Channel: Nginx Forum - How to...

How to redirect web service URLs using nginx from internal to the URL

Hi,

Hoping someone is able to provide some assistance or recommendations here.

We are wanting to make API calls from an internal network URL and have it automatically redirect to a cloud app URL.

The redirection works seamlessly on the browser level as there is a user proxy which manages it, however when trying to make a call outside the browser such as postman/soapui it won't connect.

The idea is to be able to maintain the old URL that interface calls go to such as:

https://interfaces.companyname.com/api/table/flash

and it translates to

https://companyname.vendorcompany-now.com/api/table/flash

Any suggestions will be greatly appreciated!



Thanks!

Re: Client certificate validation error handling

I didn't find a way to achieve the goal above. In the end, we decided to use `optional_no_ca` mode and validate certificates on our backend side.

Is it possible to get the whole client certificate chain as a variable value?

In case of a certificate hierarchy "CA -> Interm1 -> Interm2 -> a client certificate", after a successful SSL handshake the ssl_client_cert variable contains the client certificate but not the whole chain up to the CA certificate. Is there a variable/way to get the chain to put it into a header of a proxy_pass request?

how to tell nginx not to cache fastcgi

How to tell nginx not to cache fastcgi if response/content size is less than some bytes?

Getting NGINX SSL working

I am in need of some assistance getting NGINX working with SSL. I used CertBot to get a free SSL Certificate, and in the process of doing this it told me that my server wasn't found in the server variable or some message like that. It downloaded the certificate but did not auto install like it was supposed to.

I have tried to follow directions on several sites to manually install the certs with no luck.

I need help either getting NGINX set up correctly so that certbot can do the work, or to manually set up my server or both!!!!

HELP!!!

Re: Getting NGINX SSL working

I can help you install the SSL certificate, but manually.

Re: how to tell nginx not to cache fastcgi

Re: Getting NGINX SSL working

can you email me directly at michialt@ G mail dot com

Reverse proxy from NGINX to Keycloak with 2FA

Hello all,

I have a problem with NGINX. In addition, I will provide you with a configuration file and a picture of the architecture schema.

I want to access Keycloak via nginx and log in to it. I use it as an Identity Management where I have a login with a username and password and a certificate where I check the certificate, that is 2FA. My problem is that when I access it from the browser through NGINX, I do not get a popup to submit my user certificate, but go straight to the second step to enter a username and password, and after that Keycloak tells me I'm missing a certificate.

Something I've tried that worked: if I add proxy_ssl_certificate and proxy_ssl_certificate_key to the configuration file, the certificate is passed on, but only for one user. For example, if proxy_ssl_certificate and proxy_ssl_certificate_key are the certificate and key of the user joncheski, logging in to Keycloak as the user joncheski succeeds. But if I want to log in as another user, it fails, because the certificate and the username do not match.
I need your help. How can I set this up so that it works for more users?

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        server_name nginx.poc.com;

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_certificate /etc/nginx/certs/server/SERVER.crt;
        ssl_certificate_key /etc/nginx/certs/server/SERVER.key;
        ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;

        #KEYCLOAK
        location '/auth' {
            proxy_pass https://keycloak.poc.com:8443/auth;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_http_version 1.1;

        }
    }
}

Best regards,
Goce Joncheski
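
In the configuration above, `proxy_ssl_certificate` is the identity nginx itself presents to Keycloak, which is why it can only ever stand for one user. One way to let each user present their own certificate, as an added example that is not part of the original post: nginx requests and verifies the certificate on the browser side and forwards it to Keycloak in a request header. The header name `ssl-client-cert` and the reuse of `ROOT-CA.crt` for user certificates are assumptions; Keycloak has to be configured to read the client certificate from that header.

```nginx
# Added example: nginx terminates TLS, verifies the user's certificate and
# forwards it to Keycloak in a request header. Goes inside the http {} block.
server {
    listen 443 ssl http2;
    server_name nginx.poc.com;

    ssl_certificate     /etc/nginx/certs/server/SERVER.crt;
    ssl_certificate_key /etc/nginx/certs/server/SERVER.key;

    # Browser-facing side: ssl_client_certificate names the CA(s) nginx
    # advertises in the handshake; without ssl_verify_client the browser
    # is never asked for a certificate.
    ssl_client_certificate /etc/nginx/certs/ca/ROOT-CA.crt;  # assumption: user certs chain to this CA
    ssl_verify_client      optional;
    ssl_verify_depth       2;                                 # assumption: same depth as the upstream check

    location /auth {
        # "optional" lets the handshake finish without a certificate, so
        # enforce the result here: NONE, FAILED:<reason> or SUCCESS.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass https://keycloak.poc.com:8443/auth;
        proxy_http_version 1.1;

        # Upstream side: nginx authenticates Keycloak's server certificate.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca/ROOT-CA.crt;
        proxy_ssl_protocols           TLSv1.2;

        # URL-encoded PEM of the verified leaf certificate (nginx 1.13.5+).
        # proxy_set_header replaces any header of this name sent by the
        # client, so the value always comes from the TLS handshake.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;  # header name is an assumption
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Keycloak should accept this header only on connections coming from nginx; if port 8443 is reachable directly, any client can supply the header itself.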

Exclude images from location

So far after several attempts and reading the manuals I am still unable to get a clear and working response to how to exclude a path from nginx.

Please only reply if you ACTUALLY KNOW what you're doing, no online trolls or bullies, not references to someone else, I took the time to type this so can you.
The answer to this is probably a single line so please be respectful, people read what you put on the internet.

location /path/prefix {
    #no entries
}
location ~* \.(png|gif)$ {
    expires 30d;
}

I've tried the various ways to do this and none appear to work.
What I want is for images under /path/prefix to go through apache(where I've got rewrite working) every time so exclude /path/prefix from all nginx caching.

I've tried the # no entries style and that does nothing.
I've tried all these variations and none have worked.

expires off;
expires epoch; (not at the same time as off, obviously.)
proxy_no_cache 1;
proxy_pass http://127.0.0.1:8080
add_header Cache-Control 'no-store, no-cache..."


Thanks.
Jon

Wildcard certificate - force redirect http to https for specific domain

Hi all,
My environment : Centos 6.9 + rh-nginx18-nginx-1.8.1-1.el6.x86_64 .
I have wildcard certificate for domain *.mydomain.com , server accepts both http and https requests
[code]
server {
    listen 192.168.0.19:80; # we serve both http and https
    listen 192.168.0.19:443 default_server ssl;
    server_name *.mydomain.com;
    ssl_certificate
    ssl_certificate_key
    ...
    proxy_pass http://upstreams; # we pass request to upstream based on some url conditions
}
[/code]
Now if I want to force redirect http to https for only 1 specific domain abc.mydomain.com and leave the rest the same, what should I do?
I tried:
[code]
server {
    listen 192.168.0.19:80;
    server_name abc.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 192.168.0.19:80; # we serve both http and https
    listen 192.168.0.19:443 default_server ssl;
    server_name *.mydomain.com;
    ssl_certificate
    ssl_certificate_key
    ...
    proxy_pass http://upstreams; # we pass request to upstream based on some url conditions
}
[/code]
But it doesn't work.
Please give me some advice, thank you very much.

Re: Wildcard certificate - force redirect http to https for specific domain

I tried removing "default_server" from the listen entry; it still does not work. Does anyone have the same problem?

Re: Wildcard certificate - force redirect http to https for specific domain

This also doesn't work:
[code]
server {
    listen 192.168.0.19:80; # we serve both http and https
    listen 192.168.0.19:443 default_server ssl;
    server_name *.mydomain.com;
    ssl_certificate
    ssl_certificate_key

    if ($host = abc.mydomain.com) {set $test A;}
    if ($scheme = http) {set $test "${test}B";}
    if ($test = AB) {
        return 301 https://$host$request_uri;
        break;
    }
    ...
}
[/code]

Cannot get Nginx to work with my WordPress

Hello all

A bit of background information. I have a CentOS 7 VPS. I installed the LAMP stack on it and everything was fine, all working well, but heard how Nginx is faster, so I decided to move my sites over to Nginx. I uninstalled Apache and installed Nginx.

I did not imagine things would be so complex. I have followed various instructions around the web, but nothing seems to work for me. Right now, only the homepage to my website is working, everything else doesn't. Even the homepage doesn't show certain images, not sure why.

Here is my server block for the Wordpress website:

server {
    listen *:80;
    server_name nativeleaf.co.uk www.nativeleaf.co.uk;

    expires 86400s;
    add_header Pragma public;
    add_header Cache-Control "max-age=86400, public, must-revalidate, proxy-revalidate";

    error_page 404 /404.html;
    location /404.html {
        internal;
    }

    error_page 403 = 404;

    location ~ /(\.|wp-config.php|readme.html|licence.txt) {
        return 404;
    }

    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ~* ^.+\.(css|js)$ {
        rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
    }

    error_log /var/log/nginx/nativeleaf.co.uk-error.log;
    access_log /var/log/nginx/nativeleaf.co.uk-access.log;

    root /var/www/html/nativeleaf.co.uk;

    location / {
        index index.php index.html index.htm;
    }

    # get friendly url links working
    if (!-e $request_filename)
    {
        rewrite ^(.+)$ /index.php?q=$1 last;
    }

    # pass all PHP files through php-fpm
    location ~ \.php$ {

        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/wordpress-user/techarena51.com$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    # deny all apache .htaccess or .htpasswd files
    location ~ /\.ht
    {
        deny all;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}

I am using php-fpm for handling the php, I've read that I must do this because Nginx is different from Apache and has to delegate the PHP stuff to either fastcgi or php-fpm, correct me if I'm wrong.

Any help would be greatly appreciated.

Thank you

Nginx Cache even if it's a 404 response

Hello everybody,

I use 404 rewriting url:

error_page 404 = /url_rewriting.php;

I cache images generated with a php render script which is in a folder /render/framed/:

set $no_cache 0;

location ~ /render/ {
    include snippets/fastcgi-php.conf;
    #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_pass 127.0.0.1:9000;

    fastcgi_buffers 8 16k; # increase the buffer size for PHP-FTP
    fastcgi_buffer_size 32k; # increase the buffer size for PHP-FTP
    fastcgi_cache_key $scheme$host$request_uri$request_method;
    fastcgi_cache PROD;
    fastcgi_cache_valid any 20d;
    fastcgi_cache_valid 404 1d;
    fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_hide_header "Set-Cookie";
    fastcgi_cache_bypass $no_cache;
    fastcgi_no_cache $no_cache;
    expires 10M;
    access_log off;
    add_header Cache-Control "public";
    add_header X-Cache-Status $upstream_cache_status;
}

The cache works with a URL like this:

https://mywebsite.com/include/php/render/framed/img.php?VR=1&size=300&image=U3pmwKi

But the cache does not work with a URL like this:

https://mywebsite.io/include/php/render/framed/file/VR/1/size/300/image/U3dpwK
This second URL goes through error_page 404 = /url_rewriting.php; because the directory 'file' does not exist, but the script displays the image thanks to the url_rewriting.php script, which does the trick.

What do I have to update in my Nginx config to be able to cache 404 responses?

Thanks,
Vincent.

Completely discard second POST when sent in under 500ms?

Hello,
I would like to completely discard (not buffer, queue or respond to) any POST request from a user within 500ms (preferably cookie based maybe?)
I've looked at https://www.nginx.com/blog/rate-limiting-nginx/ but not sure it "fits".

Basically, nginx is sitting in front of phpbb forum software, and it looks like when someone accidentally double-clicks (usually between 100-200ms), then two posts get made, I think because the server takes about 200ms to respond. phpbb is supposed to have inbuilt "flood control" of 15 seconds, but I guess it can't check the DB before the next request comes in.

So silently rejecting the second click would be ideal.

Behavior of ssl_verify_client = optional

Hi,

I've set up nginx 1.10.3 on ubuntu 16.04.4 with client SSL certificates:

ssl_client_certificate /etc/nginx/client-cert/ca.crt;
ssl_verify_client optional;

I am not getting any prompts for the certificate in any browser.
What is the expected behavior of ssl_verify_client = optional? Do I still get a prompt or should I somehow force the browser to submit the certificate to the server?

handling relative URL redirects in a reverse proxy; mixed content warnings

I am using Nginx as a reverse proxy, we are adding TLS to a back end application and are handling redirects port 80 http to 443 https. Works great for several sites and 95% for an enterprise application.

For that application it occasionally issues a 302 redirect with a relative url such as Location: /something/

Apparently Nginx is seeing this and adding <scheme>://<host>/something to fetch that content. Both firefox and chrome then flag a mixed content warning and don't load that section unless the user clicks allow it. The F12 console contents look like this:

Mixed Content: The page at 'https://<host>/something' was loaded over HTTPS, but requested an insecure resource 'http://<host>/something'. This request has been blocked; the content must be served over HTTPS.

The vendor I'm working with found this topic which sounds sort of like what's happening: https://stackoverflow.com/questions/33523821/how-to-issue-a-relative-url-redirect-from-nginx

So is there something I can add to my config file to allow nginx to pass the relative URL instead of the full scheme/host/url?
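
One way to keep redirects on HTTPS behind a TLS-terminating proxy, as an added example that is not part of the original post. It assumes the `http://` URL reaches the browser in a `Location` header produced by the back end; `app.example.com`, `127.0.0.1:8080` and the certificate paths are placeholders.

```nginx
# Added example; host name, backend address and paths are placeholders.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/app.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/app.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Tell the application which scheme and host the browser used, so it
        # can build https:// URLs itself if it honours these headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite absolute Location/Refresh headers that still point at the
        # plain-HTTP origin. Relative values such as "/something/" do not
        # match and are passed through unchanged.
        proxy_redirect http://$host/ https://$host/;
    }
}
```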

auth_request and fastcgi_pass can't use var? And what should I do ?

Hello,
I want to see $token to $tk not "$tk" and I think nginx doesn't understand two variables. But I may be wrong, actually.
I have to cut out some part from uri and use that in sub-request. Is there some workaround for that?

My conf for that is at https://pastebin.com/u0ddzD3H and it doesn't work.

Nginx config issue

https://stackoverflow.com/questions/50149596/nginx-if-cookie-exist-different-location

Here is my question, and I need to get it to work earlier but I don't know how,
thanks,