Re: Where to compress text files and filter access
Hello Maxim,

Thank you for this detailed answer. I'll keep it in my personal notes.

I wish you a good year for 2023

On Friday, 30 December 2022 at 01:17:11 UTC+1, Maxim Dounin wrote:

Hello!

On Wed, Dec 28, 2022 at 11:05:01PM +0000, Mik J via nginx wrote:

> What is the best practice for these two situations:
> 1. Compress text files, should I make the compression on the
> reverse proxy or on the backend server ?

In most cases, it makes sense to compress things on the frontend server. In particular, this is because of at least the following factors:

1) Frontend servers are usually not just reverse proxies, but also serve some static resources. As such, compression anyway needs to be configured on frontend servers.

2) Frontend servers are often used with multiple different backends. Further, in some cases they are used to generate responses based on subrequests to different requests, such as with SSI. This makes compression on frontend servers easier or even the only possible solution.

3) Frontend servers are often used to cache backend responses, and proper caching of compressed responses might be problematic and/or inefficient (in particular, because the only mechanism available is Vary).

Note well that by default nginx uses HTTP/1.0 when connecting to upstream servers, and this in turn will disable gzip with default settings. This naturally results in compression being done on frontend servers when nginx with default settings is used both as a backend and a frontend.

In some cases, it might make sense to compress on the backend servers, for example, to ensure that CPU usage for compression is balanced among multiple backend servers, or to minimize traffic between frontends and backends. These are mostly about specific configurations though.

> 2. Deny access to specific files for example, files starting
> with a dot .file, should I write the rule on the reverse proxy
> or on the backend server ?

I would recommend both. In particular, rules on the backend server will ensure that the access is denied where the file resides, making things safe even if the frontend server is somehow bypassed. Rules on the frontend server ensure that requests are denied efficiently.

--
Maxim Dounin
http://mdounin.ru/

___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
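
The layout recommended in the reply above, as an added configuration sketch that is not part of the original thread: compression on the frontend only, and the dot-file rule on both tiers. Server names, addresses, certificate and document paths are assumptions, as is the choice to leave /.well-known/ reachable.

```nginx
# Added example, not from the thread. Names, addresses and paths are assumed.

# ---- frontend (reverse proxy) ----
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

    # Compression is done once, here, for every backend behind this server.
    gzip on;
    # text/html is always compressed; list the other text types explicitly.
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    # Dot-files are refused at the edge, so the request never costs a
    # round trip to the backend. /.well-known/ is left reachable (assumed need).
    location ~ /\.(?!well-known/) {
        deny all;
    }

    location / {
        # nginx speaks HTTP/1.0 to upstreams by default; a backend nginx with
        # the default gzip_http_version (1.1) therefore answers uncompressed,
        # and the gzip settings above do the work.
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# ---- backend ----
server {
    listen 80;
    server_name example.org;
    root /var/www/htdocs/site;

    # Left to the frontend.
    gzip off;

    # Same rule where the files live: it still applies if a client reaches
    # this server without going through the frontend.
    location ~ /\.(?!well-known/) {
        deny all;
    }
}
```

A `^~` prefix location that covers a dot-file path is selected before any regex location, so the deny rule has to be repeated inside such a location if one exists.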
Where to compress text files and filter access
Hello,

What is the best practice for these two situations:

1. Compress text files, should I make the compression on the reverse proxy or on the backend server ?
2. Deny access to specific files for example, files starting with a dot .file, should I write the rule on the reverse proxy or on the backend server ?

Regards
website/admin behind my reverse proxy doesn't work
Hello,

I have a website hosted on a server using nginx behind a nginx reverse proxy but things don't work properly.

https://mywebsite.org => works
https://mywebsite.org/admin => doesn't work it redirects to https://mywebsite.org

On my backend server

    server {
        listen 80;
        server_name mywebsite.org ;
        index index.php;
        root /var/www/htdocs/sites/mywebsite;
        ...
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
            location ~ \.php$ {
                root /var/www/htdocs/sites/mywebsite;
                try_files $uri =404;
                fastcgi_pass unix:/run/php-fpm.mywebsite.org.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }
        }
    }

On my reverse proxy

    server {
        # listen 80;
        # listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name http://mywebsite.org;
        ...
        root /var/www/htdocs/mywebsite;
        location ^~ / {
            proxy_pass http://10.12.255.23:80;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Referer "http://mywebsite.org/";
            proxy_pass_header Set-Cookie;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

So I can't access

In the backend server logs I see

    [28/Dec/2022:23:54:33 +0100] "GET /admin/ HTTP/1.1" 302 5 "http://mywebsite.org/" ...
    [28/Dec/2022:23:54:33 +0100] "GET / HTTP/1.1" 499 0 "http://mywebsite.org/" ...

Regards
Re: Nginx sends syslog messages with the name of the server - I would like the ip
Thank you Jeffrey for your help

On Sunday, 11 December 2022 at 09:31:10 UTC+1, Jeffrey 'jf' Lim wrote:

On Sun, Dec 11, 2022 at 8:03 AM Mik J via nginx wrote:
>
> Hello,
>
> My Nginx server sends syslogs to my remote syslog server with a host = myserver.mydomain.org
> However I would like that the host to be the IP a specific IP of the server (which exists)
>
> On my Nginx server
> server {
> ...
> access_log syslog:server=1.2.3.4;
> error_log syslog:server=1.2.3.4;
>
> Is it possible that the syslog hostname in the message is set to 4.5.6.7 (the IP address of the Nginx server) ?
>

you can define a custom log_format (http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) and then log using that format

-jf

--
He who settles on the idea of the intelligent man as a static entity only shows himself to be a fool.

___
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
Nginx sends syslog messages with the name of the server - I would like the ip
Hello,

My Nginx server sends syslogs to my remote syslog server with a host = myserver.mydomain.org
However I would like that the host to be the IP a specific IP of the server (which exists)

On my Nginx server

    server {
    ...
    access_log syslog:server=1.2.3.4;
    error_log syslog:server=1.2.3.4;

Is it possible that the syslog hostname in the message is set to 4.5.6.7 (the IP address of the Nginx server) ?

Regards
Re: 2 x Applications using the same domain behind a reverse proxy
Hello everyone,

I'm still trying to solve my implementation.

When I access to example.org, I was to use /var/www/htdocs/app1 and it works.
When I access to example.org/app2, I was to use /var/www/htdocs/app2 and it doesn't really work.

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        root /var/www/htdocs/app1;
        location ~ \.php$ {
            root /var/www/htdocs/app1;
            try_files $uri =450;
            fastcgi_pass unix:/run/php-fpm.sock;
            fastcgi_read_timeout 700;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    location /app2 {
        #root /var/www/htdocs/app2;
        alias /var/www/htdocs/app2;
        try_files $uri $uri/ /index.php$is_args$args;
        location ~ \.php$ {
            root /var/www/htdocs/app2;
            #alias /var/www/htdocs/app2;
            try_files $uri =450;
            fastcgi_pass unix:/run/php-fpm.sock;
            # fastcgi_read_timeout 700;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

I have created an index.html file in /var/www/htdocs/app2, when I access it with example.org/app2/index.html I can see the html text.

Problem

My application has to be accessed with index.php so when I type example.org/app2/index.php, Nginx should process /var/www/htdocs/app2/index.php
The problem is that I receive a code 404. I don't receive a code 450.
It looks like the condition location /app2 matches but location ~ \.php$ inside doesn't match

Then I tried to replace alias by root just after location /app2 and I do get this error code 450. The location ~ \.php$ seems to match but the php code is not being processed.

Does anyone have an idea ?

On Tuesday, 19 July 2022 at 16:32:05 UTC+2, Mik J via nginx wrote:

Hello Ian,

Thank you for your answer. I did what you told me

Now I have on my reverse proxy

    location / {
        proxy_pass http://10.10.10.10:80;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer "http://example.org";
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_pass_header Set-Cookie;
    }

And on the backend server

    server {
        listen 80;
        server_name example.org;
        index index.html index.php;
        root /var/www/htdocs/app1;
        access_log /var/log/nginx/example.org.access.log;
        error_log /var/log/nginx/example.org.error.log;
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
            root /var/www/htdocs/app1;
        }
        location /app2 {
            try_files $uri $uri/ /index.php$is_args$args;
            root /var/www/htdocs/app2;
        }
        location ~ \.php$ {
            try_files $uri =450;
            fastcgi_pass unix:/run/php-fpm.app1.sock;
            fastcgi_read_timeout 700;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Access to example.org leads me to app1 so it works as expected.
Access to example.org/app2 doesn't lead me to app2. It seems to me that the following line

    proxy_set_header Referer "http://example.org";

on the reverse proxy could make a confusion ?

I can see that example.org/app2 still lands on /var/www/htdocs/app1

Regards

On Tuesday, 19 July 2022 at 06:10:28 UTC+2, Ian Hobson wrote:

Hi Mik,

I think the problem is that your back end cannot distinguish app1 from app2. I don't think there is a need for proxy-pass, unless it is to spread the load.

I would try the following approach:

Change the root within location / and location /app2 and serve static files directly.

When you pass the .php files, the different roots will appear in the $document_root location, so you can share the php instance.

It will be MUCH more efficient if you use fast-cgi because it removes a process create from every php serve.

Finally, you need to protect against sneaks who try to execute code, by
Re: Php page returns 450
Hello,

After taking a rest I found the solution.

There was this directive placed a few lines before

    location ~ /log { deny all; return 404; }

And the /logout.php page was matching that directive.

I have replaced it by

    location /log { deny all; return 404; }

Which hopefully will help to protect access to any page inside the /log directory.

Thank you

On Saturday, 23 July 2022 at 12:04:56 UTC+2, Mik J via nginx wrote:

Hello,

I use an application named Cacti and everything works well except the logout.php page

So when I try to access
https://example.org/index.php
https://example.org/graph_view.php
It works, code http is 200

But when I access the logout.php page a page 404 is returned
GET /logout.php HTTP/2.0

For php pages I use this

    location ~ \.php$ {
        try_files $uri =450;
        fastcgi_pass unix:/run/php-fpm.cacti.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        limit_except GET HEAD POST { deny all; }
    }

So I would expect a 450 code

If I add this line

    location = /logout.php { return 405; }

before that stanza, a 405 code is returned

    location = /logout.php { return 405; }
    location ~ \.php$ {
        try_files $uri =450;
        fastcgi_pass unix:/run/php-fpm.cacti.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        limit_except GET HEAD POST { deny all; }
    }

So it matches my location

My location ~ \.php$ { doesn't seem to match when the logout.php page is accessed and I don't understand why

Do you have any advice ?

Thank you
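
How nginx selects a location for the two forms of the /log rule discussed in this message, as an added example that is not part of the original posts. The PHP location is copied from the thread; the third variant, `^~ /log/`, is an assumption about the intent (keeping everything under the /log directory unreachable).

```nginx
# Added example, not from the thread.
#
# Selected location per request, assuming only the locations shown here:
#
#   request          (1) "~ /log"     (2) "/log"          (3) "^~ /log/"
#   /logout.php      404              PHP                 PHP
#   /log/app.log     404              404                 404
#   /log/view.php    404              PHP (regex wins)    404

# (1) Original rule: an unanchored regex. "~ /log" matches any URI that
#     contains "/log", so /logout.php and /login.php hit it as well.
#     Regex locations are tried in file order and the first match wins,
#     which is why it shadowed the "\.php$" location placed after it.
# location ~ /log { deny all; return 404; }

# (2) Prefix rule from the follow-up. /logout.php still has /log as its
#     longest matching prefix, but regex locations are checked afterwards
#     and "\.php$" takes the request, so logout.php works again.
#     The same happens for a .php file inside /log/: it is passed to PHP.
# location /log { deny all; return 404; }

# (3) Assumed intent: block the /log directory, PHP files included.
#     "^~" skips the regex check when this prefix is the longest match;
#     the trailing slash keeps /logout.php and /login.php out of it.
#     "return" runs before access checks, so "deny all" is not needed.
location ^~ /log/ {
    return 404;
}

location ~ \.php$ {
    try_files $uri =450;
    fastcgi_pass unix:/run/php-fpm.cacti.sock;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    limit_except GET HEAD POST { deny all; }
}
```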
Php page returns 450
Hello,

I use an application named Cacti and everything works well except the logout.php page

So when I try to access
https://example.org/index.php
https://example.org/graph_view.php
It works, code http is 200

But when I access the logout.php page a page 404 is returned
GET /logout.php HTTP/2.0

For php pages I use this

    location ~ \.php$ {
        try_files $uri =450;
        fastcgi_pass unix:/run/php-fpm.cacti.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        limit_except GET HEAD POST { deny all; }
    }

So I would expect a 450 code

If I add this line

    location = /logout.php { return 405; }

before that stanza, a 405 code is returned

    location = /logout.php { return 405; }
    location ~ \.php$ {
        try_files $uri =450;
        fastcgi_pass unix:/run/php-fpm.cacti.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        limit_except GET HEAD POST { deny all; }
    }

So it matches my location

My location ~ \.php$ { doesn't seem to match when the logout.php page is accessed and I don't understand why

Do you have any advice ?

Thank you
Re: 2 x Applications using the same domain behind a reverse proxy
Hello Ian,

Thank you for your answer. I did what you told me

Now I have on my reverse proxy

    location / {
        proxy_pass http://10.10.10.10:80;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer "http://example.org";
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_pass_header Set-Cookie;
    }

And on the backend server

    server {
        listen 80;
        server_name example.org;
        index index.html index.php;
        root /var/www/htdocs/app1;
        access_log /var/log/nginx/example.org.access.log;
        error_log /var/log/nginx/example.org.error.log;
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
            root /var/www/htdocs/app1;
        }
        location /app2 {
            try_files $uri $uri/ /index.php$is_args$args;
            root /var/www/htdocs/app2;
        }
        location ~ \.php$ {
            try_files $uri =450;
            fastcgi_pass unix:/run/php-fpm.app1.sock;
            fastcgi_read_timeout 700;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Access to example.org leads me to app1 so it works as expected.
Access to example.org/app2 doesn't lead me to app2. It seems to me that the following line

    proxy_set_header Referer "http://example.org";

on the reverse proxy could make a confusion ?

I can see that example.org/app2 still lands on /var/www/htdocs/app1

Regards

On Tuesday, 19 July 2022 at 06:10:28 UTC+2, Ian Hobson wrote:

Hi Mik,

I think the problem is that your back end cannot distinguish app1 from app2. I don't think there is a need for proxy-pass, unless it is to spread the load.

I would try the following approach:

Change the root within location / and location /app2 and serve static files directly.

When you pass the .php files, the different roots will appear in the $document_root location, so you can share the php instance.

It will be MUCH more efficient if you use fast-cgi because it removes a process create from every php serve.

Finally, you need to protect against sneaks who try to execute code, by adding a try_files thus...

    location ~ \.php$ {
        try_files $uri =450;
        include /etc/nginx/fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        etc.

Hope this helps.

Ian

On 18/07/2022 05:08, Mik J via nginx wrote:
> Hello,
>
> I don't manage to make my thing works although it's probably a classic
> for Nginx users.
>
> I have a domain https://example.org
>
> What I want is this
> https://example.org goes on reverse proxy => server1 (10.10.10.10) to
> the application /var/www/htdocs/app1
> https://example.org/app2 goes on reverse proxy => server1 (10.10.10.10)
> to the application /var/www/htdocs/app2
> So in the latter case the user adds /app2 and the flow is redirected to
> the /var/www/htdocs/app2 directory
>
> First the reverse proxy, I wrote this
> ##
> # App1
> ##
> location / {
>     proxy_pass http://10.10.10.10:80;
>     proxy_redirect off;
>     proxy_set_header Host $http_host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header Referer "http://example.org";
>     #proxy_set_header Upgrade $http_upgrade;
>     #proxy_pass_header Set-Cookie;
> }
> ##
> # App2
> ##
> location /app2 {
>     proxy_pass http://10.10.10.10:80;
>     proxy_redirect off;
>     proxy_set_header Host $http_host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header Referer "http://example.org";
>     #proxy_set_header Upgrade $http_upgrade;
>     #proxy_pass_header Set-Cookie;
> }
>
>
> Second the back end server
2 x Applications using the same domain behind a reverse proxy
Hello,

I don't manage to make my thing works although it's probably a classic for Nginx users.

I have a domain https://example.org

What I want is this
https://example.org goes on reverse proxy => server1 (10.10.10.10) to the application /var/www/htdocs/app1
https://example.org/app2 goes on reverse proxy => server1 (10.10.10.10) to the application /var/www/htdocs/app2
So in the latter case the user adds /app2 and the flow is redirected to the /var/www/htdocs/app2 directory

First the reverse proxy, I wrote this

    ##
    # App1
    ##
    location / {
        proxy_pass http://10.10.10.10:80;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer "http://example.org";
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_pass_header Set-Cookie;
    }
    ##
    # App2
    ##
    location /app2 {
        proxy_pass http://10.10.10.10:80;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer "http://example.org";
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_pass_header Set-Cookie;
    }

Second the back end server

    server {
        listen 80;
        server_name example.org;
        index index.html index.php;
        root /var/www/htdocs/app1;
        access_log /var/log/nginx/example.org.access.log;
        error_log /var/log/nginx/example.org.error.log;
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
            location ~ \.php$ {
                root /var/www/htdocs/app1;
                fastcgi_pass unix:/run/php-fpm.app1.sock;
                fastcgi_read_timeout 700;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }
        }
        location /app2 {
            try_files $uri $uri/ /index.php$is_args$args;
            location ~ \.php$ {
                root /var/www/htdocs/app2;
                fastcgi_pass unix:/run/php-fpm.app1.sock;
                fastcgi_read_timeout 700;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }
        }
    }

The result I have right now is that I can access app1 with http://example.org, but i cannot access app2 with http://example.org/app2

Also what is the best practice on the backend server:
- should I make one single virtual host with two location statements like I did or 2 virtual hosts with a fake name like internal.app1.example.org and internal.app2.example.org ?
- can I mutualise the location ~ \.php$ between the two ?
- Should I copy access_log and error_log in the location /app2 statement ?

By the way, app1 and app2 are the same application/program but sometimes I want another instance or test app version 1, app version 2 etc.

What I tend to do in the past is to have
app1.example.org
app2.example.org
The problem is that it makes me use multiple certificates.
Here I want to group all the applications behind one domain name example.org with one certificate and then access different applications with example.org/app1, example.org/app2

Thank you
Re: Real client IP in the error logs when a server is behind a reverse proxy
Thank you for your answers,

Matthew, I use Openbsd

Nanaya, I tried your solution and it worked. I had to readapt a bit my configuration (removed xforwardedLog) so that my access_log is formatted without duplicate IPs.

Regards

On Thursday, 30 June 2022 at 17:17:01 UTC+2, nanaya wrote:

Hello,

You need to set the reverse proxy ip in the www server: https://nginx.org/r/set_real_ip_from

Also note this will replace $remote_addr with the value from X-Real-IP header (the original value is in $realip_remote_addr).

On Thu, Jun 30, 2022, at 21:56, Mik J via nginx wrote:
> Hello,
>
> My configuration on my www server (192.168.1.10) on the vhost looks like that
> server {
> ...
> access_log /var/log/nginx/mylogs.mydomain.org.access.log xforwardedLog;
> error_log /var/log/nginx/mylogs.mydomain.org.error.log;
>
> and in nginx.conf
> http {
> ...
> log_format xforwardedLog '$remote_addr forwarded for $http_x_real_ip
> - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent"';
>
> On my www server 192.168.1.10 I can see the access logs
> 192.168.1.20 forwarded for 54.38.10x.x - - [30/Jun/2022:13:44:38 +0200]
> "GET / HTTP/1.0" 200 7112 "http://app.mydomain.org" "Mozilla/1.22
> (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1"
> And it works correctly for me because I can see the IP of the user on
> the Internet
>
> But on the error.log I don't see the IP of the user on the Internet
> 2022/06/28 16:12:27 [error] 45747#0: *11 access forbidden by rule,
> client: 192.168.1.20, server: app.mydomain.org, request: "GET
> /.git/config HTTP/1.0", host: " ", referrer:
> "http://app.mydomain.org"
> So here as you can see in the logs my client 192.168.1.20 is the
> reverse proxy and not the client on the Internet
>
> So in access logs
> http://nginx.org/en/docs/http/ngx_http_log_module.html
> I can get the IP of the Internet use
>
> How can I get the IP of the Internet user when it generates an error log ?
>
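
The change described in this message, as an added configuration sketch for the www server (192.168.1.10) that is not part of the original posts. The addresses and log paths come from the thread; the format name `realipLog` and the `/.git` deny rule are assumptions, and nginx must be built with the realip module (`--with-http_realip_module`).

```nginx
# Added example, not from the thread. Goes on the www server behind the proxy.
http {
    # Accept X-Real-IP only when the TCP peer is the reverse proxy itself.
    # A wider range here (a whole subnet, or everything) lets any host in
    # that range choose the address that ends up in the logs and in
    # allow/deny decisions.
    set_real_ip_from 192.168.1.20;

    # Header filled in by the proxy with: proxy_set_header X-Real-IP $remote_addr;
    real_ip_header X-Real-IP;

    # From here on $remote_addr is the Internet client, in the access log,
    # in the "client:" field of error.log and in allow/deny rules.
    # The proxy's own address remains available as $realip_remote_addr.
    # "realipLog" is a hypothetical format name.
    log_format realipLog '$remote_addr via $realip_remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';

    server {
        listen 80;
        server_name app.mydomain.org;

        access_log /var/log/nginx/mylogs.mydomain.org.access.log realipLog;
        error_log  /var/log/nginx/mylogs.mydomain.org.error.log;

        # Assumed rule of the kind that produced the "access forbidden by rule"
        # entry quoted above; the entry now names the real client.
        location ~ /\.git {
            deny all;
        }
    }
}
```

Requests that arrive from any address other than 192.168.1.20 keep their TCP peer address, whatever X-Real-IP header they carry.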
Real client IP in the error logs when a server is behind a reverse proxy
Hello,

I have a real server placed behind my reverse proxy

www server 192.168.1.10 <---> 192.168.1.20 reverse proxy <---> NAT Firewall <---> Internet <---> Client on Internet

My configuration on my reverse proxy (192.168.1.20) looks like that

    location ^~ / {
        proxy_pass http://192.168.1.10:80;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer "http://app.mydomain.org";
    }

My configuration on my www server (192.168.1.10) on the vhost looks like that

    server {
    ...
    access_log /var/log/nginx/mylogs.mydomain.org.access.log xforwardedLog;
    error_log /var/log/nginx/mylogs.mydomain.org.error.log;

and in nginx.conf

    http {
    ...
    log_format xforwardedLog '$remote_addr forwarded for $http_x_real_ip - $remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent"';

On my www server 192.168.1.10 I can see the access logs

    192.168.1.20 forwarded for 54.38.10x.x - - [30/Jun/2022:13:44:38 +0200] "GET / HTTP/1.0" 200 7112 "http://app.mydomain.org" "Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1"

And it works correctly for me because I can see the IP of the user on the Internet

But on the error.log I don't see the IP of the user on the Internet

    2022/06/28 16:12:27 [error] 45747#0: *11 access forbidden by rule, client: 192.168.1.20, server: app.mydomain.org, request: "GET /.git/config HTTP/1.0", host: " ", referrer: "http://app.mydomain.org"

So here as you can see in the logs my client 192.168.1.20 is the reverse proxy and not the client on the Internet

So in access logs
http://nginx.org/en/docs/http/ngx_http_log_module.html
I can get the IP of the Internet use

How can I get the IP of the Internet user when it generates an error log ?

Thank you
Re: Capture clear text with Nginx reverse proxy
Thank you for your answer Stuart.

I'm on an Openbsd platform and it's not available for it. It seems to me a bit complicated because I'll have to insert it between the Nginx reverse proxy and the end server.

Have you used it ?

On Sunday, 5 May 2019 at 04:01:54 UTC+2, Andrew Stuart wrote:

>> Is there a way to see in clear text what is exchanged between the Nginx
>> reverse proxy and the server ?

Maybe something like this?

https://mitmproxy.org/
Reverse proxy and 502 bad gateway
Hello,

I'm successfully accessing a server/site behind my reverse proxy with the following URL
https://app.mydomain.org/screens/dashboard.html#/MainDashboard

But the following URL gives a 502 Bad Gateway
https://app.mydomain.org/screens/webui/resource/swccopolldata.json

I don't understand why beyond resource it sends me an error 502. Does anyone have an idea about what's wrong ?

My Nginx config looks like this

    upstream backend-app {
        server 192.168.0.2:443;
    }

    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen 4443 ssl;
        listen [::]:4443 ssl;
        listen [::]:443 ssl;
        server_name server_name app.mydomain.org;
        ...
        proxy_ssl_verify off;
        location / {
            try_files $uri @proxy;
            proxy_ssl_verify off;
            access_log /var/log/nginx/app.mydomain.org.access.log;
            error_log /var/log/nginx/app.mydomain.org.error.log;
        }
        location @proxy {
            proxy_pass https://backend-app;
        }
    }
Capture clear text with Nginx reverse proxy
Hello,

I often try to solve problems between Nginx and the server communicating in https

client <= https => Nginx <= https => server

And I don't have access to the server or it's a source code that is closed so it's not possible to troubleshoot there.

Is there a way to see in clear text what is exchanged between the Nginx reverse proxy and the server ?

Thank you
Re: avoid redirect
Hello Moshe,

Thank you very much for your quick and detailed answer.

Have a nice day !

On Sunday, 2 December 2018 at 23:57:25 UTC+1, Moshe Katz wrote:

Here is a sample working configuration from one of my servers. Note that it uses separate `server` blocks for HTTP and HTTPS to make it easier to read.

    server {
        listen 80;
        listen [::]:80;
        server_name server.example.com;
        location ~ /\.well-known {
            root /path/to/site;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name server.example.com;
        root /path/to/site;
        # rest of server config left out for brevity...
    }

Doing it this way has a side benefit if you have many sites running on a single server and you would like all of them to use LetsEncrypt and to be redirected to HTTPS.
You can change the HTTP `server` block to look like this:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        location ~ /\.well-known {
            # ALL LetsEncrypt authorizations will be done in this single shared folder.
            # This means you can issue the certificate using the LetsEncrypt command line
            # and then create the `server` block which already includes the correct path to the certificate.
            root /var/www/html;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

You then only need to create HTTPS `server` blocks for each site, which makes your configuration much simpler.

Moshe

--
Moshe Katz
-- kohenk...@gmail.com
-- +1(301)867-3732

On Sun, Dec 2, 2018 at 5:09 PM Moshe Katz wrote:

I believe you need to put the `return 301 ...` inside a location block too. Otherwise, it overrides all the location blocks.

I'm on my phone now, but I'll try to share a sample file from one of my servers (that works as you want it) when I get back to my computer.

Moshe

On Sun, Dec 2, 2018, 5:03 PM Mik J via nginx http://www.mydomain.org blog.mydomain.org;

        location ^~ /.well-known/acme-challenge {
            default_type "text/plain";
            root /var/www/letsencrypt;
        }
        location = /.well-known/acme-challenge/ {
            return 404;
        }
        return 301 https:// mydomain.org;
    }

My problem is that everything is redirected and I cannot access a file in /var/www/letsencrypt/.well-known/acme-challenge

When I comment the return 301 it works but I lose the redirection.

It seems to me that nginx parses everything where I would expect it to stop at

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

Does anyone know the trick ?
avoid redirect
Hello,

I'd like to be able to offer let's encrypt in port 80 only and redirect everything else to port 443

    server {
        listen 80;
        listen [::]:80;
        listen 443;
        listen [::]:443;
        server_name http://www.mydomain.org blog.mydomain.org;
        location ^~ /.well-known/acme-challenge {
            default_type "text/plain";
            root /var/www/letsencrypt;
        }
        location = /.well-known/acme-challenge/ {
            return 404;
        }
        return 301 https:// mydomain.org;
    }

My problem is that everything is redirected and I cannot access a file in /var/www/letsencrypt/.well-known/acme-challenge

When I comment the return 301 it works but I lose the redirection.

It seems to me that nginx parses everything where I would expect it to stop at

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

Does anyone know the trick ?
Re: Reverse proxy for multiple domains
Hello,

Sorry if I'm asking again a question on the same topic. I would like to know what is the best practice to set up a web proxy.

I do it like this
- 1 virtual host per application on the reverse proxy and the proxy_pass points to one IP+path
- 1 virtual host (default) for all applications on the backend server but one location stanza per application

The problem is that I meet many problems with installation of applications: magento, glpi, etc.

Is it the correct way to do it ?

On this reverse proxy I have a virtual host which looks like that

    server {
        listen 80;
        server_name application1.org;
        access_log /var/log/nginx/application1.org.access.log;
        error_log /var/log/nginx/application1.org.error.log;
        ...
        location ^~ / {
            proxy_pass http://10.1.1.10:80/app/application1/;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

On the web server behind the proxy I just have one virtual host which is the default one

    server {
        listen 80 default_server;
        server_name _;
        index index.html index.htm index.php;
        root /var/www/htdocs;
        location ^~ /app/application1 {
            root /var/www;
            index index.php;
            location ~ \.php$ {
                root /var/www;
                try_files $uri =404;
                fastcgi_pass unix:/run/php-fpm.application1.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }

On Wednesday, August 30, 2017 at 19:57:40 UTC+2, Francis Daly wrote:

On Sun, Aug 27, 2017 at 11:27:05AM +0000, Mik J via nginx wrote:

Hi there,

> > That's because the pages are called by the reverse proxy server
> > like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> > because it's in a private addressing
> Francis: I don't follow that last part. => I mean that the reverse proxy uses
> an IP to connect to the backend web server. If it used a fqdn, it has to
> resolve it, through a dns request

The backend web server can care about the IP:port you connect to, and the Host: header you send.

You can connect to 10.1.1.10:80 and send a Host: header of "app1" if you want to. No dns resolution involved.

Anyway, it sounds like you have this part working now; so that's good.

> I still have problems, the site doesn't display properly because it can't load
> a javascript

> The request for the javascript looks like
> that http://application1.org/?wooslider-javascript=load&t=1503832510&ver=1.0.0
> HTTP/1.1 It arrives on the backend server I see it in the logs (file specified
> in the stanza location)
> 10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET
> /app1/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1" 404 5
> "http://application1.org/"; "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0)
> Gecko/20100101 Firefox/54.0"

A request for /?some-thing came to nginx; nginx reverse-proxied the request as /app1/?same-thing. That is all you want nginx to do, so it is working.

If your back-end wordpress handles that request incorrectly, that is a question for your back-end wordpress configuration. People on this list who know about wordpress configuration are more likely to see the question if it is in a new thread with words like "wordpress" in the Subject: line.

(If the actual question is "why does my browser request /?some-thing instead of /thing.js ?", that might also be related to the back-end config.)

> Another question, if I want to set expires header, would it be better to do
> it on the reverse proxy or on the backend server ?

Again, I'd suggest that people who know about "wordpress" and "expires" are much more likely to see that question if it is in a thread with an obvious Subject: line.

Good luck with it!

f
-- 
Francis Daly fran...@daoine.org
Re: IPv6 does not work correctly with nginx
Hello Francis,

The port seems open but there is no ssl transaction.
When I did a simple tcpdump capture I saw syn then syn/ack, then ack.
The browser displays an error that the site is not accessible.

I forgot to say that I d-natted my IPv6 and the one I displayed is not a public IP.
I was wondering if nginx treats it differently

On Friday, January 5, 2018 at 12:26:20 UTC+1, Francis Daly wrote:

On Fri, Jan 05, 2018 at 01:04:52AM +, Mik J via nginx wrote:

Hi there,

> I'm trying to finish to configure nginx for ipv6
> listen [::]:443 ssl;
> doesn't work
> but
> listen [fc00:1:1::13]:443 ssl;
> works

"listen [::]:443 ssl;" seems to work for me.

What does "doesn't work" mean to you, specifically?

What does error log say?

f
-- 
Francis Daly fran...@daoine.org
IPv6 does not work correctly with nginx
Hello,

I'm trying to finish to configure nginx for ipv6

    listen [::]:443 ssl;

doesn't work but

    listen [fc00:1:1::13]:443 ssl;

works

I need to explicitly specify the ipv6 address whereas in ipv4 I don't need to

    # nginx -V
    nginx version: nginx/1.12.1

    server {
        listen 443 ssl;
    #   listen [::]:443 ssl;
        listen [fc00:1:1::13]:443 ssl;
        server_name test.mydomain.org;
        root /var/www/html;

    # ifconfig vmx0
    vmx0: flags=8843 mtu 1500
    ...inet6 fc00:1:1::13 prefixlen 64

Does someone know why ?

Thank you
Re: Reverse proxy for multiple domains
Hello Francis,

Thank you for your answer.
I've done many tests since then and yes indeed the problem came from the application => wordpress

It's necessary to define these two variables WP_HOME and WP_SITEURL or
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST']
in wp-config.php

From that question
> That's because the pages are called by the reverse proxy server
> like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> because it's in a private addressing
Francis: I don't follow that last part.
=> I mean that the reverse proxy uses an IP to connect to the backend web server. If it used a fqdn, it has to resolve it, through a dns request

I still have problems, the site doesn't display properly because it can't load a javascript

On the reverse proxy

    server {
        listen 80;
        listen 443 ssl;
        server_name application1.org;
        ...
        location / {
            location ~ /\.ht {
                deny all;
            }
            proxy_pass http://10.1.1.10/app1/;
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Set-Cookie;
        }

On the backend server

    server {
        listen 80 default_server;
        server_name _;
        index index.php;
        root /var/www/htdocs;
        ...
        location /app1 {
            root /var/www/htdocs/;
            access_log /var/log/nginx/app1.access.log xforwardedLog;
            error_log /var/log/nginx/app1.error.log;
            index index.php;
            try_files $uri $uri/ /app1/index.php$is_args$args;
            location ~ /\. {
                deny all;
            }
            gzip off;
            location ~ \.php$ {
                root /var/www/htdocs;
                try_files $uri =404;
                fastcgi_pass unix:/run/php-fpm.app1.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }

The request for the javascript looks like that
http://application1.org/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1
It arrives on the backend server I see it in the logs (file specified in the stanza location)

    10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET /app1/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1" 404 5 "http://application1.org/"; "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

If I access a file from the internet, it works fine
http://application1.org/wp-content/themes/Avada/images/divider-02.gif
So there's just a problem with the previous URL

Another question, if I want to set expires header, would it be better to do it on the reverse proxy or on the backend server ?

Regards

On Sunday, August 20, 2017 at 22:08, Francis Daly wrote:

On Fri, Aug 18, 2017 at 07:01:26AM +, Mik J via nginx wrote:

Hi there,

> What would you do if you had ?
> CLIENT <-> INTERNET <->Reverse_Proxy<->Web_Server

That is the normal case, is it not?

So just "use nginx as normal".

> On the web server I just use one default virtual host with multiple
> sections.

I think that if you configure your "back-end" server that way, you are more likely to have problems reverse proxying than if you configure "one virtual host = one application".

If you want to reverse-proxy an application installed at one part of its local url hierarchy, so that it looks like it is installed at another part of the url hierarchy, then it is your job to make sure that any part of the content returned that the client browser might interpret as a url on this server, is correctly relative to the "another part". (It presumably is by default relative to the "one part".)

Unless the application was written with a config option to make that job trivial, I think it is easier to have the "public" url and "private" url be the same.

On your system, you can configure it however you want to.

> That's because the pages are called by the reverse proxy server
> like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> because it's in a private addressing

I don't follow that last part.

It can use a hostname if you want it to use a hostname.

I expect that it will be easier for you if you use a hostname, or if you use two services listening on different ports.

> Is there a way that the reverse proxy connects to 10.1.1.10 but pretend
> the GET/POST queries use application1.org ?

If you can describe the http request that you want the client to make to nginx; and describe the matching http request that you want nginx to make to the back-end, it may be clearer what you mean.

> I'd pr
Re: Reverse proxy for multiple domains
Thank you Francis for your answer

Actually it does this with a simple index.html page

    # cat index.html
    TEST

What would you do if you had ?
CLIENT <-> INTERNET <->Reverse_Proxy<->Web_Server
On the web server I just use one default virtual host with multiple sections.

That's because the pages are called by the reverse proxy server like http://10.1.1.10:80/app/application1/; and it can't use a FQDN because it's in a private addressing

Is there a way that the reverse proxy connects to 10.1.1.10 but pretend the GET/POST queries use application1.org ?

I'd prefer my application would be accessible by www.application1.org than www.application1.org/app/application1 like right now

On Thursday, August 17, 2017 at 21:35, Francis Daly wrote:

On Thu, Aug 10, 2017 at 09:17:14PM +, Mik J via nginx wrote:

Hi there,

> I have application1.org and application2.org.
>
> The client requesting these URLs, arrives on the reverse proxy.
>
> On this reverse proxy I have a virtual host which looks like that
>
> server {
> server_name application1.org;
> location ^~ / {
> proxy_pass http://10.1.1.10:80/app/application1/;
> }
>
> And another virtual host for application2 which is similar with
>
> proxy_pass http://10.1.1.10:80/app/application2/;
>
>
> The server behind the reverse proxy is the same right now

> 1) Is it the right way to do this ?

I think that trying to reverse-proxy an application at a different part of the url tree to where the app thinks it is installed, is difficult.

So if application1 believes that it is installed at /app/application1, I would suggest to expose that to the world. (Or: if you want the world to see it at /, then configure the internal server so that it is at / there too.)

Then your external config is mostly just "proxy_pass http://10.1.1.10:80;";, possibly with "location = / { return 301 /application/app1/; }"

The *internal* config could probably have one server{} for each application as well.

> 2) When I access the application from Internet using application1.org, I am
> redirected to application1.org/app/application1 I don't know why. And I have
> to add one more section on the reverse proxy

> Is there a better way to do it ?

I'm not sure why that extra section is necessary, unless the "..." part of your config is important.

f
-- 
Francis Daly fran...@daoine.org
Reverse proxy for multiple domains
Nginx: 1.10.2

Hello,

I'm trying to get reverse proxy working with multiple domains

I have application1.org and application2.org.

The client requesting these URLs, arrives on the reverse proxy.

On this reverse proxy I have a virtual host which looks like that

    server {
        listen 80;
        server_name application1.org;
        access_log /var/log/nginx/application1.org.access.log;
        error_log /var/log/nginx/application1.org.error.log;
        ...
        location ^~ / {
            proxy_pass http://10.1.1.10:80/app/application1/;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

And another virtual host for application2 which is similar with

    proxy_pass http://10.1.1.10:80/app/application2/;

The server behind the reverse proxy is the same right now

On the web server behind the proxy I just have one virtual host which is the default one

    server {
        listen 80 default_server;
        server_name _;
        index index.html index.htm index.php;
        root /var/www/htdocs;

        location ^~ /app/application1 {
            root /var/www;
            index index.php;
            location ~ \.php$ {
                root /var/www;
                try_files $uri =404;
                fastcgi_pass unix:/run/php-fpm.application1.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }
        }

        location ^~ /app/application2 {
            root /var/www;
            index index.php;
            location ~ \.php$ {
                root /var/www;
                try_files $uri =404;
                fastcgi_pass unix:/run/php-fpm.application2.sock;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
            }
        }
    }

Questions:

1) Is it the right way to do this ?

2) When I access the application from Internet using application1.org, I am redirected to application1.org/app/application1 I don't know why. And I have to add one more section on the reverse proxy

    location ^~ /app/application1 {
        proxy_pass http://10.1.1.10:80/app/application1/;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Is there a better way to do it ?

Thank you
Re: Reverse proxy problem with an application
Hello BR,

Thank you for your answer and for the hints. I'll investigate further in that direction.
Have a nice week

On Wednesday, March 8, 2017 at 14:03, B.R. via nginx wrote:

This clearly looks like an application problem and not a nginx-related one.

nginx does not remove cookies nor, as the configuration snippet you shared suggests, handles authentication.

If you use DNS, make sure all requests are served by the instance of nginx you quote, including redirects which might happen on login (have a look at access logs). You can also investigate the content of cookies received either from downstream or upstream if you think it is related to your problem.

If you got a question on the nginx configuration this ML is here to help. Otherwise, you'll need to reroute your question where appropriate.
---
B. R.

On Mon, Mar 6, 2017 at 10:35 PM, Mik J via nginx wrote:

Hello,

I have run an application behind a nginx reverse proxy and I can't make it to work

a) if I access this application using https://1.1.1.1:443 it works (certificate warning)
b) if I access this application using https://myapp.mydomain.org, I get access to the login page

    location ^~ / {
        proxy_pass https://1.1.1.1:443;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-Content-Security-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-WebKit-CSP;
        proxy_hide_header content-security-policy;
        proxy_hide_header x-xss-protection;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
    }

c) I log in in the page and after some time (2/3 seconds) the application logs me out

When I log in directly case a) I notice that I have (firebug) Cookie
SaveStateCookie=root; APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

Whereas when I log in in case c) I have
APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

So I feel there's a problem with the session or something like that.
PS: There is only one backend server and I can't run plain http (disable https)

Does anyone have an idea ?
Reverse proxy problem with an application
Hello,

I have run an application behind a nginx reverse proxy and I can't make it to work

a) if I access this application using https://1.1.1.1:443 it works (certificate warning)
b) if I access this application using https://myapp.mydomain.org, I get access to the login page

    location ^~ / {
        proxy_pass https://1.1.1.1:443;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-Content-Security-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-WebKit-CSP;
        proxy_hide_header content-security-policy;
        proxy_hide_header x-xss-protection;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
    }

c) I log in in the page and after some time (2/3 seconds) the application logs me out

When I log in directly case a) I notice that I have (firebug) Cookie
SaveStateCookie=root; APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

Whereas when I log in in case c) I have
APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

So I feel there's a problem with the session or something like that.
PS: There is only one backend server and I can't run plain http (disable https)

Does anyone have an idea ?
Re: Reverse proxy should send server_name
Hello Francis,

Thank you very much.
Everything works fine.

Have a nice week

On Tuesday, November 22, 2016 at 21:55, Francis Daly wrote:

On Tue, Nov 22, 2016 at 06:51:28PM +, Mik J via nginx wrote:

Hi there,

> location ^~ / {
> proxy_pass http://10.1.1.1/service1;
> And it works but the
> request appears as if the client typed http://10.1.1.1/service1/ from the web
> server point of view

> What should I write on the reverse proxy so that the IP packet is sent to
> 10.1.1.1 but the HTTP GET request hits the virtual host service1.mydomain.org
> on the back end web server ?

Either use "proxy_set_header" (http://nginx.org/r/proxy_set_header) to set Host (and consider "proxy_redirect" too); or create an "upstream" called service1.mydomain.org and "proxy_pass" to that.

Note that if your "location" ends in /, you probably want your "proxy_pass" to end in / too.

Cheers,

f
-- 
Francis Daly fran...@daoine.org
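The two options from the reply above, written out as an added example (not configuration posted in the thread). The address 10.1.1.1 and the name service1.mydomain.org come from the question; service2.mydomain.org is a hypothetical second virtual host on the same backend, used only to show the alternative side by side.

```nginx
# Added example; not configuration from the thread.

# Option A: connect by IP address and set the Host header explicitly.
server {
    listen 80;
    server_name service1.mydomain.org;

    location / {
        # "location" ends in "/", so "proxy_pass" ends in "/" as well.
        proxy_pass http://10.1.1.1/;

        # A fixed value rather than $http_host: the backend's virtual host
        # selection then never depends on what the client put in Host.
        proxy_set_header Host service1.mydomain.org;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The backend now builds redirects with the public name, so the
        # default Location rewriting has nothing left to fix.
        proxy_redirect default;
    }
}

# Option B: an upstream group carrying the virtual host's name.
# nginx looks up upstream groups before DNS, so no resolution takes place,
# and the default Host sent upstream ($proxy_host) is the group name.
upstream service2.mydomain.org {      # hypothetical second service
    server 10.1.1.1:80;
}

server {
    listen 80;
    server_name service2.mydomain.org;

    location / {
        proxy_pass http://service2.mydomain.org/;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

On the backend, each name then needs its own "server" block with a matching "server_name"; requests with any other Host fall through to the default server.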
Reverse proxy should send server_name
Hello,

I don't know how to finalise my reverse proxy setup.

Client <--Internet-->Reverse_Proxy<--LAN-->Web_Server

When a client connects to FQDN, the request is followed to the IP address of the webserver such as

    location ^~ / {
        proxy_pass http://10.1.1.1/service1;

And it works but the request appears as if the client typed http://10.1.1.1/service1/ from the web server point of view

The problem comes when some applications on the web server behind the reverse proxy want to see the request as if the client typed http://service1.mydomain.org/

I would be tempted to write this on my reverse proxy

    location ^~ / {
        proxy_pass http://10.1.1.1/service1;

But it wouldn't work because the request would be dns solved and not sent to 10.1.1.1

What should I write on the reverse proxy so that the IP packet is sent to 10.1.1.1 but the HTTP GET request hits the virtual host service1.mydomain.org on the back end web server ?

Regards