Hi All,
I am using nginx 1.15.3 in our application as a proxy server. It has a server config block which works as a HTTP as well as HTTPS server.(mentioned below).
x.y.z.f indicates IP of the HTTPS web server.
What is the use case ?
This is a case of redirection from HTTP to HTTPS server.
When the user opens up http://somedomain.com/users/ on the browser, he gets redirect to https://x.y.z.f/ as per the location config below. Also, "/users" in the location below is a just a placeholder to redirect to https://x.y.z.f and does not represent an actual api on https://x.y.z.f server.
Problem statement:
The location config works fine and i land on on login page of https://x.y.z.f, but i get a 403 Forbidden "CSRF verification failed. Request aborted." on login.
Please suggest.
server {
listen 80 default_server;
listen [::]:8080 default_server ipv6only=on;
client_max_body_size 30000m;
listen 443 ssl default_server;
listen [::]:443 ssl;
ssl_certificate abc.cert;
ssl_certificate_key abc.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~* ^/users/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;
}
location ~* ^/static/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;
}
}
I am using nginx 1.15.3 in our application as a proxy server. It has a server config block which works as a HTTP as well as HTTPS server.(mentioned below).
x.y.z.f indicates IP of the HTTPS web server.
What is the use case ?
This is a case of redirection from HTTP to HTTPS server.
When the user opens up http://somedomain.com/users/ on the browser, he gets redirect to https://x.y.z.f/ as per the location config below. Also, "/users" in the location below is a just a placeholder to redirect to https://x.y.z.f and does not represent an actual api on https://x.y.z.f server.
Problem statement:
The location config works fine and i land on on login page of https://x.y.z.f, but i get a 403 Forbidden "CSRF verification failed. Request aborted." on login.
Please suggest.
server {
listen 80 default_server;
listen [::]:8080 default_server ipv6only=on;
client_max_body_size 30000m;
listen 443 ssl default_server;
listen [::]:443 ssl;
ssl_certificate abc.cert;
ssl_certificate_key abc.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~* ^/users/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;
}
location ~* ^/static/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;
}
}