Channel: Nginx Forum - How to...

Reverse proxy to backend without sending context location to backend

Hello Nginx community!

I have been trying for a while to set up a backend server on my Nginx instance.

I can access the backend directly with: status.domain.com on port 443.

When I add this to my nginx settings:

location /status {
    proxy_pass https://status.domain.com/;
}

I would expect it to forward all requests to the status machine.
It doesn't matter if I add trailing slashes in location or proxy_pass directive...

With those settings I get redirected to status.domain.com
I'd like to have all to go through the proxy.

What am I missing here?

Thanks
David

Re: What's wrong with my config?

I'm stupid, I didn't see a leftover return 404. Please close if there even are any mods here.

Re: Reverse proxy to backend without sending context location to backend

I was trying some more here: this is what I get in access log on nginx:

192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /status HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /status HTTP/1.1" 301 194 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /status/ HTTP/1.1" 200 3590 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /build/dist/css/all-2812406e36.css HTTP/1.1" 404 199 "https://services.domain.com/status/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /build/dist/js/all-b2c62d4294.js HTTP/1.1" 404 198 "https://services.domain.com/status/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
192.168.0.20 - - [11/Jun/2018:15:25:46 +0200] "GET /build/dist/js/all-b2c62d4294.js HTTP/1.1" 404 198 "https://services.domain.com/status/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"

I did not find how to set code or quote tags, sorry if I missed this!

nginx + mod_rewrite

Hello Experts,

I have Nginx 1.12 installed on my Amazon AMI instance.
I wanted to check if mod_rewrite is enabled in my Nginx or not.
Please guide.

Intentionally removed nginx header is shown with pagespeed

I was using nginx 1.13.6 with headers_more_module to remove the "Server: nginx" header from all requests. Now, I have recompiled nginx with ngx_pagespeed module using the following command:

bash <(curl -f -L -sS https://ngxpagespeed.com/install) \
     --nginx-version latest

The header starts to show up again now. When pagespeed is disabled, the header is not shown anymore. Is there anything that can be done to stop showing the headers when pagespeed is enabled too?

Adding different headers for different requests

Hi all.

So far my config has looked like this:
- adding some headers globally in http block
- then, if necessary, adding / removing some additional headers in location blocks for certain sites (server blocks)
- usually the headers added / removed are the same for all sites, ie. adding extra headers for static files (so the configuration gets repeated throughout sites)

Example:

http {
    add_header xxx;

    server {
        location / {
        }
        location ~* \.(svg)$ {
            add_header xyz;
        }
    }

    server {
        location / {
        }
    }

    server {
        location / {
        }
        location ~* \.(svg)$ {
            add_header xyz;
        }
    }
}

Sadly, the more sites, the harder it gets to keep up with multiple locations, especially considering the configuration is repeated. So I'd like to make some changes and go with something like this:

http {
    if request = ~* \.(svg)$
        add_header xyz;
    else
        add_header xxx;

    server {
        location / {
        }
    }

    server {
        location / {
        }
    }

    server {
        location / {
        }
    }
}

The problem is that the location directive cannot be used in the http block. I'm thinking about constructing some IF, although I don't know how I should approach this. Any ideas?

Thanks in advance!

Re: Adding different headers for different requests

After some research I see that I cannot use if directive in http context, it can only be used on "lower" levels, so in server or location. However, if together with add_header can only be used in location context. So it's not perfectly flexible for me - in this scenario I can configure my headers the way I want (see example below), but would still need to manually include the config file in **every** location.

add_header xxx;

if ($uri ~* \.(png)$) {
    add_header xyz;
}

I'd love to hear any ideas that would help me keep my header configuration within http context (best-case scenario) or server context (if http is not possible).

Re: Reverse proxy to backend without sending context location to backend

location /mylink {
    proxy_pass http://10.0.0.2:8000/;
    proxy_redirect http://10.0.0.2:8000 /mylink;
    port_in_redirect off;
}

This also seems not to work, at least for some specific content.
I will try updating the NGINX version!

Nginx stops working

I am using Nginx as a reverse web proxy. I host several sites with 1 public IP address. Almost every day when I go to one of the websites I am greeted with a default Apache webpage instead of the hosted site. I reboot the Nginx server and it all starts working again. Why is it doing this?????

BTW - All sites, router, and Nginx are running on a Hyper-V server. That shouldn't have anything to do with it but....

[Conf File]Name resolution set in the hosts file has priority

Rather than the redirect setting specified by [Location] in the conf file, the setting in the hosts file stored on the same server takes precedence, and an unexpected redirect occurs.

① Is it that nginx's specification makes hosts settings take precedence over config file settings?
② Is there a way to avoid this phenomenon and prioritize the setting of the Conf file?

===========
Below, reference information (background)

Currently, there is a business requirement to set different IP addresses for the same server name in nginx's conf file and in the hosts file on the same server, so it is not possible to delete the settings in the hosts file.

nginx reverse proxy with SASStudio - same host

Hi,
I'm trying to configure nginx in reverse proxy mode to access SASStudio installed (CentOS 7).
Getting an error....

Wrong content / side redirect

Hello,

I'm encountering an issue with my server / nginx configuration and although I've searched this forum and checked other resources, I couldn't find a working solution.

So, I'm using a Ubuntu 16.04 server with nginx version 1.14.0 installed, where I'm hosting 3 websites (shared IP).

Default server configuration:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

Every time I point a new domain name to the shared IP, the new domain gets redirected to the first website / account created on the server, although I would just want that 444 header returned.

The other active websites are using following configuration:
server {
    listen 443 ssl http2;
    server_name <domain name>;
    root "/home/<username>/public_html";

    # Specify a charset
    charset utf-8;

    # Basic configuration
    include /etc/nginx/config/basic.conf;

    # SSL configuration
    include /etc/nginx/config/directive-only/ssl.conf;

    ssl_certificate /home/<username>/ssl.crt;
    ssl_certificate_key /home/<username>/ssl.key;
}

What would you suggest?

Thanks

Re: Preserving Source IP using SSL Preread + OpenVPN

I managed to do this, but not with nginx alone:

My setup:

Single Server with OpenVPN and HTTPS both on Port 443.
Additionally: since many firewalls with deep-packet-inspection (DPI) will block the OpenVPN traffic even when on Port 443, I wanted a solution for OpenVPN where all packets _can_ be layered within regular SSL traffic, which will look like plain HTTPS to a DPI firewall. This special scenario requires that the client device layers all packets within SSL; this can be done using "stunnel" or "ssldroid" but is not covered here.


So my Port 443 will go by these rules:

Input on Port 443 -> is it OpenVPN Traffic? -> Keep real remote IP -> Forward to Port 1194 [OpenVPN Daemon]
Input on Port 443 -> is it non OpenVPN Traffic? -> is the requested Domain "sslvpn.mydomain.com"? -> Unpack (remove SSL-Layer) Traffic -> Forward to Port 1194 [OpenVPN Daemon]
Input on Port 443 -> is it non OpenVPN Traffic? -> is the requested Domain NOT "sslvpn.mydomain.com"? -> Keep real remote IP -> Forward to Port 4443 [Nginx Vhosts]

I managed to keep the real remote IPs in all cases but the one where I need the layering of OpenVPN packets within SSL. This is the only flaw, but I can live with it since usually I only use OpenVPN on Port 443 directly and need my webroots up and running.

Tools I used:
OpenVPN 2.4.6
Nginx 1.12.2
sslh 1.18

While Nginx has the ability of forwarding the realip, this is only true for the proxy_protocol, which many applications don't support.
sslh can transparently forward traffic while keeping the realip using netfilter.

Important: in the version I used, sslh has to be configured on IP addresses bound to interfaces other than localhost. Do not use 127.0.0.1, this will not work! In my setup, the server has the IP 192.168.1.251.

sslh is started with these params:
# sslh -p 192.168.1.251:443 --openvpn 192.168.1.251:1194 --anyprot 192.168.1.251:9443 --transparent

This means, sslh will listen on port 443 and redirect openvpn traffic to 1194 (OpenVPN Daemon) and everything else to 9443 (one of the nginx listening-ports).
The transparent parameter will initiate the netfilter/caps module which is important.

For this to work we need some rules for iptables:

# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 1194 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 9443 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
# ip rule add fwmark 0x1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

Replace "eth0" with whatever your interface is called.

The OpenVPN server config is not special; it's only required that it is running on Port 1194 (or you have to adjust the config above) and that it is listening in TCP mode.

Now to the nginx part (snippets):

stream {
    map $ssl_preread_server_name $name {
        sslvpn.mydomain.com sslvpn_backend;
        default https_backend;
    }

    server {
        listen 9443;
        proxy_pass $name;
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_protocol on;

        ssl_preread on;
    }

    upstream sslvpn_backend {
        server 127.0.0.1:8443;
    }

    server {
        listen 127.0.0.1:8443 ssl proxy_protocol so_keepalive=on;

        ssl_certificate /etc/letsencrypt/live/sslvpn.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sslvpn.mydomain.com/privkey.pem;

        proxy_protocol off;
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_pass openvpn-ssltunnel-inet-only;
    }

    upstream openvpn-ssltunnel-inet-only {
        # route traffic back to openvpn
        server 127.0.0.1:1194;
    }

    upstream https_backend {
        server 127.0.0.1:4443;
    }
}


The first block will initiate listening on port 9443. There I turn on the proxy_protocol (important to keep the real-ip) and also start "ssl_preread", to inspect the requested domain.
The mapping is quite easy: if the domain was "sslvpn.mydomain.com" use the "sslvpn_backend", in all other cases use the default "https_backend".

The sslvpn_backend just redirects the traffic to port 8443 where the server is a simple stream server with ssl-layering, but also disables the proxy protocol. Afterwards the traffic is routed back to port 1194, where the OpenVPN daemon can now parse the unpacked traffic.

The "https_backend" is just routing all traffic to the destination 4443 where all "real" https-vhosts of nginx reside.

A typical vhost looks like this:

http {
    server {
        listen 127.0.0.1:4443 ssl http2 proxy_protocol;

        set_real_ip_from 127.0.0.1;
        real_ip_recursive on;
        real_ip_header proxy_protocol;

        include includes/ssl.conf;
        ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;

        server_name www.mydomain.com;

        access_log /var/log/nginx/www_mydomain_com.access_log main;
        error_log /var/log/nginx/www_mydomain_com.error_log info;

        root /var/www/mydomain/htdocs;

        try_files $uri $uri/ /index.php?$args;

        include includes/expires.conf;

        include includes/php-fpm.conf;
    }
}

The vhost will listen on 4443, activate the submodules ssl and proxy_protocol.
Within the vhost the realip will be decoded (available via proxy_protocol).
That way, within the logs (access and error) the real remote IP will be visible, and even within PHP in the $_SERVER['REMOTE_ADDR'] variable.

I hope this setup can help someone like me.

Best regards,
David
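
Added example (not part of the post above and not nginx's own code): a Python sketch of what the vhost's "listen ... proxy_protocol" together with "set_real_ip_from 127.0.0.1" amounts to. It parses a PROXY protocol v1 header and believes its source address only when the TCP peer is a trusted proxy. The sample bytes and the names parse_proxy_v1, effective_client_ip and TRUSTED_PROXIES are constructed for illustration.

```python
import ipaddress

# Assumption: mirrors "set_real_ip_from 127.0.0.1;" from the vhost above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
MAX_V1_HEADER = 107  # longest PROXY protocol v1 header, CRLF included

# Constructed sample: v1 header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.168.1.251 51234 9443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes):
    """Split a PROXY protocol v1 header off the front of a byte stream.

    Returns (client_ip, client_port, rest); client_ip is None for
    "PROXY UNKNOWN". Raises ValueError on anything malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, rest


def effective_client_ip(peer_ip: str, data: bytes):
    """Return (address to log, payload after the header).

    The header is always consumed, but its source address replaces the
    TCP peer address only when that peer is a trusted proxy; otherwise
    any client could pick the address that ends up in the logs.
    """
    client_ip, _, rest = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    if client_ip is not None and any(peer in n for n in TRUSTED_PROXIES):
        return client_ip, rest
    return peer_ip, rest


if __name__ == "__main__":
    print(effective_client_ip("127.0.0.1", SAMPLE))     # header believed
    print(effective_client_ip("192.168.1.50", SAMPLE))  # header ignored
```

This is why the vhost binds to 127.0.0.1:4443 and trusts only 127.0.0.1: a proxy_protocol listener reachable from other hosts with a wide set_real_ip_from range would log whatever address the sender writes into the header.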

Re: nginx 1.10.1: how to integrate the icap protocoll || a icap client to communicate with sophos icap server

Hi, I have the same task, to implement an ICAP client in nginx now. Have you resolved it?

Reverse proxy with Exchange 2013 and Outlook

Hi,

Everything runs fine for my Nginx reverse proxy, but only Exchange RPC is not working for Outlook. OWA is working well.

This is my nginx.conf

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/fullchain-copy.pem;
    ssl_certificate_key /etc/letsencrypt/privkey-copy.pem;
    ssl_session_timeout 5m;

    server_name fqdn.domain.com;

    location / {
        return 301 https://fqdn.domain.com/owa;
    }

    keepalive_timeout 3h;
    tcp_nodelay on;
    client_max_body_size 3G;
    proxy_read_timeout 3h;
    proxy_pass_header Date;
    proxy_pass_header Server;
    proxy_pass_header Authorization;

    proxy_pass_request_headers on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Connection "Keep-Alive";
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off;

    #more_set_input_headers 'Authorization: $http_authorization';
    #more_set_headers -s 401 'WWW-Authenticate: Basic realm="server.localfqdn.local"';

    location ~* ^/owa { proxy_pass https://192.168.1.1; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://192.168.1.1; }
    location ~* ^/ecp { proxy_pass https://192.168.1.1; }
    location ~* ^/rpc { proxy_pass https://192.168.1.1; }
    location ~* ^/mapi { proxy_pass https://192.168.1.1; }
    location ~* ^/oab { proxy_pass https://192.168.1.1; }
    location ~* ^/autodiscover { proxy_pass https://192.168.1.1; }
    #location ~* ^/mailarchiver { proxy_pass https://192.168.1.1; }
}

--

Not really getting an error besides an RPC_IN_DATA and RPC_OUT_DATA with 401 for "MSRPC".
Outlook keeps generating the Password prompt.

Tried with the nginx-extras, but not working also:
more_set_input_headers 'Authorization: $http_authorization';
more_set_headers -s 401 'WWW-Authenticate: Basic realm="server.localfqdn.local"';

Does someone know the correct config for Outlook Anywhere?

Thanks

Martin

Autoindex prevent top level directory from returning to index page

I have a simple configuration where I want to use the autoindex feature for a particular directory. The following is the basic outline of the configuration:

server {
    root /var/www;
    ...
    location / {
        index default.html;
    }
    ...
    location /somedirectory {
        autoindex on;
    }
}

I want to prevent the parent directory handler from returning to default.html. Currently accessing:
url/somedirectory

Gives the following:
--
Index of /somedirectory/
--------------------------------
../ { clicking here returns to default.html, I want to prevent this at the top level directory }
directory1/
directory2/
directory3/


Ideally I would fix it in the web page but I have limited control to change at this point, someone stuffed the directory listings page in an iframe which means going back up one directory gives a duplicate index page inside the existing index page.

Re: nginx 1.10.1: how to integrate the icap protocoll || a icap client to communicate with sophos icap server

Hello, do you have any suggestions? I have the same task.

403 Forbidden nginx/1.2.1

Hello everyone.

I am new to nginx. I want to create a subdomain www.website.com/test
I have created the folder like this /var/www/website/test, but when I try to access it I get 403 Forbidden Nginx/1.2.1.

I have tried changing folder permissions, but nothing changes...

Can someone explain to me what I am doing wrong?

Configuring Nginx SSL client authentication between 2 websites

I am in the process of configuring client side certification between 2 websites. example1.com and example2.com. example1.com will be accessing example2.com

I have created my certificate store and have added the following code to vhost for example2.com

ssl_client_certificate /home/user/ca.crt;
ssl_verify_client on;

When I access example2.com from a browser I get

400 Bad Request
No required SSL certificate was sent

- so this bit looks like it's working. If I add the cert to the browser and access the site then it works.



On the vhost for example1.com I have added the following, together with the locations of the SSL client cert I created in the previous step.

location /upstream {
    proxy_pass https://example2.com;
    proxy_ssl_certificate /etc/nginx/ssl/user.crt;
    proxy_ssl_certificate_key /etc/nginx/ssl/user.key;
    proxy_ssl_server_name on;
}



Is there anything else that I need to add in?

nginx for Windows log file

Hello, how do I disable nginx log file creation? It is 188 GB and I don't think I need it.