Re: listen proxy_protocol and rewrite redirect scheme
On Thu, Sep 22, 2016 at 07:57:17AM -0400, adrhc wrote:

Hi there,

> I'm just a bit surprised that "port_in_redirect off" does not also
> work. But that's ok -- I'm often surprised.
> There's a "if" in src/http/ngx_http_header_filter_module.c which changes
> port's value from 443 to 0 when on ssl + port initially 443, so
> https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when
> port_in_redirect is off.

Ah, right, that makes sense.

As it happens, that is only necessary because your extra patch cares about when port=443. Potentially, a fuller solution to the "use https redirects even though this is http" question would not care about "port", and so "port_in_redirect" would not matter then.

But as I said: what you have works for you, and is therefore good as-is.

> "... but I don't know what is the set of conditions under which you would
> want this ssl-rewrite to happen, and how you would go about configuring
> that."
> I'm not sure I understand what you mean (my bad English); the entire setup
> is one allowing me to access my home server through the corporate firewall
> while not breaking what I already have (my web sites):

My intention was: *if* there were to be some directive or variable in nginx that could be set to get nginx to use https redirects even though nginx believes that the connection is over http; *then* how and where would that directive or variable be set?

Until the "then" has a clear answer, the "if" will not happen.

But also: it does not matter right now. You have an adequate solution for you; if someone else has the same problem and wants a fuller solution, they can worry about it then.

> "It looks like nobody else has had that particular use case ..."
> This seems odd to me; I'm sure I'm not the only guy starving for open ports
> to the internet (only 80 and 443 allowed) :D

Possibly other people came up with different solutions, or did not use nginx in the same way that you are using it.

Anyway - it is good that you found a solution, and thanks for having shared it.

Cheers,

f
-- 
Francis Daly        fran...@daoine.org

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: listen proxy_protocol and rewrite redirect scheme
I'm just a bit surprised that "port_in_redirect off" does not also work. But that's ok -- I'm often surprised.

There's a "if" in src/http/ngx_http_header_filter_module.c which changes port's value from 443 to 0 when on ssl + port initially 443, so https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when port_in_redirect is off.

"... but I don't know what is the set of conditions under which you would want this ssl-rewrite to happen, and how you would go about configuring that."

I'm not sure I understand what you mean (my bad English); the entire setup is one allowing me to access my home server through the corporate firewall while not breaking what I already have (my web sites):

browser (ssl) -> sshttp:443 -> stunnel:1443 -> nginx:443 (listen proxy_protocol, no ssl)

ssh client -> sshttp:443 -> ssh:22 -> ssh traffic detectable by firewall (I don't want that)

ssh client -> stunnel in client mode:local-custom-port -> sshttp:443 -> stunnel:1443 -> ssh:22 -> firewall sees only ssl traffic (better)

See https://adrhc.go.ro/wordpress/ssh-http-and-https-multiplexing/ for instructions on the full setup.

"It looks like nobody else has had that particular use case ..."

This seems odd to me; I'm sure I'm not the only guy starving for open ports to the internet (only 80 and 443 allowed) :D

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269748#msg-269748
Re: listen proxy_protocol and rewrite redirect scheme
On Wed, Sep 21, 2016 at 03:25:04AM -0400, adrhc wrote:

Hi there,

> Indeed the solution might look strange but it works (test it with e.g. https
> or http ://adrhc.go.ro/ffp).

It is good that it works.

The http redirect there does not include the port; the https redirect does include the port, and it is the default port for https. I'm just a bit surprised that "port_in_redirect off" does not also work. But that's ok -- I'm often surprised.

> It would be nicer if there existed a variable, let's say $override_ssl, to
> force nginx to consider it is running an ssl request, with all the consequences.

That variable will probably only exist after someone shows a need for it, and after someone does the work to write the code.

I think that your use case is reasonable -- hide nginx-doing-http behind an external ssl terminator -- but I don't know what is the set of conditions under which you would want this ssl-rewrite to happen, and how you would go about configuring that. (You want it sort-of per-server, but not really, since you only want it if proxy_protocol is in use and indicates that the initial request was https.)

It looks like nobody else has had that particular use case, and was willing to put the effort in to make it an nginx configurable.

> Again I thank you for your support.

You're welcome.

The patch you have, you can carry for as long as you need, so it not being added to stock nginx should not block you at all.

Cheers,

f
-- 
Francis Daly        fran...@daoine.org
Re: listen proxy_protocol and rewrite redirect scheme
Indeed the solution might look strange but it works (test it with e.g. https or http ://adrhc.go.ro/ffp).

It would be nicer if there existed a variable, let's say $override_ssl, to force nginx to consider it is running an ssl request, with all the consequences.

Again I thank you for your support.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269714#msg-269714
Re: listen proxy_protocol and rewrite redirect scheme
On Sat, Sep 17, 2016 at 03:41:34PM -0400, adrhc wrote:

Hi there,

> The final working setup:
>
> src/http/ngx_http_header_filter_module.c:
>     #if (NGX_HTTP_SSL)
>         if (c->ssl || port == 443) {
>             *b->last++ = 's';
>         }
>     #endif

This will work in your circumstances -- you compile with ssl (although you don't appear to use it); and your proxy_protocol means that "port" is presented as 443. So you should be able to carry this patch for as long as you need it.

It won't work in general, because of the various circumstances and lack of configurability. But that's not a problem here :-)

> In order to work nginx needs this config:
> server {
>     listen 127.0.0.1:443 proxy_protocol;
>     port_in_redirect on;

I'm not sure why the port_in_redirect should be needed; but you've tested it and it works as-is, so it can be left that way.

> fastcgi_params:
>     fastcgi_param HTTPS "on";
>     fastcgi_param SERVER_PORT "443";

"HTTPS" tells php to ensure that links are to the https url; I would have thought that SERVER_PORT would have been handled by the proxy_protocol thing. But again: this works for you, and that is what matters here.

Good that you found a solution, and thanks for sharing it so that those who search the archive have something to refer to.

Cheers,

f
-- 
Francis Daly        fran...@daoine.org
Re: listen proxy_protocol and rewrite redirect scheme
I'm sorry for the babble above, but the sources of errors are too many. In the previous post the problem was php (e.g. phpMyAdmin).

The final working setup:

src/http/ngx_http_header_filter_module.c:
    #if (NGX_HTTP_SSL)
        if (c->ssl || port == 443) {
            *b->last++ = 's';
        }
    #endif

In order to work nginx needs this config:
server {
    listen 127.0.0.1:443 proxy_protocol;
    port_in_redirect on;

stunnel.conf:
    [tls to http]
    sni = tls:*
    connect = 127.0.0.1:443
    protocol = proxy

fastcgi_params:
    # http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more
    fastcgi_param HTTPS "on";
    fastcgi_param SERVER_PORT "443";

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269646#msg-269646
Re: listen proxy_protocol and rewrite redirect scheme
Hi, I'm sorry for the babble above, but there are so many points of failure and the setup is so complex. The last problem was php (e.g. phpMyAdmin). Anyway, now it really works this way:

src/http/ngx_http_header_filter_module.c:
    #if (NGX_HTTP_SSL)
        if (c->ssl || port == 443) {
            *b->last++ = 's';
        }
    #endif

nginx.conf:
server {
    listen 127.0.0.1:443 proxy_protocol;
    port_in_redirect on;

stunnel configuration:
    [tls]
    accept = 192.168.1.31:1443
    connect = 127.0.0.1:1080
    protocol = proxy

    [ssh]
    sni = tls:ssh.go.ro
    ...

    [tls to any http]
    sni = tls:*
    connect = 127.0.0.1:443
    protocol = proxy

fastcgi_params:
    fastcgi_param HTTPS "on";
    fastcgi_param SERVER_PORT "443";

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269647#msg-269647
Re: listen proxy_protocol and rewrite redirect scheme
Well, it works partially; sometimes (in scarce cases) the redirect still uses http ... this happens even with:

    #if (NGX_HTTP_SSL)
    // if (c->ssl || port != 80) {
        *b->last++ = 's';
    // }
    #endif

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269645#msg-269645
Re: listen proxy_protocol and rewrite redirect scheme
Hi, I'm sorry, but I mistakenly claimed that the patch works:

    #if (NGX_HTTP_SSL)
        if (c->ssl || port == 443) {
            *b->last++ = 's';
        }
    #endif

In order to work nginx needs this config:
server {
    listen 127.0.0.1:443 proxy_protocol;
    port_in_redirect on;

and stunnel:
    [tls to http]
    sni = tls:*
    connect = 127.0.0.1:443
    protocol = proxy

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269644#msg-269644
Re: listen proxy_protocol and rewrite redirect scheme
Hi, thank you for the hints. Starting from your suggestion I modified src/http/ngx_http_header_filter_module.c like this:

    #if (NGX_HTTP_SSL)
        if (c->ssl || port == 443) {
            *b->last++ = 's';
        }
    #endif

and it works! But it works hand in hand with this nginx configuration (in order to keep the original request's port, 443 for me):

    port_in_redirect off;

and it's important for the initial request to come with port 443. For me the flow is: request:443 goes to sshttp:444, then stunnel:1443, and in the end to nginx (listen 127.0.0.1:1080 proxy_protocol).

This affects every server where the port evaluates to 443, which is not perfect (in odd but possible situations 443 could be a non-ssl port, or someone would want this for other ports too). A perfect solution, I think, would be one where nginx would allow me to somehow overwrite the "c->ssl" above with a custom nginx variable, let's say $https_override (on = force c->ssl to evaluate to true; I guess "c->ssl" takes its value from $https, that's why $https_override ...).

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269643#msg-269643
Re: listen proxy_protocol and rewrite redirect scheme
On Sat, Sep 17, 2016 at 03:11:20AM -0400, adrhc wrote:

Hi there,

> Oh, and I only want this change to apply to servers with "listen ...
> proxy_protocol" but not otherwise ...

That makes the initial code-change suggestion (where *all* adjusted Location: headers would be https) insufficient.

If you decide that you want to provide the code to allow this feature, then it might still be a useful first step, to learn whether that one change is enough to have the desired output. After that, you can worry about how best you should set your configuration to enable it selectively.

Note that http://nginx.org/r/listen suggests that proxy_protocol is a parameter to the listen directive, which suggests that you could have both

    listen 8000;
    listen 8001 proxy_protocol;

in the same server{} block; so whatever configuration you choose may need to distinguish between "do https redirect here", and "do https redirect here only if proxy_protocol was used". (I have not used proxy_protocol, just read those docs.)

That is not impossible, but is another wrinkle that would have to be designed correctly for if the patch were to be accepted into stock nginx, I suspect.

Of course, if you are carrying your own patch, you don't have to care whether it is acceptable to anyone else. So -- if you know that your server{}s will either have proxy_protocol on all listen:s or on none, then you could patch things so that the https redirection is just configured per-server.

Good luck with it,

f
-- 
Francis Daly        fran...@daoine.org
Re: listen proxy_protocol and rewrite redirect scheme
On Sat, Sep 17, 2016 at 02:36:31AM -0400, adrhc wrote:

Hi there,

> yep, that's exactly my problem:
> "... but that will not help internally-generated things like the
> trailing-slash redirect for directories."
>
> I'll check your solution though I'm very open for others too :D

If you care only about the internally-generated trailing-slash redirects, then you could try to add something like (lifted from a parallel thread)

    if (-d $request_filename) {
        rewrite [^/]$ https://$host$uri/ permanent;
    }

into places where the trailing-slash redirect might happen.

If there are any other http-not-https redirections that you see, possibly they could be investigated as they arise.

At least, that would avoid you patching the source.

Cheers,

f
-- 
Francis Daly        fran...@daoine.org
Re: listen proxy_protocol and rewrite redirect scheme
Oh, and I only want this change to apply to servers with "listen ... proxy_protocol" but not otherwise ...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269640#msg-269640
Re: listen proxy_protocol and rewrite redirect scheme
yep, that's exactly my problem:
"... but that will not help internally-generated things like the trailing-slash redirect for directories."

I'll check your solution though I'm very open for others too :D

PS: I do compile my own custom nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269623,269636#msg-269636
Re: listen proxy_protocol and rewrite redirect scheme
On Fri, Sep 16, 2016 at 11:12:16AM -0400, adrhc wrote:

Hi there,

> the browser request (https on 443) is received by sshttp which sends it to
> stunnel:1443 which proxies it to nginx:1080.
> When nginx receives the request it has $scheme = "http"; so, for any rewrite
> with "permanent" or "redirect" the Location header uses "http" while I
> really need the "https" scheme.
>
> Is there any way of forcing nginx to change $scheme according to my will?
> Or at least to generate the Location header with no scheme or with my
> desired scheme?

I think that stock nginx does not have a way to do this.

For any "rewrite" that you create, you can explicitly include "https://" at the start -- but that will not help internally-generated things like the trailing-slash redirect for directories.

If you want those, and your nginx is not doing its own ssl, I think you would need a code change to get https: in the Location headers.

Not tested, but I suspect that removing four lines from src/http/ngx_http_header_filter_module.c so that "*b->last++ = 's';" is always called, might be enough for your newly-compiled nginx to always redirect to https.

A proper fix would presumably involve a more general config option so that it is selectable.

Cheers,

f
-- 
Francis Daly        fran...@daoine.org
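The problem opened in this first message (nginx sees $scheme = "http" and writes http:// into Location) and the setup that eventually fixed it (stunnel with "protocol = proxy" in front of "listen 127.0.0.1:443 proxy_protocol", plus the patched header filter) are awkward to verify from a browser, because the browser only ever sees the TLS side. The script below is an added example written for this page; it is not code from the posts, from nginx or from stunnel. It talks to the plain-HTTP nginx listener the way stunnel does: it sends a PROXY protocol v1 line first, then a request, and reports the scheme of the Location header that comes back. The addresses 127.0.0.1:443, 203.0.113.7:51234 and 192.168.1.31:443, the host adrhc.go.ro and the path /ffp are assumptions for illustration, and the sample responses used to exercise the parser are constructed, not captured from the thread's server.

```python
"""Probe which scheme nginx puts in Location behind a PROXY-protocol front end.

Added example for this thread; not code from the original posts, nginx or stunnel.
stunnel's "protocol = proxy" prefixes each forwarded connection with a PROXY protocol
v1 line, so this probe does the same and then sends a plain HTTP request to the
"listen ... proxy_protocol" server, which is exactly what nginx sees in the posted setup.
"""
import re
import socket
from typing import Optional, Tuple

Addr = Tuple[str, int]

# Assumed addresses for illustration (not taken from the original posts).
NGINX_ADDR: Addr = ("127.0.0.1", 443)       # nginx: listen 127.0.0.1:443 proxy_protocol
FAKE_CLIENT: Addr = ("203.0.113.7", 51234)  # what stunnel would report as the client
FAKE_SERVER: Addr = ("192.168.1.31", 443)   # what stunnel would report as its own side


def proxy_v1_header(src: Addr, dst: Addr) -> bytes:
    """Build a PROXY protocol v1 line: 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    family = "TCP6" if ":" in src[0] else "TCP4"
    return f"PROXY {family} {src[0]} {dst[0]} {src[1]} {dst[1]}\r\n".encode("ascii")


def parse_proxy_v1_header(line: bytes) -> Tuple[str, Addr, Addr]:
    """Parse a v1 line back into (family, src, dst); reject anything malformed."""
    if len(line) > 107 or not line.endswith(b"\r\n"):   # 107 bytes is the v1 maximum
        raise ValueError("not a PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a PROXY v1 header")
    return parts[1], (parts[2], int(parts[4])), (parts[3], int(parts[5]))


def http_request(host: str, path: str) -> bytes:
    """Minimal HTTP/1.0 GET; the Host header selects the server{} block in nginx."""
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def location_scheme(raw: bytes) -> Tuple[int, Optional[str], Optional[str]]:
    """Return (status, scheme, location) from a raw HTTP response.

    scheme is None when there is no Location header or when it is not absolute.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    if location is None:
        return status, None, None
    m = re.match(r"([a-z][a-z0-9+.-]*)://", location, re.IGNORECASE)
    return status, (m.group(1).lower() if m else None), location


def probe(host: str, path: str, nginx: Addr = NGINX_ADDR,
          client: Addr = FAKE_CLIENT, server: Addr = FAKE_SERVER):
    """Connect to nginx the way stunnel would and report the scheme of its redirect."""
    with socket.create_connection(nginx, timeout=5) as sock:
        sock.sendall(proxy_v1_header(client, server) + http_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return location_scheme(b"".join(chunks))


if __name__ == "__main__":
    # Live check on the nginx host, assuming /ffp is a directory so nginx answers
    # with its trailing-slash redirect: stock nginx gives http://..., the patched
    # build from the thread gives https://...
    print(probe("adrhc.go.ro", "/ffp"))
```

Run it on the nginx host itself, since it deliberately bypasses sshttp and stunnel and speaks to the 127.0.0.1 listener directly. That is also the security point worth keeping in mind with this setup: nginx trusts whatever PROXY line arrives on a proxy_protocol listener, so the listener must stay bound to 127.0.0.1 as in the posted config (or be otherwise unreachable except from stunnel), or any host that can reach the port can present an arbitrary client address exactly as this probe does.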