Trouble getting SSL to work with django + nginx + wsgi - ssl

I've followed a couple of examples for Django + nginx + wsgi + ssl, but I can't get them to work. I simply get an error in my browser that I can't connect.
I'm running two websites off the host. The config files are identical except for the ip addresses, server names, and directories.
When neither uses SSL, they work fine. When I try to listen on 443 with one of them, I can't connect to either.
My config files are below, and any suggestions would be appreciated.
server{
listen xxx.xxx.xxx.xxx:80;
server_name sub.domain.com;
access_log /home/django/logs/nginx_customerdb_http_access.log;
error_log /home/django/logs/nginx_customerdb_http_error.log;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
}
location /site_media/ {
alias /home/django/customerdb_site_media/;
}
location /admin-media/ {
alias /home/django/django_admin_media/;
}
}
server{
listen xxx.xxx.xxx.xxx:443;
server_name sub.domain.com;
access_log /home/django/logs/nginx_customerdb_http_access.log;
error_log /home/django/logs/nginx_customerdb_http_error.log;
ssl on;
ssl_certificate sub.domain.com.crt;
ssl_certificate_key sub.domain.com.key;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol https;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
}
location /site_media/ {
alias /home/django/customerdb_site_media/;
}
location /admin-media/ {
alias /home/django/django_admin_media/;
}
}
<VirtualHost *:8080>
ServerName xxx.xxx.xxx.xxx
ServerAlias xxx.xxx.xxx.xxx
LogLevel warn
ErrorLog /home/django/logs/apache_customerdb_error.log
CustomLog /home/django/logs/apache_customerdb_access.log combined
WSGIScriptAlias / /home/django/customerdb/apache/django.wsgi
WSGIDaemonProcess customerdb_wsgi processes=4 threads=5
WSGIProcessGroup customerdb_wsgi
SetEnvIf X-Forwarded-Protocol "^https$" HTTPS=on
</VirtualHost>
UPDATE: the existence of two sites (on separate IPs) on the host is the issue. If I delete the other site, the settings above mostly work. Doing so also brings up another issue: Chrome doesn't accept the site as secure, saying that some content is not encrypted.

[This should actually be a comment ...]
You should also set
proxy_set_header X-Forwarded-Protocol $scheme
to indicate to Django when connections are secure; otherwise your https links will get redirected to http, which is bad.
This will set http when it actually is http, and https when it's https.
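The check this answer describes, written as a small WSGI middleware (an added example, not code from the posts or from Django/mod_wsgi): it believes X-Forwarded-Protocol only when the request comes from the trusted proxy address and falls back to the socket's own scheme otherwise. TRUSTED_PROXIES, the middleware class and the echo app are names constructed for this example.

```python
"""WSGI middleware deciding whether a request really arrived over HTTPS.

Added example for the nginx -> Apache/mod_wsgi -> Django chain discussed
above; not code from the original posts.  Assumes nginx sets
X-Forwarded-Protocol to $scheme (as the answer recommends) and that only
the proxy at a known address should be believed about that header.
"""

# Reverse proxies whose forwarded headers are trusted (constructed for this
# example; in the posts nginx proxies to Apache over 127.0.0.1).
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})

def forwarded_scheme(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return "https" or "http" for the request described by environ.

    The header is honoured only when the TCP peer is a trusted proxy.  A
    request that reaches the backend port directly (Apache left listening
    on *:8080) carries whatever headers its sender chose, so for such a
    peer the scheme comes from the socket itself (plain http here).
    """
    peer = environ.get("REMOTE_ADDR", "")
    header = environ.get("HTTP_X_FORWARDED_PROTOCOL", "").strip().lower()
    if peer in trusted_proxies and header in ("http", "https"):
        return header
    return environ.get("wsgi.url_scheme", "http")

class TrustedProxySchemeMiddleware:
    """Sets wsgi.url_scheme and HTTPS so the application (Django's
    request.is_secure(), redirects, secure cookies) sees the scheme the
    browser used rather than the plain-http proxy hop."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted_proxies

    def __call__(self, environ, start_response):
        scheme = forwarded_scheme(environ, self.trusted)
        environ["wsgi.url_scheme"] = scheme
        if scheme == "https":
            environ["HTTPS"] = "on"   # what the SetEnvIf line in the Apache vhost does
        else:
            environ.pop("HTTPS", None)
        return self.app(environ, start_response)

def echo_scheme_app(environ, start_response):
    """Stand-in for Django: answers with the scheme it was told about."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode()]

def scheme_seen_by_app(remote_addr, forwarded_proto=None):
    """Push one constructed request through the middleware; return the scheme the app saw."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",   # the nginx -> Apache hop itself is plain http
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTOCOL"] = forwarded_proto
    app = TrustedProxySchemeMiddleware(echo_scheme_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()
```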

I changed the server that listens on 80 to rewrite to https and removed all the other directives.

Related

Set Docker Repository Ports

Been working on setting up JFrog Container Repository and have been running into an issue with setting up the Docker Repository Ports.
I have gone through and set up Nginx as a reverse proxy and have generated a working sites-available conf file:
## add ssl entries when https has been set in config
ssl_certificate /etc/nginx/ssl/secret.crt;
ssl_certificate_key /etc/nginx/ssl/secret.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 80 ;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/artifactory.jfrog.com-access.log timing;
## error_log /var/log/nginx/artifactory.jfrog.com-error.log;
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am able to view the page, log in, create repositories, etc.
But when I go to the Advanced tab of a docker repository to try and set the HTTP settings, I am still greeted by the "To use this feature first configure reverse proxy." even though I am viewing the page through the reverse proxy at the time.
I don't know if I am missing something super simple or if I am just running into a bug of sorts. I looked through the JFrog jira and couldn't seem to find anything that matched this description.
Any help would be greatly appreciated.
Thank you!
Edit:
Should probably leave some system info as well...
OS: Centos 7
Nginx: 1.16.1
JCR: 6.17.0-61700900
This is a bug. I have filed RTFACT-21197 for you. That said, it is simply a generator and you can simply edit your existing configuration. For ports, all you need to do is copy/paste and add a docker line with the repository name. For example, let's say you have a repository called docker-local and you want that to be accessible at port 5000, your final configuration would look like this:
## add ssl entries when https has been set in config
ssl_certificate /etc/nginx/ssl/secret.crt;
ssl_certificate_key /etc/nginx/ssl/secret.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 80 ;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/artifactory.jfrog.com-access.log timing;
## error_log /var/log/nginx/artifactory.jfrog.com-error.log;
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 5000 ssl;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-local/$1/$2;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Nginx 2 webservers behind 1 IP

I have 2 web servers plus the nginx server as a reverse proxy. Call them web1, web2 and nginx1.
web1 10.0.0.110 with abc.com, def.com
web2 10.0.0.120 with hij.com, klm.com
nginx1 10.0.0.125
I'm trying to have 2 webservers behind 1 external IP.
I have nothing in /etc/nginx/conf.d/
I have created conf files for each site in sites-available and linked them with symlinks to sites-enabled.
Example file:
server {
listen 80;
server_name *.abc.com;
access_log off;
error_log off;
location / {
proxy_pass http://10.0.0.110/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
The problem is it's not working correctly; it seems to want to direct all the sites to either server, and it seems to depend on the last conf file I edited.
What am I doing wrong?
You'll need to provide a server directive per backend webserver. Here's an example of what should work for you (replacing the ellipsis with your additions):
server {
server_name abc.com def.com;
...
location / {
proxy_pass http://10.0.0.110/;
...
}
}
server {
server_name hij.com klm.com;
...
location / {
proxy_pass http://10.0.0.120/;
...
}
}
I believe I have it sorted. I needed to have the IP set:
listen 10.0.0.125:80;
And set the domain name correctly: *.abc.com doesn't include abc.com, it only includes all the subdomains.
So I changed it to
server_name .abc.com;
Just making one of these changes didn't solve my problem.

Nginx reverse proxy configuration for multiple domains

I have multiple accounts/domains on my server. I'm using cPanel with Apache 2.4 and wanted to use Nginx as a front reverse proxy. I changed Apache port, installed Nginx and it works fine but for one domain/account only. I want to use it for all my domains on the server, and any future accounts. I tried to enter $domain variable instead of a specific domain but realized later that nginx doesn't support variables. Same thing with the user directory. Here is my config file:
user nobody;
worker_processes 4;
error_log logs/error.log crit;
worker_rlimit_nofile 8192;
events {
worker_connections 1024; # you might need to increase this setting for busy servers
use epoll; # Linux kernels 2.6.x change to epoll
}
http {
server_names_hash_max_size 2048;
server_names_hash_bucket_size 512;
server_tokens off;
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 10;
# Gzip on
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css;
# Other configurations
ignore_invalid_headers on;
client_max_body_size 8m;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
# Cache most accessed static files
open_file_cache max=10000 inactive=10m;
open_file_cache_valid 2m;
open_file_cache_min_uses 1;
open_file_cache_errors on;
# virtual hosts includes
include "/etc/nginx/conf.d/*.conf";
server {
# this is your access logs location
access_log /usr/local/apache/domlogs/accountusername/example.com;
error_log logs/vhost-error_log warn;
listen 80;
# change to your domain
server_name example.com www.example.com;
location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
# this is your public_html directory
root /home/accountusername/public_html;
}
location / {
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_connect_timeout 30s;
# change to your domain name
proxy_redirect http://www.example.com:8080 http://www.example.com;
proxy_redirect http://example.com:8080 http://example.com;
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
What I'm trying to do is to place a config that works for all domains on the server and any future domains that will be added. I see some forums and blogs explain how to set up virtual hosts (server blocks), but I'm not sure what they're used for. I'd appreciate it if anyone could provide any info about this. Should I set up virtual hosts? What needs to be changed in my configuration file? Thank you.
Your config is almost correct:
server {
listen frontip:80 default_server;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect http://$host:8080/ http://$host/;
}
}
But the best way is to not use port 8080 at all. All you need is to tell nginx to bind only the external IP. Add the IP and the bind keyword to all your listen directives in each server.
server {
listen frontip:80 default_server bind;
location / {
proxy_pass http://127.0.0.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
If you have missed nothing, nginx will not bind 127.0.0.1:80, so Apache can bind it.
In this case you do not need any proxy_redirect directives, because you don't need any redirect rewrites.
For the root folder you can use variables, but it is much better to use map:
http {
...
map $host $root {
hostnames;
default /var/www;
.domain1.com /home/user1/domain1.com;
custom.domain1.com /home/user1/custom;
domain2.com /home/user2/domain2.com;
www.domain2.com /home/user2/domain2.com;
}
server {
listen frontip:80 default_server;
root $root;
location / {
proxy_pass http://127.0.0.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
}
}
}
More about map http://nginx.org/en/docs/http/ngx_http_map_module.html
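The name-matching rules behind both the "*.abc.com doesn't include abc.com" thread above and this map answer, modelled in Python as an added example (not code from the posts and not nginx's own implementation): exact name first, then the longest mask starting with "*", then the longest mask ending with "*", then the default server or the map's default. BROKEN, FIXED and the payload shapes are constructed for the example.

```python
"""Model of how nginx picks a server block, or a map entry under "hostnames;",
for a request's Host header.

Added example for the "*.abc.com doesn't include abc.com" thread and the
map $host $root answer above; it is not code from the posts and not nginx's
implementation, only its documented precedence: exact name, then the longest
mask starting with "*", then the longest mask ending with "*", then the
default server (or the map's default).  Regex names are not modelled.
"""

def expand(name):
    """nginx's ".example.com" is shorthand for example.com plus *.example.com."""
    return [name[1:], "*" + name] if name.startswith(".") else [name]

def normalize_host(host_header):
    """Host as nginx compares it: lower-cased, without port or trailing dot."""
    return host_header.split(":", 1)[0].lower().rstrip(".")

def best_match(entries, host_header):
    """entries: list of (raw_name, payload).  Returns the payload of the name
    nginx would pick, or None when no name matches at all."""
    host = normalize_host(host_header)
    leading, trailing = [], []          # masks "*.suffix" and "prefix.*"
    for raw, payload in entries:
        for name in expand(raw):
            if name.startswith("*."):
                leading.append((name, payload))
            elif name.endswith(".*"):
                trailing.append((name, payload))
            elif name == host:
                return payload          # an exact name wins outright
    # Among masks the longest wins; on equal length the first listed does.
    hits = [(len(n), -i, p) for i, (n, p) in enumerate(leading)
            if host.endswith(n[1:]) and len(host) > len(n) - 1]
    if not hits:
        hits = [(len(n), -i, p) for i, (n, p) in enumerate(trailing)
                if host.startswith(n[:-1]) and len(host) > len(n) - 1]
    return max(hits)[2] if hits else None

def select_server(servers, host_header):
    """servers: list of dicts with "names" and optionally "default": True.
    Returns the index of the block nginx would route the request to."""
    entries = [(n, i) for i, s in enumerate(servers) for n in s["names"]]
    idx = best_match(entries, host_header)
    if idx is not None:
        return idx
    # Nothing matched: the default server for that listen socket handles it,
    # i.e. the block marked default_server or, failing that, the first defined.
    return next((i for i, s in enumerate(servers) if s.get("default")), 0)

def map_lookup(map_entries, default, host_header):
    """map $host $root { hostnames; default ...; <name> <value>; ... }"""
    value = best_match(map_entries, host_header)
    return default if value is None else value

# Constructed from the thread: two backends, each named only by "*.domain"
# (the broken form) and then by ".domain" (the fix).
BROKEN = [{"names": ["*.abc.com", "*.def.com"]}, {"names": ["*.hij.com", "*.klm.com"]}]
FIXED = [{"names": [".abc.com", ".def.com"]}, {"names": [".hij.com", ".klm.com"]}]
```

With BROKEN, a bare abc.com or hij.com matches no name at all and both fall through to the first (default) block, which is the "everything goes to one server" symptom from the thread.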
Your idea is kind of fantastic. To operate in a good, predictable and debuggable way, you should create a "server" block for every server you serve, and write its domain name into the "proxy_redirect" directive accordingly.
To handle a lot of domains, get a list of them and write a shell/perl/python script to generate your actual config. This script will be a rather simple one.
And read the docs to understand clearly what "server blocks" are for. In short, they are the core of nginx's performance magic.

Nginx + LAMP disable allow from 8080

I have configured Nginx (frontend) + LAMP, multiple domains (virtual hosts).
Nginx listens on port 80, Apache on 8080.
This is my config for Nginx:
server {
listen 80 default_server;
server_name _;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 10m;
}
location ~ ^/phpMyAdmin/(.*\.(js|css|gif|jpg|png))$ {
alias /usr/share/phpMyAdmin/$1;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|flv|rtf|js|swf|iso)$ {
root /var/www/html;
}
}
server {
listen 80;
server_name example.com www.example.com;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 10m;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|flv|rtf|js|swf|iso)$ {
root /var/www/example.com;
}
}
and this is my Apache conf:
Listen 8080
ServerName localhost
NameVirtualHost *:8080
<VirtualHost _default_:8080>
Options -Indexes
DocumentRoot /var/www/html
Alias /phpMyAdmin /usr/share/phpMyAdmin
</VirtualHost>
<VirtualHost *:8080>
DocumentRoot /var/www/example.com/
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
How to deny access from example.com:8080?
example.com - nginx (frontend)
example.com:8080 - apache
And what do you think are my mistakes in the config? Thank you in advance!
Either:
Listen on 127.0.0.1:8080 instead of *:8080
Or
Use firewalld on CentOS 7 or iptables on CentOS < 7 (except if you put iptables back on CentOS 7 of course).

Apache and ultimate config for nginx to serve all virtual hosts in the right way

I've just set up nginx to serve static requests on one site, but I have lots of sites on my server and I wonder, should I write a new nginx server configuration for all of them?
What I'm doing now: I have a file with all the virtual host entries for Apache, with something like this:
NameVirtualHost *:8080
<VirtualHost *:8080>
ServerName sky2high.net
DocumentRoot /home/mainsiter/data/www/sky2high.net
</VirtualHost>
<VirtualHost *:8080>
ServerName surdo.asmon.ru
DocumentRoot /home/surdo/data/www/surdo.asmon.ru
</VirtualHost>
<VirtualHost *:8080>
ServerName surdoserver.ru
DocumentRoot /home/surdo/data/www/surdoserver.ru
</VirtualHost>
I have this in apache's ports.conf:
Listen 8080
And so I've set up nginx to work with one site (sky2high.net) and created the following config file (/etc/nginx/sites-enabled/sky2high.net):
server {
listen 80;
server_name sky2high.net www.sky2high.net;
proxy_set_header Host $host;
access_log /var/log/nginx.access_log;
location ~* \.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
root /home/mainsiter/data/www/sky2high.net/;
index index.php;
access_log off;
expires 30d;
}
location ~ /\.ht {
deny all;
}
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
proxy_set_header Host $host;
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_redirect off;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
And it works fine for this domain, but of course the other virtual hosts are broken.
So, the question is: is there an ultimate config option for nginx which can handle all requests from all virtual hosts (domains) and serve them in the right way? I mean, an option that allows not writing separate config files for each virtual host (with all this duplicated stuff like root and index options), but only one for all virtual hosts?
PS: should I move question to serverfault?
UPDATE:
Hmm.. I wonder how it works, but it does. I've made the following config files:
/etc/nginx/nginx.conf
user www-data;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
and
/etc/nginx/sites-enabled/default
server {
listen 80;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
I do not understand how it works, but it does...
UPDATE 2: or it doesn't work! I've looked at "top" in the console and noticed that Apache serves not only PHP requests but static content as well =(
What you are doing now is sending all the network traffic to 127.0.0.1:8080 without letting Nginx serve the static files.
What you should try is the following:
server {
listen 80;
server_name sky2high.net www.sky2high.net;
location / {
proxy_pass http://127.0.0.1:8080;
include /etc/nginx/conf.d/proxy.conf;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|tgz|gz|pdf|rar|bz2|exe|ppt|txt|tar|mid|midi|wav|bmp|rtf)$ {
root /folder/to/static/files;
expires 90d;
}
location ~* ^.+\.(css|js)$ {
root /folder/to/static/files;
expires 30d;
}
}
And in proxy.conf you put the following:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 8m;
client_body_buffer_size 256k;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 512k;
proxy_temp_file_write_size 256k;
This should work for you
Just my two cents, in most cases it's not necessary to specify the listen 80.
Source: Nginx common Pitfalls