I have the folloiwng Nginx configuration:
server {
listen 80;
server_name .example.net .example.com;
return 301 https://example.com$request_uri;
}
server {
listen 80;
server_name beta.example.com;
error_page 403 /403;
error_page 404 /404;
error_page 500 /500;
client_max_body_size 5M;
# Handle all locations
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/cert_chain.crt;
ssl_certificate_key /etc/ssl/csr.pem;
server_name example.com;
error_page 403 /403;
error_page 404 /404;
error_page 500 /500;
client_max_body_size 5M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I'm wanting to redirect HTTP requests to HTTPS however I get a redirect loop. I've read other answers on different questions including this one and this one however none of their solutions solved mine. Any ideas? Thanks.
It seems like your backend (running on 127.0.0.1:8000) issues Location: http://example.com/ header.
Please look into the access logs, nginx's and backend's too.
Or use httpliveheaders or tcpdump to investigate the traffic.
Related
We have a Nginx server configured for reverse proxying to protect an aging SOAP server that can't be patched.
I've been asked to restrict what calls clients can make from specific IP ranges.
I've no idea how to allow some SOAP calls but filter out others.
The Nginux config is
server {
listen 443;
listen [::]:443;
server_name shiny.nginx.server;
ssl on;
ssl_certificate "/public/directory/proxy.pem";
ssl_certificate_key "/secret/directory/proxy.key";
location / {
proxy_pass http://very.old.server:80/;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
Any ideas how I achieve this?
Thanks
I'v found a solution to this.
server {
listen 443;
listen [::]:443;
server_name shiny.nginx.server;
ssl on;
ssl_certificate "/public/directory/proxy.pem";
ssl_certificate_key "/secret/directory/proxy.key";
location / {
proxy_pass http://very.old.server:80/;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
if ($remote_addr ~ 192.168.1.1) {
set $is_user Y;
}
if ($http_soapaction ~ SOAP/Request/Goes/Here) {
set $user_allowed Y;
}
set $user_test "${is_user}${user_allowed}";
if ($user_test = YY) {
set $good yes;
}
if ($good != yes) {
return 403;
}
}
Not being able to do nested or complex tests made it a bit tricky...
I used certbot to create a SSL certificate for my domain. It modified my Nginx configuration automatically. Below is the section which redirects http (80) to https (443):
server {
if ($host = domain.tld) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.domain.tld) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name www.suzaku.pw suzaku.pw;
return 404;
}
That seems to work. But the problem is that any POST/PUT/DELETE request is now interpreted as GET request:
http://domain.tld/api only understands GET
https://domain.tld/api works with all GET/POST/PUT/DELETE
_
Below is the rest of the configuration (where HTTP gets forwarded to)
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name www.domain.tld domain.tld;
location / { try_files $uri $uri/ =404; }
location ~ \.php$ { ... }
listen [::]:443 ssl http2 default_server ipv6only=on; # managed by Certbot
listen 443 ssl http2 default_server; # managed by Certbot
ssl on;
ssl_certificate /etc/letsencrypt/live/www.domain.tld/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.domain.tld/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location ^~ /jenkins/ { ... }
location ^~ /api {
proxy_pass http://localhost:6000;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Is there any obvious error in my config?
I am running a django application through gunicorn via unix socket and I have my nginx configuration which looks like this :
Current NGINX config File :
upstream django_app_server {
server unix:/django/run/gunicorn.sock fail_timeout=0;
}
server{
listen 80;
server_name demo.mysite.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://django_app_server;
break;
}
}
}
so my django is running on a unix socket here , lets say if it was running on localhost then it has a url which looks like :
http://127.0.0.1:8000/demo/app1
http://127.0.0.1:8000/demo/notifications
Main goal
so what i want to do is , when someone visit http://demo.mysite.com/app1 they can access via proxy pass the url : http://127.0.0.1:8000/demo/app1
It would have been really easy if i would be running django on localhost tcp port and i could have easy done this and it would have worked for me :
server{
listen 80;
server_name demo.mysite.com;
location / {
proxy_pass http://127.0.0.1:8000/demo/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
How do i achieve this with my current nginx configurtion ?
One approach is to use rewrite ... break, for example:
location / {
try_files $uri #proxy;
}
location #proxy {
rewrite ^ /demo$uri break;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://django_app_server;
}
See this document for details.
This is my Nginx config:
upstream app_server {
# Bindings to the Gunicorn server
server 127.0.0.1:8002 fail_timeout=0;
}
server {
listen 80;
server_name "~^www\.(.*)$";
return 301 https://$host$request_uri;
}
server {
access_log path_to_nginx-access.log;
error_log path_to_nginx-error.log;
listen 443 ssl;
server_name _;
ssl_certificate path_to_nginx.crt;
ssl_certificate_key path_to_nginx.key;
client_max_body_size 4G;
keepalive_timeout 5;
root path_to_root;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://app_server;
break;
}
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root path_to_templates;
}
}
My goal is to have all this addresses redirecting to https://domain.com
http://domain.com
https://domain.com
http://www.domain.com
https://www.domain.com
What should I change?
Keep in mind that I need to handle multiple domains with the same Nginx server (vide server_name).
Thanks!
this is my site-available nginx configuration for flask application
server {
listen 80;
server_name _;
access_log /var/log/nginx/nginx_access.log;
error_log /var/log/nginx/nginx_error.log;
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443;
server_name _;
access_log /var/log/nginx/nginx_access.log;
error_log /var/log/nginx/nginx_error.log;
ssl on;
ssl_certificate /etc/nginx/ssl/<redacted>.pem;
ssl_certificate_key /etc/nginx/ssl/<redacted>.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
I have gone through the questions
Nginx configuration leads to endless redirect loop
and nginx redirect loop with ssl. I seem to have the configuration specified in them already.
EDIT
Flask application is running via gunicorn/supervisord
Supervisor config.conf
[program:config]
command=/usr/local/bin/gunicorn run:app --config /etc/gunicorn/gunicorn.conf --preload
directory=/srv/<application>
autostart=true
autorestart=true
startretries=10
stderr_logfile = /var/log/supervisord/<application>-stderr.log
stdout_logfile = /var/log/supervisord/<application>-stdout.log
user=root
Gunicorn gunicorn.conf
bind = '0.0.0.0:5000'
backlog = 2048
workers = 3
worker_class = 'sync'
worker_connections = 1000
timeout = 30
keepalive = 2
accesslog='/var/log/gunicorn/gunicorn_access.log'
errorlog='/var/log/gunicorn/gunicorn_error.log'
pidfile = '/tmp/gunicorn.pid'
loglevel = 'debug'
Flask Application
run.py
from app import app
from app import views
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=True)
view.py
from app import app, session
from flask import render_template, json, jsonify
import datetime
#app.route("/hello/")
def render_templates():
return render_template("display.html")
(... other code ..)
NB: I have an ELB in front of the flask application. 80 and 443 ports are open.
Input: https://example.com/hello/ Output: Redirected Loop
Any help will be appreciated.Thanks in advance.
I did figure out the issue.
The nginx configuration should have been
server {
listen 80;
server_name _;
access_log /var/log/nginx/nginx_access.log;
error_log /var/log/nginx/nginx_error.log;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
As ELB does an unloading of HTTPS encryption to HTTP request , my previous configuration was redirecting all my HTTP requests into HTTPS.