Re: listen proxy_protocol and rewrite redirect scheme

2016-09-25 Thread Francis Daly
On Thu, Sep 22, 2016 at 07:57:17AM -0400, adrhc wrote:

Hi there,

> I'm just a bit surprised that "port_in_redirect off" does not also
> work. But that's ok -- I'm often surprised.
> There's a "if" in src/http/ngx_http_header_filter_module.c which changes
> port's value from 443 to 0 when on ssl + port initially 443 so
> https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when
> port_in_redirect is off.

Ah, right, that makes sense.

As it happens, that is only necessary because your extra patch cares
about when port=443. Potentially, a fuller solution to the "use https
redirects even though this is http" question would not care about "port",
and so "port_in_redirect" would not matter then.

But as I said: what you have works for you, and is therefore good as-is.

> "... but I don't know what is the set of conditions under which you would
> want this ssl-rewrite to happen, and how you would go about configuring
> that."
> I'm not sure I understand what you mean (my bad English); the entire setup
> is one allowing me to access my home server through the corporate firewall
> while not breaking what I already have (my web sites):

My intention was: *if* there were to be some directive or variable in
nginx that could be set to get nginx to use https redirects even though
nginx believes that the connection is over http; *then* how and where
would that directive or variable be set?

Until the "then" has a clear answer, the "if" will not happen.

But also: it does not matter right now. You have an adequate solution for
you; if someone else has the same problem and wants a fuller solution,
they can worry about it then.

> "It looks like nobody else has had that particular use case ..."
> This seems odd to me; I'm sure I'm not the only guy starving for open ports
> to the internet (only 80 and 443 allowed) :D

Possibly other people came up with different solutions, or did not use
nginx in the same way that you are using it.

Anyway - it is good that you found a solution, and thanks for having
shared it.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx


Re: listen proxy_protocol and rewrite redirect scheme

2016-09-22 Thread adrhc
I'm just a bit surprised that "port_in_redirect off" does not also
work. But that's ok -- I'm often surprised.
There's a "if" in src/http/ngx_http_header_filter_module.c which changes
port's value from 443 to 0 when on ssl + port initially 443 so
https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when
port_in_redirect is off.

"... but I don't know what is the set of conditions under which you would
want this ssl-rewrite to happen, and how you would go about configuring
that."
I'm not sure I understand what you mean (my bad English); the entire setup
is one allowing me to access my home server through the corporate firewall
while not breaking what I already have (my web sites):
browser (ssl) -> sshttp:443 -> stunnel:1443 -> nginx:443:listen proxy_protocol:no ssl
ssh client -> sshttp:443 -> ssh:22 -> ssh traffic detectable by firewall (I don't want that)
ssh client -> stunnel in client mode:local-custom-port -> sshttp:443 -> stunnel:1443 -> ssh:22 -> firewall sees only ssl traffic (better)
See https://adrhc.go.ro/wordpress/ssh-http-and-https-multiplexing/ for
instructions on full setup.

"It looks like nobody else has had that particular use case ..."
This seems odd to me; I'm sure I'm not the only guy starving for open ports
to the internet (only 80 and 443 allowed) :D

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269748#msg-269748

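As an added example (not code from the thread or from nginx itself), here is a small C model of the Location-header logic the messages above discuss. It shows why the one-line patch needs port_in_redirect on and why the resulting https redirect carries ":443": the port is adjusted before the scheme is chosen, so with port_in_redirect off the patched condition sees port 0 and falls back to http. The stock logic is reconstructed from the fragments quoted in the thread (an assumption, not copied from the source); the host and URI are taken from the thread for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the absolute "Location:" header built in nginx's
 * ngx_http_header_filter_module.c for a redirect such as /ffp -> /ffp/.
 * Assumption: the stock logic is reconstructed from the fragments quoted in
 * the thread (the 443/80 -> 0 "if" and the *b->last++ = 's' line). */
/* port_in_redirect on: the scheme's default port (443 under ssl, 80 otherwise)
 * is zeroed so it is not printed; off: the port is always zeroed. */
static unsigned redirect_port(int ssl, unsigned local_port, int port_in_redirect)
{
    if (!port_in_redirect) {
        return 0;
    }
    return (local_port == (ssl ? 443u : 80u)) ? 0 : local_port;
}
/* Writes "Location: http[s]://host[:port]uri". patched != 0 applies the
 * thread's change: https when c->ssl || port == 443, checked on the port
 * *after* the adjustment above. Returns 0, or -1 if out is too small. */
int build_location(int ssl, unsigned local_port, int port_in_redirect,
                   int patched, const char *host, const char *uri,
                   char *out, size_t outlen)
{
    unsigned port = redirect_port(ssl, local_port, port_in_redirect);
    int https = patched ? (ssl || port == 443) : ssl;
    int n;
    if (port) {
        n = snprintf(out, outlen, "Location: http%s://%s:%u%s",
                     https ? "s" : "", host, port, uri);
    } else {
        n = snprintf(out, outlen, "Location: http%s://%s%s",
                     https ? "s" : "", host, uri);
    }
    return (n > 0 && (size_t) n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed cases; host and URI are taken from the thread as samples. */
    static const struct { int ssl, port, pir, patched; } cases[] = {
        { 0, 443, 1, 0 },  /* stock nginx behind stunnel: http://host:443/ */
        { 0, 443, 1, 1 },  /* the thread's working setup: https://host:443/ */
        { 0, 443, 0, 1 },  /* port_in_redirect off: port zeroed, http again */
        { 1, 443, 1, 1 },  /* nginx terminating TLS itself: https, no port */
    };
    char buf[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        build_location(cases[i].ssl, (unsigned) cases[i].port, cases[i].pir,
                       cases[i].patched, "adrhc.go.ro", "/ffp/", buf, sizeof buf);
        printf("ssl=%d port=%d port_in_redirect=%d patched=%d -> %s\n",
               cases[i].ssl, cases[i].port, cases[i].pir, cases[i].patched, buf);
    }
    return 0;
}
```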


Re: listen proxy_protocol and rewrite redirect scheme

2016-09-21 Thread Francis Daly
On Wed, Sep 21, 2016 at 03:25:04AM -0400, adrhc wrote:

Hi there,

> Indeed the solution might look strange but it works (test it with e.g. https
> or http ://adrhc.go.ro/ffp).

It is good that it works.

The http redirect there does not include the port; the https redirect
does include the port, and it is the default port for https.

I'm just a bit surprised that "port_in_redirect off" does not also
work. But that's ok -- I'm often surprised.

> It would be nicer if there existed a variable, let's say $override_ssl, to
> force nginx to consider that it is running an ssl request with all the consequences.

That variable will probably only exist after someone shows a need for it,
and after someone does the work to write the code.

I think that your use case is reasonable -- hide nginx-doing-http
behind an external ssl terminator -- but I don't know what is the set
of conditions under which you would want this ssl-rewrite to happen,
and how you would go about configuring that.

(You want it sort-of per-server, but not really, since you only want
it if proxy_protocol is in use and indicates that the initial request
was https.)

It looks like nobody else has had that particular use case, and was
willing to put the effort in to make it an nginx configurable.

> Again I thank you for your support.

You're welcome. The patch you have, you can carry for as long as you need,
so it not being added to stock nginx should not block you at all.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-21 Thread adrhc
Indeed the solution might look strange but it works (test it with e.g. https
or http ://adrhc.go.ro/ffp).
It would be nicer if there existed a variable, let's say $override_ssl, to
force nginx to consider that it is running an ssl request with all the consequences.
Again I thank you for your support.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269714#msg-269714



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-20 Thread Francis Daly
On Sat, Sep 17, 2016 at 03:41:34PM -0400, adrhc wrote:

Hi there,

> The final working setup:
> 
> src/http/ngx_http_header_filter_module.c:
> #if (NGX_HTTP_SSL)
> if (c->ssl || port == 443) {
> *b->last++ ='s';
> }
> #endif

This will work in your circumstances -- you compile with ssl (although
you don't appear to use it); and your proxy_protocol means that "port"
is presented as 443.

So you should be able to carry this patch for as long as you need it.

It won't work in general, because of the various circumstances and lack
of configurability. But that's not a problem here :-)

> In order to work nginx needs this config:
>   server {
>   listen 127.0.0.1:443 proxy_protocol;
>   port_in_redirect on;

I'm not sure why the port_in_redirect should be needed;
but you've tested it and it works as-is, so it can be left that way.

> fastcgi_params:
> fastcgi_param HTTPS "on";
> fastcgi_param SERVER_PORT "443";

"HTTPS" tells php to ensure that links are to the https url; I would have
thought that SERVER_PORT would have been handled by the proxy_protocol
thing. But again: this works for you, and that is what matters here.
 
Good that you found a solution, and thanks for sharing it so that those
who search the archive have something to refer to.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
I'm sorry for the babble above but the sources of errors are too many.
In the previous post the problem was php (e.g. phpMyAdmin).

The final working setup:

src/http/ngx_http_header_filter_module.c:
#if (NGX_HTTP_SSL)
if (c->ssl || port == 443) {
*b->last++ ='s';
}
#endif

In order to work nginx needs this config:
server {
listen 127.0.0.1:443 proxy_protocol;
port_in_redirect on;

stunnel.conf: 
[tls to http] 
sni = tls:* 
connect = 127.0.0.1:443 
protocol = proxy

fastcgi_params:
# http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more
fastcgi_param HTTPS "on";
fastcgi_param SERVER_PORT "443";

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269646#msg-269646



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
Hi, I'm sorry for the babble above but there are so many points of failure
and the setup is so complex.
The last problem was php (e.g. phpMyAdmin).

Anyway, now it really works this way:

src/http/ngx_http_header_filter_module.c: 
#if (NGX_HTTP_SSL) 
if (c->ssl || port == 443) { 
*b->last++ ='s'; 
} 
#endif 

nginx.conf:
server {
listen 127.0.0.1:443 proxy_protocol;
port_in_redirect on;

stunnel configuration: 
[tls] 
accept = 192.168.1.31:1443
connect = 127.0.0.1:1080 
protocol = proxy 
[ssh] 
sni = tls:ssh.go.ro 
... 
[tls to any http]
sni = tls:*
connect = 127.0.0.1:443
protocol = proxy

fastcgi_params:
fastcgi_param HTTPS "on";
fastcgi_param SERVER_PORT "443";

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269647#msg-269647



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
Well, it works partially; sometimes (scarce cases) the redirect still uses
http ...

this happens even with:

#if (NGX_HTTP_SSL) 
// if (c->ssl || port != 80) { 
*b->last++ ='s'; 
// } 
#endif

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269645#msg-269645



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
Hi, I'm sorry but I mistakenly claimed that the patch works:

#if (NGX_HTTP_SSL) 
if (c->ssl || port == 443) { 
*b->last++ ='s'; 
} 
#endif 

In order to work nginx needs this config:
server {
listen 127.0.0.1:443 proxy_protocol;
port_in_redirect on;

and stunnel:
[tls to http]
sni = tls:*
connect = 127.0.0.1:443
protocol = proxy

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269644#msg-269644



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
Hi, thank you for the hints. 
Starting from your suggestion I modified
src/http/ngx_http_header_filter_module.c like this:

#if (NGX_HTTP_SSL)
if (c->ssl || port == 443) {
*b->last++ ='s';
}
#endif

and it works!

But it works hand in hand with this nginx configuration (in order to keep
the original request's port: 443 for me):
port_in_redirect off;

and it's important for the initial request to come with 443 port. For me the
flow is: request:443 go to sshttp:444 then stunnel:1443 and in the end to
nginx (listen 127.0.0.1:1080 proxy_protocol).

This affects every server where the port is evaluated to 443, which is not
perfect (in an odd but possible situation 443 could be a non-ssl port, or
someone would simply want this for other ports too).

A perfect solution I think would be one where nginx would allow me to
overwrite somehow the "c->ssl" above with an nginx custom variable, let's say
$https_override (on = force c->ssl to evaluate to true; I guess "c->ssl"
takes its value from $https, that's why $https_override ...).

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269643#msg-269643



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread Francis Daly
On Sat, Sep 17, 2016 at 03:11:20AM -0400, adrhc wrote:

Hi there,

> Oh, and I only want this change to apply to servers with "listen ...
> proxy_protocol" but not otherwise ...

That makes the initial code-change suggestion (where *all* adjusted
Location: headers would be https) insufficient.

If you decide that you want to provide the code to allow this feature,
then it might still be a useful first step, to learn whether that one
change is enough to have the desired output.

After that, you can worry about how best you should set your configuration
to enable it selectively.

Note that http://nginx.org/r/listen suggests that proxy_protocol is a
parameter to the listen directive, which suggests that you could have both

  listen 8000;
  listen 8001 proxy_protocol;

in the same server{} block; so whatever configuration you choose may need
to distinguish between "do https redirect here", and "do https redirect
here only if proxy_protocol was used".

(I have not used proxy_protocol, just read those docs.)

That is not impossible, but is another wrinkle that would have to be
designed correctly for if the patch were to be accepted into stock nginx,
I suspect.

Of course, if you are carrying your own patch, you don't have to care
whether it is acceptable to anyone else. So -- if you know that your
server{}s will either have proxy_protocol on all listen:s or on none,
then you could patch things so that the https redirection is just
configured per-server.

Good luck with it,

f
-- 
Francis Daly  fran...@daoine.org



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread Francis Daly
On Sat, Sep 17, 2016 at 02:36:31AM -0400, adrhc wrote:

Hi there,

> yep, that's exactly my problem:
> "... but that will not help internally-generated things like the
> trailing-slash redirect for directories."
> 
> I'll check your solution though I'm very open to others too :D

If you care only about the internally-generated trailing-slash redirects,
then you could try to add something like (lifted from a parallel thread)

  if (-d $request_filename) {
rewrite [^/]$ https://$host$uri/ permanent;
  }

into places where the trailing-slash redirect might happen.

If there are any other http-not-https redirections that you see, possibly
they could be investigated as they arise.

At least, that would avoid you patching the source.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-17 Thread adrhc
Oh, and I only want this change to apply to servers with "listen ...
proxy_protocol" but not otherwise ...

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269640#msg-269640



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-16 Thread adrhc
yep, that's exactly my problem:
"... but that will not help internally-generated things like the
trailing-slash redirect for directories."

I'll check your solution though I'm very open to others too :D

PS: I do compile my own custom nginx

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269636#msg-269636



Re: listen proxy_protocol and rewrite redirect scheme

2016-09-16 Thread Francis Daly
On Fri, Sep 16, 2016 at 11:12:16AM -0400, adrhc wrote:

Hi there,

> the browser request (https on 443) is received by sshttp which sends it to
> stunnel:1443 which proxies it to nginx:1080.
> When nginx receives the request it has $scheme = "http"; so, for any rewrite
> with "permanent" or "redirect" the Location header uses "http" while I
> really need the "https" scheme.
> 
> Is there any way to force nginx to change $scheme according to my will?
> Or at least to generate the Location header with no scheme or with my
> desired scheme?

I think that stock nginx does not have a way to do this.

For any "rewrite" that you create, you can explicitly include "https://"
at the start -- but that will not help internally-generated things like
the trailing-slash redirect for directories.

If you want those, and your nginx is not doing its own ssl, I think you
would need a code change to get https: in the Location headers.

Not tested, but I suspect that removing four lines from
src/http/ngx_http_header_filter_module.c so that "*b->last++ ='s';" is
always called, might be enough for your newly-compiled nginx to always
redirect to https.

A proper fix would presumably involve a more general config option so
that it is selectable.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org



listen proxy_protocol and rewrite redirect scheme

2016-09-16 Thread adrhc
Hi, I have this setup:

the browser request (https on 443) is received by sshttp which sends it to
stunnel:1443 which proxies it to nginx:1080.
When nginx receives the request it has $scheme = "http"; so, for any rewrite
with "permanent" or "redirect" the Location header uses "http" while I
really need the "https" scheme.

Is there any way to force nginx to change $scheme according to my will?
Or at least to generate the Location header with no scheme or with my
desired scheme?

Thank you

nginx configuration:
server {
listen 127.0.0.1:1080 proxy_protocol;
port_in_redirect off;
server_name_in_redirect off;
...
}

stunnel configuration:
[tls]
accept = :1443
connect = 127.0.0.1:1080
protocol = proxy
[ssh]
sni = tls:tti.go.ro
...
[www on any]
sni = tls:*
connect = 127.0.0.1:1080
protocol = proxy

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,269623,269623#msg-269623
