–6]\.(?!.*SV1)”; #(20220605 previous disabled)
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascrip # (20200219)
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/png
image/jpeg
image/x-icon
text/cache-manifest
text/css
text/javascript # (20200219)
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
gzip_buffers 16 8k; #(2020110 previous 4k 8k)
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
##
# Virtual Host Configs
##
# include /etc/nginx/conf.d/default.conf;
include /etc/nginx/conf.d/port8054.conf;
}
</pre>
port8054.conf
<pre>
server {
## Config base : 18/01/2023
listen 8054 ssl http2;
listen [::]:8054 ssl http2;
## Set TLS 1.2 (ArcGIS compliance)
ssl_certificate /etc/nginx/tls/intra/cacert.pem;
ssl_certificate_key /etc/nginx/tls/intra/cakey-stripped.key;
ssl_trusted_certificate /etc/nginx/tls/intra/rootcacert.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384"; # previous : HIGH:!MD5:!ADH:!DH:!RC4:!RSA:!aNULL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 1400;
## Set on after debug
ssl_stapling off;
ssl_stapling_verify off;
server_name myserver.mydomain:8054;
keepalive_timeout 75s;
keepalive_requests 1000;
# access_log /var/log/nginx/port8054-access.log;
## Record errors
error_log /var/log/nginx/port8054-error.log debug;
proxy_http_version 1.1;
## Overwrite proxy response headers
proxy_hide_header access-control-allow-methods;
proxy_hide_header access-control-allow-headers;
proxy_hide_header access-control-allow-origin;
add_header access-control-allow-methods "GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS";
add_header access-control-allow-headers "Origin, X-Requested-With, Content-Type, Accept";
add_header access-control-allow-origin "*";
proxy_hide_header x-aspnet-version;
proxy_hide_header x-powered-by;
proxy_set_header "Connection" "";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
location ^~ /favicon.ico {
}
## PHP files processing
location ~ ^(.+\.php)(.*)$ {
include /etc/nginx/phpconf/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-CF-Powered-By;
## If error 404
try_files $fastcgi_script_name =404;
}
## Set cache for following contents (20201106)
location ~* \.(?:png|jpg|jpeg|gif|ico|svg|otf|ttf|woff|woff2|doc|pdf|css)$ {
include /etc/nginx/proxyparams/proxy_params;
proxy_cache cache1;
proxy_set_header Host $host;
# proxy_pass https://otherserver.mydomain/$1;
# proxy_ssl_verify off;
# add_header X-Cache-Status $upstream_cache_status;
# add_header Pragma "public";
# add_header Cache-Control "max-age=86400, public";
}
location ^~ /portal/ {
proxy_pass https://otherserver.mydomain/portal/;
}
location /10.9.1/{
proxy_pass https://otherserver.mydomain/portal/home/10.9.1/;
}
location /sharing/rest/ {
proxy_intercept_errors on;
proxy_pass https://otherserver.mydomain/portal/sharing/rest/;
}
location ^~ /oauth2/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/oauth2/;
}
location /self/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/portals/self/;
}
location ^~ /nodejs/ {
proxy_http_version 1.1;
include /etc/nginx/proxyparams/proxy_params;
proxy_pass https://thirdserver.mydomain/;
proxy_buffering on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
client_max_body_size 12m;
}
}
</pre>
does anyone know why am I getting this problem? Basically the connection closes by itself because of dynamic proxy_pass. This is my nginx config.
error from log :
2022/08/25 19:45:28 [error] 14208#0: *13 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client:
pcre_jit on;
worker_processes 8;
events {
worker_connections 8192;
accept_mutex on;
#accept_mutex_delay 10ms;
multi_accept on;
}
http {
resolver 8.8.8.8 ipv6=off;
error_log /var/log/nginx/nginx_error.log debug;
log_format custom '$remote_addr - $remote_user [$time_local] ';
include mime.types;
default_type application/octet-stream;
server {
listen 443 ssl http2;
add_header Accept-Encoding "";
proxy_set_header Accept-Encoding "";
proxy_intercept_errors on;
recursive_error_pages on;
server_tokens off;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
gzip off;
location / {
resolver 1.1.1.1 ipv6=off;
set_by_lua_block $ip {
return '1.1.1.1'
}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_hide_header X-Powered-By;
proxy_hide_header X-Nextjs-Cache;
proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
proxy_cache_revalidate on;
proxy_ssl_server_name on;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
proxy_ssl_name $host;
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "strict-origin";
add_header Access-Control-Allow-Origin *;
add_header Content-Security-Policy upgrade-insecure-requests;
proxy_pass https://$ip;
ssl_certificate /var/www/nnn/cert.pem;
ssl_certificate_key /var/www/nnn/cert.key;
}
}
I'm trying to fix a misbehaving app behind my reverse proxy - basically, it drops absolute URLs into pages.
My conf looks like
...
location /openproject/ {
proxy_set_header Host <internal host>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://<internal host>/openproject/;
sub_filter 'http:<internal url>' 'https:<external url>';
sub_filter_once on;
sub_filter_last_modified on;
}
...
things in <> are replaced to protect my hosts.. and yes the misbehaving app is OpenProject
It doesn't seem to be working and debug doesn't say anything about substitutions happening..
Is there anything that I've done wrong?
nginx -V is
nginx version: nginx/1.18.0 built with OpenSSL 1.1.1k 25 Mar 2021
(running with OpenSSL 1.1.1o 3 May 2022) TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
Found this https://marsbard.github.io/2016-07-30-replace-urls-behind-nginx-reverse-proxy/
seems I needed the config to be:
location /openproject/ {
proxy_set_header Accept-Encoding ""; # no compression allowed or next won't work
sub_filter "http://<internal host>/" "https://<external host>/";
sub_filter_once off;
proxy_set_header Host <internal host>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_pass http://<internal host>/openproject/;
}
I'm facing issue with reverse proxy configured using nginx
The curl is showing that the request is reaching the endpoint and this last send the response and it stuck on nginx.
About to connect() to 127.0.0.1 port 80 (#0)
Trying 127.0.0.1...
Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1
Accept: /
Content-Type: text/xml
SOAPAction: http://tempuri.org/AOI
Content-Length: 1707
Expect: 100-continue
< HTTP/1.1 100 Continue
^C
[root#venom conf.d]#
Below my configuration
server {
listen 80 ;
server_name 80_proxy;
access_log /var/log/nginx/access.log main;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 8k;
server_tokens off;
error_page 497 https://$host:$server_port$request_uri;
root html;
index index.html index.htm;
proxy_redirect http:// $scheme://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
proxy_cookie_path / "/; secure; SameSite=Lax; Max-Age=172800";
chunked_transfer_encoding on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_request_buffering off;
client_body_timeout 5;
proxy_connect_timeout 90;
proxy_buffering off;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; always';
add_header Content-Security-Policy "script-src 'self';";
location / {
proxy_send_timeout 2100;
proxy_read_timeout 2100;
client_max_body_size 10M;
proxy_ssl_certificate /etc/ssl/cert.crt;
proxy_ssl_certificate_key /etc/ssl/cert.key;
proxy_ssl_trusted_certificate /etc/ssl/cert_ca.crt;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_pass https://10.34.22.33:801;
}
}
Thanks in advance
There are many threads about this problem. But none has my specific issue.
Intro to our setup: we run Nginx on port 80, which sits in front of Apache on port 8889.
We haven't changed anything in Nginx or Apache, and this setup has been working for a while. Which is why we're scratching our head for what happened to suddenly cause this starting this morning. We are now getting 500 errors in our website.
From looking at the log, I suppose they're not caused by Nginx but by Apache:
[Fri Aug 01 23:08:33 2014] [error] [client 100.99.98.97] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3112): [client 100.99.98.97] r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
In the .htaccess file of this domain, we have the following code:
Options -Indexes +FollowSymLinks -MultiViews
DirectoryIndex index index.php index.htm index.html
DefaultType application/x-httpd-php
RewriteEngine On
# If someone types just the folder name
RewriteRule ^beta$ http://%{HTTP_HOST}/beta/index [L,R=301]
# If someone types the correct file, just show it
RewriteRule ^beta/(.*)$ /beta/$1 [L]
# All other URLs..
RewriteCond %{REQUEST_URI} !^(mailman|pipermail|w3c)/
RewriteRule ^(.*)$ /beta/get?u=$1 [L,QSA]
The logic is simple. For all files that are .htm etc in the root, we just show them. For any URL that starts with /beta/[xyz] we also show the file as it exists in the hard "beta" folder in the root folder.
But for all other URLs starting with our domain, we want to forward the code to /beta/get? with the parameter being that part of URI.
Example, if someone types: http://EXAMPLE.com/xyz123, we want to actually redirect internally to: http://EXAMPLE.com/beta/get?u=xyz123
(Except when the words there mailman or pipermail etc, which are used for our specific mailing lists)
Just FYI, the NGINX.CONF file is as below:
#-------------------- START ------------------#
http {
server_name_in_redirect off;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
gzip on;
gzip_static on;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5; # Not a huge compression beyond this..so save CPU cycles
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg;
connection_pool_size 256;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
client_max_body_size 200M;
client_body_buffer_size 128k;
request_pool_size 64k;
output_buffers 16 256k;
open_file_cache max=5000 inactive=20s;
open_file_cache_valid 60s;
include mime.types;
default_type application/octet-stream;
error_log logs/error.log warn;
access_log off;
server_tokens off;
autoindex off;
sendfile off;
ignore_invalid_headers on; # Malware protection
reset_timedout_connection on; # DDoS protection
# Timeouts
client_header_timeout 5;
client_body_timeout 50;
send_timeout 50;
keepalive_timeout 65; # No need for default 65, but having some keepalive speeds things up
resolver_timeout 1s;
proxy_cache_path /dev/shm/proxy_cache levels=1:2 keys_zone=proxyone:200m inactive=1h max_size=2g;
proxy_cache_key "$scheme$host$request_uri$cookie___snippa$cookie___sniplang";
proxy_cache proxyone;
proxy_cache_min_uses 5;
proxy_cache_valid any 60s;
proxy_cache_valid 200 1m;
proxy_cache_valid 404 0s;
proxy_cache_valid 410 90d;
proxy_cache_valid 500 502 503 504 1s;
proxy_cache_valid 301 60m;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
server
{
listen 127.0.0.1:80;
listen 74.86.191.114:80;
listen 100.99.98.97:80;
listen 75.126.161.225:80;
listen 75.126.161.226:80;
listen 10.17.32.66:80;
server_name EXAMPLE.com www.EXAMPLE.com;
root /home/EXAMPLE/public_html;
index index.htm index.php index index.htm;
error_page 403 = #backend;
error_page 404 = #backend;
error_page 405 = #backend;
error_page 406 = #backend;
error_page 500 = #backend;
error_page 501 = #backend;
error_page 502 = #backend;
error_page 503 = #backend;
error_page 504 = #backend;
error_page 505 = #backend;
# IMPORTANT FILES
location = /\.htaccess { deny all; access_log off; log_not_found off; }
location ~ /\.ht { deny all; access_log off; log_not_found off; }
location = /favicon.ico { log_not_found off; access_log off; expires max; }
location = /robots.txt { allow all; log_not_found off; access_log off; expires max; }
location = /sitemap.gz { allow all; log_not_found off; access_log off; expires max; }
location = /crossdomain.xml { allow all; log_not_found off; access_log off; expires max; }
location / {
location ~.*\.(gif|jpg|png|ico|swf|rss|xml|htm|txt|js|css|gz|doc|xls|pdf|html|woff|eot|svg)$ {
expires max;
try_files $uri #backend;
log_not_found off;
}
proxy_pass http://100.99.98.97:8889;
include proxy.inc;
}
location #backend {
internal;
proxy_pass http://100.99.98.97:8889;
include proxy.inc;
}
} # End of EXAMPLE.COM server block
} # End of http block
What might be causing this? The loglevel debug in apache doesn't seem to be helping much. Much appreciate any advice or pointers!
You're rules are causing a loop. The rewrite engine re-applies all the rules over and over again until the URI stops changing. Try adding some more restirctions:
Options -Indexes +FollowSymLinks -MultiViews
DirectoryIndex index index.php index.htm index.html
DefaultType application/x-httpd-php
RewriteEngine On
# If someone types just the folder name
RewriteRule ^beta/?$ http://%{HTTP_HOST}/beta/index [L,R=301]
# If someone types the correct file, just show it
RewriteRule ^beta/(.+)$ /beta/$1 [L]
# All other URLs..
RewriteCond %{REQUEST_URI} !^(mailman|pipermail|w3c|beta)/
RewriteRule ^(.*)$ /beta/get?u=$1 [L,QSA]
Namely, an optional / at the end of just /beta, a + instead of a * to ensure there is at least one character after the /, and add beta to the conditions for the last rule.