How to set nginx reverse proxy Apache-2.4(php5_module) with mod_remoteip - apache

internet -> nginx -> apache-2.4
Remote_Addr prints 127.1.1.0 instead of the client IP. I have Apache behind nginx with the following settings:
nginx.conf:
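# Serve the file from disk when it exists; otherwise hand the request to
# the named location that proxies to Apache. Named locations are written
# with a leading "@".
location / {
    try_files $uri @apache;
}

# Named location: reachable only through try_files / internal redirects,
# never directly by a client-supplied URI.
location @apache {
    internal;
    proxy_pass http://127.0.0.1:8080;
    # proxy.conf sets the forwarding headers (X-Real-IP, X-Forwarded-For)
    # that mod_remoteip on the Apache side reads.
    include proxy.conf;
}

# PHP requests always go to Apache.
# NOTE(review): the trailing "?" makes the extension group optional, so this
# regex also matches any URI that simply ends in "." -- confirm that is intended.
location ~ .*\.(php|php5)?$ {
    proxy_pass http://127.0.0.1:8080;
    include proxy.conf;
}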
proxy.conf:
# Shared proxy settings, pulled in with "include proxy.conf" by every
# location that forwards to Apache.
proxy_connect_timeout 300s;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
# Do not rewrite Location/Refresh headers returned by the backend.
proxy_redirect off;
# Strip the backend's Vary header from the response sent to the client.
proxy_hide_header Vary;
# An empty value means the header is not passed to the backend at all.
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Cookie $http_cookie;
proxy_set_header Host $host;
# Address of the peer that connected to nginx; overwrites any X-Real-IP
# the client may have sent.
proxy_set_header X-Real-IP $remote_addr;
# The client's own X-Forwarded-For (if any) with $remote_addr appended.
# Only the last entry is written by this nginx; everything before it is
# client-supplied and must not be trusted by the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
httpd.conf:
# Bind Apache to loopback only: only processes on this host (here, nginx)
# can connect to it.
Listen 127.0.0.1:8080
# mod_remoteip settings are kept in a separate file.
Include conf/extra/httpd-remoteip.conf
httpd-remoteip.conf:
# mod_remoteip replaces the connection's peer address (127.0.0.1, i.e. nginx)
# with the client address taken from a request header.
LoadModule remoteip_module modules/mod_remoteip.so
# Header to read the client address from; nginx sets it in proxy.conf.
RemoteIPHeader X-Forwarded-For
# Only requests arriving from this address have the header honoured. Keep
# this list limited to proxies you operate: any listed peer can assert an
# arbitrary client IP.
RemoteIPInternalProxy 127.0.0.1

# Insert %a (the request's client IP, i.e. the address mod_remoteip
# substitutes) after %h on every line containing: LogFormat "%h %l
# -i rewrites httpd.conf in place without keeping a backup copy.
sed -i "s#LogFormat \"%h %l#LogFormat \"%h %a %l#" /usr/local/apache/conf/httpd.conf

Related

Failed to make connection backend

I am running Apache/2.4.51, on Redhat Linux 9. I have disabled Selinux and set it to minimum. I have opened the firewall to the necessary ports. Lastly, I have changed the Vhost from IP based, to ''. When I change it to '' it will skip the Vhost and move to the next one for the ssl cert (if that makes sense)
I am moving servers, and this was working on Centos 8. I copied/pasted the httpd.conf and nginx.conf files.
I am getting the following : 503 Error
failed to make connection to backend: 38.17.51.135,
referer: https://www.fluttercode.com/service-worker.js
My Apache config files:
httpd.conf
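# Port 80 vhost: exists only to redirect plain-HTTP requests to HTTPS.
<VirtualHost 38.17.51.135:80>
    ServerAdmin webmaster@fluttercode.com
    ServerName www.fluttercode.com
    ServerAlias fluttercode.com
    RewriteEngine on
    # The redirect is issued only when SERVER_NAME equals one of the two
    # site names, so the target host is always one of those names.
    RewriteCond %{SERVER_NAME} =fluttercode.com [OR]
    RewriteCond %{SERVER_NAME} =www.fluttercode.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>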
httpd-le-ssl.conf:
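# HTTPS vhost: terminates TLS for the site and reverse-proxies every
# request to the listener on port 4200.
<IfModule mod_ssl.c>
<VirtualHost 38.17.51.135:443>
    ServerAdmin webmaster@fluttercode.com
    ServerName www.fluttercode.com
    ServerAlias fluttercode.com
    ErrorLog /home/fluttercode/web_logs/error_log
    CustomLog /home/fluttercode/web_logs/hit_log combined

    # Canonicalise the bare domain to www before proxying.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =fluttercode.com
    RewriteRule ^ https://www.fluttercode.com%{REQUEST_URI} [END,NE,R=permanent]

    # Enables TLS on the outgoing (proxy -> backend) connection.
    SSLProxyEngine on
    # Off = reverse proxy only; this server does not act as a forward proxy.
    ProxyRequests Off
    # Send the client's Host header to the backend instead of the host
    # named in the ProxyPass target.
    ProxyPreserveHost On
    # NOTE(review): the backend is addressed by IP, while the certificate it
    # presents is presumably issued for fluttercode.com -- confirm how
    # SSLProxyVerify / SSLProxyCheckPeerName are set for this hop, and that
    # port 4200 is reachable from this host.
    ProxyPass / https://38.17.51.135:4200/
    ProxyPassReverse / https://38.17.51.135:4200/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/fluttercode.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fluttercode.com/privkey.pem
</VirtualHost>
</IfModule>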
My nginx.conf (discourse.conf)
server {
access_log /var/log/nginx/access.log log_discourse;
listen 4200 default ssl;
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_comp_level 5;
gzip_types application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml application/wasm;
gzip_proxied any;
# Uncomment and configure this section for HTTPS support
# NOTE: Put your ssl cert in your main nginx config directory (/etc/nginx)
#
# rewrite ^/(.*) https://www.fluttercode.com/$1 permanent;
#
# listen 443 ssl;
# Certificate chain and private key presented on the port 4200 listener.
ssl_certificate /etc/letsencrypt/live/fluttercode.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fluttercode.com/privkey.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless a legacy
# client requires them, restrict this to TLSv1.2 and TLSv1.3.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Cipher selection by OpenSSL keyword: high-strength suites, excluding
# anonymous (unauthenticated) key exchange and MD5-based suites.
ssl_ciphers HIGH:!aNULL:!MD5;
#
server_name www.fluttercode.com;
server_tokens off;
sendfile on;
keepalive_timeout 65;
# maximum file upload size (keep up to date when changing the corresponding site setting)
client_max_body_size 10m;
# path to discourse's public directory
set $public /var/www/discourse/public;
# without weak etags we get zero benefit from etags on dynamically compressed content
# further more etags are based on the file in nginx not sha of data
# use dates, it solves the problem fine even cross server
etag off;
# prevent direct download of backups
location ^~ /backups/ {
internal;
}
# bypass rails stack with a cheap 204 for favicon.ico requests
location /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
location / {
root $public;
add_header ETag "";
# auth_basic on;
# auth_basic_user_file /etc/nginx/htpasswd;
location ~ ^/uploads/short-url/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse;
break;
}
location ~ ^/secure-media-uploads/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse;
break;
}
location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$ {
expires 1y;
add_header Cache-Control public,immutable;
add_header Access-Control-Allow-Origin *;
}
location = /srv/status {
access_log off;
log_not_found off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_pass http://discourse;
break;
}
# some minimal caching here so we don't keep asking
# longer term we should increase probably to 1y
location ~ ^/javascripts/ {
expires 1d;
add_header Cache-Control public,immutable;
add_header Access-Control-Allow-Origin *;
}
location ~ ^/assets/(?<asset_path>.+)$ {
expires 1y;
# asset pipeline enables this
# brotli_static on;
gzip_static on;
add_header Cache-Control public,immutable;
# HOOK in asset location (used for extensibility)
# TODO I don't think this break is needed, it just breaks out of rewrite
break;
}
location ~ ^/plugins/ {
expires 1y;
add_header Cache-Control public,immutable;
add_header Access-Control-Allow-Origin *;
}
# cache emojis
location ~ /images/emoji/ {
expires 1y;
add_header Cache-Control public,immutable;
add_header Access-Control-Allow-Origin *;
}
location ~ ^/uploads/ {
# NOTE: it is really annoying that we can't just define headers
# at the top level and inherit.
#
# proxy_set_header DOES NOT inherit, by design, we must repeat it,
# otherwise headers are not set correctly
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/;
expires 1y;
add_header Cache-Control public,immutable;
## optional upload anti-hotlinking rules
#valid_referers none blocked mysite.com *.mysite.com;
#if ($invalid_referer) { return 403; }
# custom CSS
location ~ /stylesheet-cache/ {
add_header Access-Control-Allow-Origin *;
try_files $uri =404;
}
# this allows us to bypass rails
location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$ {
add_header Access-Control-Allow-Origin *;
try_files $uri =404;
}
# SVG needs an extra header attached
location ~* \.(svg)$ {
}
# thumbnails & optimized images
location ~ /_?optimized/ {
add_header Access-Control-Allow-Origin *;
try_files $uri =404;
}
proxy_pass http://discourse;
break;
}
location ~ ^/admin/backups/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
proxy_set_header X-Accel-Mapping $public/=/downloads/;
proxy_pass http://discourse;
break;
}
# This big block is needed so we can selectively enable
# acceleration for backups, avatars, sprites and so on.
# see note about repetition above
# Responses for the paths matched here are stored in the shared proxy cache.
location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker) {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
# if Set-Cookie is in the response nothing gets cached
# this is double bad cause we are not passing last modified in
# Ignoring the header lets nginx cache the response anyway ...
proxy_ignore_headers "Set-Cookie";
# ... and hiding it strips the cookie from what clients receive, so a
# cached response cannot hand one user's cookie to another.
proxy_hide_header "Set-Cookie";
# Backend-internal headers that are not passed on to clients.
proxy_hide_header "X-Discourse-Username";
proxy_hide_header "X-Runtime";
# note x-accel-redirect can not be used with proxy_cache
proxy_cache one;
# The key has no per-user component: every path listed in the regex above
# must return the same content for all users, or one user's response
# would be served to others.
proxy_cache_key "$scheme,$host,$request_uri";
proxy_cache_valid 200 301 302 7d;
# $bypass_cache is set outside this excerpt.
proxy_cache_bypass $bypass_cache;
proxy_pass http://discourse;
break;
}
# we need buffering off for message bus
location /message-bus/ {
proxy_set_header X-Request-Start "t=${msec}";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $thescheme;
proxy_http_version 1.1;
proxy_buffering off;
proxy_pass http://discourse;
break;
}
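# this means every file in public is tried first; anything not found on
# disk falls through to the named location that proxies to Discourse
try_files $uri @discourse;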
}
location /downloads/ {
internal;
alias $public/;
}
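# Named location used as the try_files fallback: forwards the request to
# the "discourse" upstream (defined outside this excerpt). Named locations
# are written with a leading "@".
location @discourse {
    # Client's Host header passed through unchanged.
    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start "t=${msec}";
    # Address of the peer that connected to this nginx (here, presumably
    # the Apache proxy in front of it -- confirm).
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # $thescheme is not defined in this excerpt; presumably a map set elsewhere.
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass http://discourse;
}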
Any help on config settings or linux settings to fix this problem would be greatly appreciated.

Nginx proxy for vue and fastapi

I am trying to deploy my app with vue.js as frontend and fastapi as backend. But I am having issue when deploy the app on the cloud. I have nginx configure like below.
I am binding the backend to port 8080 and the frontend to 8000. But with this configuration I can only see my frontend page; the backend API does not respond. Can anyone show me how to fix it?
# Single server block: /api/ is proxied to one local service, everything
# else to another.
server {
listen 80;
server_name example.com;
charset utf-8;
root vis/dist;
index index.html index.htm;
# NOTE(review): the question text says the backend listens on 8080 and the
# frontend on 8000, but /api/ is sent to 8000 and everything else to 8080 --
# confirm which port each service really binds to.
# This location sets no proxy_set_header lines, so the backend receives
# nginx's default Host ($proxy_host, here 127.0.0.1:8000) and no
# X-Real-IP / X-Forwarded-* information about the client.
location /api/ {
proxy_pass http://127.0.0.1:8000;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
# $remote_addr rather than $proxy_add_x_forwarded_for: any X-Forwarded-For
# sent by the client is replaced with the address nginx actually saw.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_read_timeout 90s;
proxy_send_timeout 90s;
}
error_log /var/log/nginx/vue-app-error.log;
access_log /var/log/nginx/vue-app-access.log;
}

how to prevent Nginx to redirect location to a configured proxy_pass url and port number

Hi guys i am having a problem with nginx, i have configure phpmyadmin to run with nginx phpmyadmin is configured to run on port 8080. I access phpmyadmin via localhost/phpmyadmin and it give me the proper login screen below.
phpmyadmin login screen
after login the url on the address bar changes to the configure port from localhost/phpmyadmin to localhost:8080/phpmyadmin and it throws
error message
here is my nginx configuration:
# TLS front end that proxies /phpmyadmin to the web server on 127.0.0.1:8080.
server{
listen 443 ssl;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/certificate/live/localhost/permission.pem;
ssl_certificate_key /etc/certificate/live/localhost/privkey.pem;
include /etc/certificate/live/localhost/ssl-nginx.conf;
access_log /var/log/nginx/apache2-access.log;
error_log /var/log/nginx/apache2-error.log;
# Prefix match: applies to every URI that starts with /phpmyadmin.
# NOTE(review): no allow/deny or auth_basic restriction is visible in this
# block, so the phpMyAdmin login is offered to anyone who can reach port 443
# -- confirm access is limited elsewhere (firewall or the included file).
location /phpmyadmin{
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Passes the client's Host header through unchanged.
proxy_set_header Host $http_host;
proxy_set_header X-Ssl on;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/phpmyadmin;
# "off" disables rewriting of Location/Refresh headers, so a redirect the
# backend builds with its own address and port reaches the browser as-is.
proxy_redirect off;
}
}
Thanks in advance.
You should not be using "proxy_redirect off;". You want nginx to rewrite the redirects instead:
# Same proxy location, but with redirect and cookie rewriting enabled.
location /phpmyadmin{
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Host $http_host;
proxy_set_header X-Ssl on;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/phpmyadmin;
# Rewrite Location/Refresh headers that point at the backend's own address
# so the browser is sent back through this proxy rather than to port 8080.
proxy_redirect http://127.0.0.1:8080/ $scheme://$host/;
proxy_redirect http://localhost:8080/ $scheme://$host/;
# Rewrite the domain attribute of Set-Cookie headers from the backend's
# name to the host name of the request.
proxy_cookie_domain 127.0.0.1 $host;
proxy_cookie_domain localhost $host;
}
You also need to set the cookie domain (the proxy_cookie_domain lines above) so that login works.

Nginx is not working with multiple domain when we trying to proxy pass each domain to ELB it only pass the content of 1 domain for both sites

#### Nginx is not working with multiple domain when we trying to proxy pass each domain to internal load balancer ################################################################
# Main nginx configuration: two name-based virtual servers on port 80, each
# proxied to its own internal load balancer.
worker_processes auto;
events{
worker_connections 1024;
}
http{
include mime.types;
default_type application/octet-stream;
# NOTE(review): the first logged field is $proxy_add_x_forwarded_for, i.e.
# the client-supplied X-Forwarded-For header with $remote_addr appended.
# Everything before the last entry is whatever the client sent, so treat
# only the final address as verified when reading these logs.
log_format main '$proxy_add_x_forwarded_for - $remote_user [$time_local] - [$request_time] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent"';
access_log /var/log/nginx/nginx.access.log main;
error_log /var/log/nginx/nginx.error.log error;
sendfile on;
tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
gzip on;
# Files included here are read before the server blocks below.
include /usr/local/nginx/conf.d/*.conf;
# Neither server block is marked default_server, so a request whose Host
# matches no server_name is handled by the first server defined for port 80
# (which may come from the conf.d include above).
server{
listen 80;
server_name xxxx.com;
access_log /var/log/nginx/xxxxxx.com.access.log main;
error_log /var/log/nginx/xxxxx.com.error.log error;
index index.php index.html;
location / {
# NOTE(review): a literal host name in proxy_pass is resolved when the
# configuration is loaded -- confirm the two load-balancer names resolve to
# different targets from this host.
proxy_pass http://internal-ELB.ap-southeast-1.elb.amazonaws.com:80;
# The request's host name is forwarded, so the target behind the load
# balancer must itself route on the Host header.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server{
listen 80;
server_name yyyyy.com;
access_log /var/log/nginx/yyyy.com.access.log main;
error_log /var/log/nginx/yyyy.com.error.log error;
index index.php index.html;
location / {
proxy_pass http://internal-BT-internal.ap-southeast-1.elb.amazonaws.com:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}

Apache and ultimate config for nginx to serve all virtual hosts in the right way

I've just set up nginx to serve static requests on one site, but I have lots of sites on my server and I wonder: should I write a new nginx server configuration for all of them?
What I'm doing now. I have file with all virtual hosts entries for Apache with some-thing like this:
NameVirtualHost *:8080
<VirtualHost *:8080>
ServerName sky2high.net
DocumentRoot /home/mainsiter/data/www/sky2high.net
</VirtualHost>
<VirtualHost *:8080>
ServerName surdo.asmon.ru
DocumentRoot /home/surdo/data/www/surdo.asmon.ru
</VirtualHost>
<VirtualHost *:8080>
ServerName surdoserver.ru
DocumentRoot /home/surdo/data/www/surdoserver.ru
</VirtualHost>
I have this in apache's ports.conf:
# NOTE(review): without an address this listens on every interface, so
# Apache on 8080 can be reached directly, bypassing nginx, unless a firewall
# blocks it; a direct client could then set X-Real-IP / X-Forwarded-For
# itself. Binding to 127.0.0.1:8080 avoids that when nginx runs on the same
# host (it proxies to 127.0.0.1:8080).
Listen 8080
And so I've set up nginx to work with one site (sky2high.net), created next configure file (/etc/nginx/sites-enabled/sky2high.net):
# nginx front end for sky2high.net: static files from disk, everything else
# proxied to Apache.
server {
listen 80;
server_name sky2high.net www.sky2high.net;
# NOTE(review): this targets port 8000 while Apache is configured with
# "Listen 8080" and location / below uses 8080; nginx also documents
# proxy_pass for location context only -- confirm this line is intended.
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
access_log /var/log/nginx.access_log;
# Static files are read straight from the Apache document root. Requests
# matched here never reach Apache, so access rules kept in .htaccess files
# are not applied to them.
# NOTE(review): the list includes archive and document types (zip, tgz, gz,
# rar, tar, txt, xml, ...) -- confirm nothing private of those types lives
# under this root.
location ~* \.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
root /home/mainsiter/data/www/sky2high.net/;
index index.php;
access_log off;
expires 30d;
}
# Refuse any URI containing "/.ht" (e.g. .htaccess, .htpasswd).
location ~ /\.ht {
deny all;
}
location / {
proxy_pass http://127.0.0.1:8080/;
# Both headers carry the address nginx saw; any X-Forwarded-For sent by
# the client is replaced, not appended to.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
# Apache selects the virtual host from this header.
proxy_set_header Host $host;
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_redirect off;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
And it works fine for this domain, but of course another virtual hosts are broken.
So, the question is: is there an ultimate config option for nginx which can handle all requests from all virtual hosts (domains) and serve them in the right way? I mean an option that lets me avoid writing separate config files for each virtual host (with all this duplicated stuff like the root and index options), and have only one for all virtual hosts.
PS: should I move question to serverfault?
UPDATE:
Emm.. I wonder how is it works, but it is. I've made next config files:
/etc/nginx/nginx.conf
user www-data;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
and
/etc/nginx/sites-enabled/default
# Catch-all server: it has no server_name, and (presumably) no other server
# listens on port 80, so it answers for every Host header.
server {
listen 80;
# The only location: every request, static files included, is proxied to
# Apache.
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
# The request's host name is forwarded unchanged; Apache picks the
# virtual host from it.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For with $remote_addr appended; only the
# last entry is written by nginx.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
I do not understand how is it works, but it is...
UPDATE 2: or it doesn't work! I looked at "top" in the console and noticed that Apache serves not only PHP requests but static content as well =(
What you do now is sending all the network traffic to 127.0.0.1:8080 without allowing Nginx to serve the static files.
What you should try is the following:
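# Front end for sky2high.net: nginx serves static files itself and proxies
# everything else to Apache on 127.0.0.1:8080.
server {
    listen 80;
    server_name sky2high.net www.sky2high.net;

    # Anything not matched by a regex location below goes to Apache.
    location / {
        proxy_pass http://127.0.0.1:8080;
        include /etc/nginx/conf.d/proxy.conf;
    }

    # Static files served directly by nginx. The pattern is anchored with
    # "$" so that only URIs ending in one of these extensions match; without
    # the anchor a URI such as /notes.txt.php would be treated as static and
    # returned as a raw file instead of being passed to Apache.
    # Files served from here bypass Apache, so .htaccess rules do not apply.
    location ~* ^.+\.(jpg|jpeg|gif|png|ico|tgz|gz|pdf|rar|bz2|exe|ppt|txt|tar|mid|midi|wav|bmp|rtf)$ {
        root /folder/to/static/files;
        expires 90d;
    }

    # Stylesheets and scripts, with a shorter expiry.
    location ~* ^.+\.(css|js)$ {
        root /folder/to/static/files;
        expires 30d;
    }
}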
And in proxy.conf you put the following:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 8m;
client_body_buffer_size 256k;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 512k;
proxy_temp_file_write_size 256k;
This should work for you
Just my two cents, in most cases it's not necessary to specify the listen 80.
Source: Nginx common Pitfalls