Multiple reactapp using docker - docker

When I try to run multiple React apps using Docker and an nginx reverse proxy, I get the error: Upstream timed out while connecting to the upstream.
You can see the error in the screenshot below, taken from the nginx logs.
# Plain-HTTP listener: every request is answered with a permanent redirect to HTTPS.
server {
listen 80;
# $host is taken from the request (request line or Host header) and this block declares no
# server_name, so the redirect target follows whatever host name the client sent.
return 301 https://$host$request_uri;
}
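# TLS front end: terminates HTTPS and routes three path prefixes to three upstream apps.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name <Domain-ip>;

    # NOTE(review): the private key sits in conf.d next to the configuration; keep it readable
    # only by the account that starts nginx.
    ssl_certificate /etc/nginx/conf.d/cert.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl.key;

    # Response headers for everything this server answers.
    # NOTE(review): this Cache-Control marks every response, proxied HTML included, as publicly
    # cacheable for a year; confirm none of the three apps returns per-user content.
    add_header 'Cache-Control' "public, max-age=31536000";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    # Fixed: the header name was written with a trailing colon ("X-Content-Type-Options:"),
    # which is not the header name browsers look for.
    add_header X-Content-Type-Options "nosniff";

    location / {
        proxy_pass http://domainname:3000;
        #try_files $uri /index.html;
    }
    location /elderly {
        proxy_pass http://domainname:3001;
        #try_files $uri /index.html;
    }
    location /carer {
        proxy_pass http://domainname:3002;
        #try_files $uri /index.html;
    }

    # gzip text compression
    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    # Fixed: the terminating semicolon was missing, so the error_page line that follows was
    # parsed as further gzip_types arguments and no error page was configured.
    gzip_types text/plain application/x-javascript text/xml text/css application/xml application/javascript;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Long-lived caching for static assets.
    # nginx inherits add_header from the server level only into a location that declares none
    # of its own. This location sets Cache-Control, so the HSTS and nosniff headers are repeated
    # here; otherwise asset responses would go out without them.
    # NOTE(review): a matching regex location is chosen over the prefix locations above, and
    # this one has no proxy_pass, so asset requests are served from nginx's own root rather
    # than from the upstream apps. Confirm that is intended.
    location ~* \.(ico|css|js|webp|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ {
        expires 365d;
        add_header Cache-Control "public, max-age=31536000";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff";
    }
}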

Related

why i get 'Access-Control-Allow-Origin' header contains multiple values from nginx

i get the following message in my browser:
Access to XMLHttpRequest at 'myApidomain.de' from origin 'myorigindomain.de' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'myorigindomain.de, myorigindomain.de', but only one is allowed.
The message is clear. But it wasnt clear if you take a look at my nginx default.conf:
# PHP front controller behind FastCGI, with CORS response headers added by nginx.
server {
listen 8000 default_server;
listen [::]:8000 default_server ipv6only=on;
server_name localhost;
root /var/www/html/public;
index index.php index.html index.htm;
# NOTE(review): no set_real_ip_from is visible in this block; without a trusted-proxy list
# the realip module does not replace the client address. Confirm whether it is set elsewhere.
real_ip_header X-Forwarded-For;
# Server-level CORS headers. nginx inherits these only into a location or "if" block that
# declares no add_header of its own, so they do not apply inside the index.php location below.
add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS, PATCH, PUT' always;
add_header "Access-Control-Allow-Headers" "Authorization, v-access-header, Origin, X-Requested-With, Content-Type, Accept";
add_header 'Access-Control-Allow-Credentials' 'true';
location / {
try_files $uri /index.php$is_args$args;
}
location ~ ^/(index)\.php(/|$) {
#fastcgi_pass php-upstream;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# REMOTE_ADDR is filled from the X-Forwarded-For request header, which the client controls
# unless a trusted proxy in front overwrites it. Anything in the backend that uses REMOTE_ADDR
# for logging, rate limiting or access decisions receives that value.
# NOTE(review): the stock fastcgi_params file included below usually defines REMOTE_ADDR as
# well; verify which value the backend actually receives.
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
fastcgi_param DOCUMENT_ROOT $realpath_root;
#fixes timeouts
fastcgi_send_timeout 6000;
fastcgi_read_timeout 6000;
include fastcgi_params;
internal;
# Preflight branch: it sets no Access-Control-Allow-Origin, and the "return 204" is commented
# out, so OPTIONS requests are still passed to the PHP backend.
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PATCH, PUT' always;
add_header 'Access-Control-Allow-Headers' 'DNT,v-access-header,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Access-Control-Allow-Credentials' 'true';
#add_header 'Content-Type' 'text/plain; charset=utf-8';
#add_header 'Content-Length' 0;
#return 204;
}
# The Origin request header is echoed back unchanged together with Allow-Credentials: true,
# so every origin is allowed to make credentialed requests. Prefer comparing $http_origin
# against an explicit allow-list (for example with a map) and echoing it only on a match.
# nginx adds Access-Control-Allow-Origin once here and appends to, rather than replaces,
# headers coming from the backend. The duplicated value presumably comes from the PHP
# application sending the same header (verify); fastcgi_hide_header can drop the upstream copy.
if ($request_method ~* "(GET|POST|PUT|PATCH|DELETE)") {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS, PATCH, PUT' always;
add_header "Access-Control-Allow-Headers" "Authorization, v-access-header, Origin, X-Requested-With, Content-Type, Accept" always;
add_header 'Access-Control-Allow-Credentials' 'true';
}
}
# Block direct access to .htaccess / .htpasswd style files.
location ~ /\.ht {
deny all;
}
# ACME HTTP-01 challenge files are served from a separate directory.
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt/;
log_not_found off;
}
}
there is only 1 Header allow origin... why i get multiple? is there a way to find out where the second entry is coming from?
When i delete this entry my GET request dont work because "NO ALLOW-ORIGIN Header is present."
Now the GET is working and the POST make this error.

nginx: [emerg] "server" directive is not allowed here in /etc/nginx/conf.d even if server tag is inside http

I am trying to add CORS header to my app when deploying it to cloud via docker I get the error:
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/conf.d/default.conf:1
My nginx file
# Configuration as posted in the question: a complete http{} context placed in a file that,
# per the error message, is loaded from /etc/nginx/conf.d/.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
# NOTE(review): root expects a filesystem path; a URL is given here.
root https://srm-master.nonprod.com;
index index.html index.htm;
set $cors "";
# The pattern is unanchored and its dots are unescaped, so it matches more than the
# subdomains of ini.com. Because a matching Origin is echoed back with
# Allow-Credentials: true below, anchor it at both ends and escape the dots,
# e.g. "^https://([a-z0-9-]+\.)*ini\.com$".
if ($http_origin ~* (.*\.ini.com)) {
set $cors "true";
}
server_name .ini.com;
location / {
# CORS headers are added only when the Origin matched the pattern above.
if ($cors = "true") {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS,
DELETE, PUT';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-
Alive,Content-Type';
}
}
}
#gzip on;
# NOTE(review): if this file itself lives in /etc/nginx/conf.d/, this include pulls it in again.
include /etc/nginx/conf.d/*.conf;
}
Actually, the problem has nothing to do with Docker; the cause of the error is the nginx config. nginx allows only one http section, and it is already defined in /etc/nginx/nginx.conf. Remove the http section from your config and it should work:
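# Virtual host for ini.com and its subdomains that answers cross-origin requests from an
# allow-listed origin. Meant to be included from the http{} context of /etc/nginx/nginx.conf.
server {
    # NOTE(review): root takes a filesystem path, not a URL. Left as posted; replace it with
    # the real document root.
    root https://srm-master.nonprod.com;
    index index.html index.htm;
    server_name .ini.com;

    # Decide once per request whether the Origin header is on the allow-list.
    # The pattern is anchored at both ends and its dots are escaped, so only ini.com and its
    # subdomains (with an optional port) match. The posted pattern (.*\.ini.com) was unanchored
    # and matched any origin that merely contained that text, and the matching origin is echoed
    # back together with Allow-Credentials: true.
    # Restrict the scheme to https if no plain-HTTP origin needs access.
    set $cors "";
    if ($http_origin ~* "^https?://([a-z0-9-]+\.)*ini\.com(:[0-9]+)?$") {
        set $cors "true";
    }

    location / {
        if ($cors = "true") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            # Header values are kept on one line; a quoted value that wraps across lines puts
            # a line break inside the header.
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
            # The response now depends on the Origin request header, so caches must key on it.
            add_header 'Vary' 'Origin';
        }
    }
}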

Why I got 403 forbidden with nginx in docker container

I am trying to set up SSL with Let’s Encrypt by following this article: https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
my nginx config
# Single vhost that answers on both port 80 and port 443: static frontend, PHP via FastCGI,
# a websocket proxy, and the ACME challenge directory.
server {
listen 80;
server_name kcr.ttfr.ru;
server_name www.kcr.ttfr.ru;
root /var/www/k4fntr/public;
index /frontend/index.html;
client_max_body_size 128M;
gzip on; # enable gzip
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
access_log /var/log/nginx/access.log main;
# NOTE(review): debug-level logging is very verbose; lower it once troubleshooting is done.
error_log /var/log/nginx/error.log debug;
location / {
try_files /frontend/$uri $uri $uri/ /index.php?$args; # permalinks
client_max_body_size 128M;
}
# This regex matches any path containing "/.", which includes /.well-known/acme-challenge/.
# nginx evaluates regex locations after finding the longest prefix match, and a matching regex
# wins unless that prefix location is marked "^~". The challenge requests are therefore
# answered by this "deny all", which is the 403 described below.
location ~ /\. {
deny all; # deny hidden files
}
# Refuse to execute PHP files that sit inside upload directories.
location ~* /(?:uploads|files)/.*\.php$ {
deny all; # deny scripts
}
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires max; # cache static files
try_files /frontend/$uri $uri $uri/ /index.php?$args; # permalinks
}
location ~ \.php$ {
# proxy_set_header belongs to the proxy module and has no effect on a fastcgi_pass request.
proxy_set_header X-Real-IP $remote_addr;
fastcgi_pass k4fntr_php-fpm:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_read_timeout 300;
}
# Websocket upgrade proxy to the echo service.
location /socket.io {
proxy_pass http://k4fntr_echo:6001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location ~ /\.ht {
deny all;
}
# The same server block also listens on 443, so HTTP requests are served as-is and are not
# redirected to HTTPS.
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/kcr.ttfr.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kcr.ttfr.ru/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Plain prefix location: it loses to the "location ~ /\." regex above. Writing it as
# "location ^~ /.well-known/acme-challenge/" stops the regex check for these paths.
location /.well-known/acme-challenge/ { root /var/www/certbot; }
}
but my challenges were failed because of url /.well-known/acme-challenge/ returns 403:Forbidden
what's wrong with my nginx configuration?
change your location to something like this:
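# "^~" tells nginx to skip regex locations once this prefix matches. Without it, the
# "location ~ /\." deny rule in the question's config still wins for /.well-known/ paths and
# the challenge keeps returning 403. The hidden-file rule itself stays in place for every
# other dot-path.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/certbot;
    default_type text/plain;
}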
Another question: do you want to redirect all non-HTTPS traffic to HTTPS?
In that case I would create one server block listening on port 80 and another one listening on 443.
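# Port-80 vhost: serves ACME HTTP-01 challenge files and redirects everything else to HTTPS.
server {
    listen 80;
    server_name domain.io;

    # $server_name is the configured name, so the redirect target does not depend on the
    # Host header sent by the client.
    location / {
        return 301 https://$server_name$request_uri;
    }

    # Fixed: the directive read "root root /var/www/certbot;". root takes a single path, so
    # nginx rejects the doubled word at load time.
    location /.well-known/acme-challenge {
        root /var/www/certbot;
        default_type text/plain;
    }
}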
server {
listen 443 ssl;
server_name domain.io;
add_header Strict-Transport-Security "max-age=31536000" always;
...
}

Nginx CORS Policy Issue

I'm trying to set up CORS Policy on my Nginx container.
I've put this to my Nginx settings:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
location ~* \.(?:gif|jpe?g|png|jpg)$ {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 80;
server_name api.example.com;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
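# Bare-domain TLS vhost: terminates TLS for example.com and redirects every request to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # NOTE(review): "includeSubDomains; preload" commits every subdomain to HTTPS-only for the
    # full max-age; confirm all of them serve valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and the 3DES suites use a 64-bit block cipher,
    # so "TLSv1.1 TLSv1" and "DH+3DES" are dropped from the posted settings. Add TLSv1.3 where
    # the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    return 301 https://www.example.com$request_uri;
}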
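# TLS vhost for www.example.com: proxies to the local backend on port 11700 and serves
# images from disk.
server {
    server_name www.example.com;
    # The "ssl" flag on listen already enables TLS for this vhost; the separate "ssl on;"
    # directive is deprecated and has been removed.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # NOTE(review): "includeSubDomains; preload" commits every subdomain to HTTPS-only for the
    # full max-age; confirm all of them serve valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and the 3DES suites use a 64-bit block cipher,
    # so "TLSv1.1 TLSv1" and "DH+3DES" are dropped from the posted settings. Add TLSv1.3 where
    # the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    location / {
        proxy_bind 127.0.0.1;
        proxy_pass http://localhost:11700;
    }
    location ~* \.(?:gif|jpe?g|png|jpg)$ {
        root /some/dir;
    }
}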
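# TLS vhost for api.example.com: proxies every request to the local backend on port 11900.
# No Access-Control-* header is added here, which is what the browser error below reports.
server {
    server_name api.example.com;
    # The "ssl" flag on listen already enables TLS for this vhost; the separate "ssl on;"
    # directive is deprecated and has been removed.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # NOTE(review): "includeSubDomains; preload" commits every subdomain to HTTPS-only for the
    # full max-age; confirm all of them serve valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and the 3DES suites use a 64-bit block cipher,
    # so "TLSv1.1 TLSv1" and "DH+3DES" are dropped from the posted settings. Add TLSv1.3 where
    # the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    location / {
        proxy_bind 127.0.0.1;
        proxy_pass http://localhost:11900;
    }
}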
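# Plain-HTTP static-site backend on port 11700; the www.example.com TLS vhost proxies to it.
server {
    # NOTE(review): "listen 11700" binds every interface, so this backend is also reachable
    # without TLS wherever the port is exposed. If only the local TLS vhost should reach it,
    # "listen 127.0.0.1:11700;" keeps it on loopback. Confirm nothing else connects to it.
    listen 11700;
    server_name localhost;
    index index.html index.htm;
    charset utf-8;
    root /some/other/dir;
    client_max_body_size 100M;
    fastcgi_read_timeout 1800;

    # Fixed: the named location was printed as "#rewrites". In nginx "#" starts a comment,
    # which would cut both directives short; named locations are written with "@".
    location / {
        try_files $uri $uri/ @rewrites;
    }
    # Fallback for paths that match no file: hand them to the single-page app's index.html.
    location @rewrites {
        rewrite ^(.+)$ /index.html last;
    }

    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}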
# Plain-HTTP API backend on port 11900; the api.example.com TLS vhost proxies to it.
server {
# NOTE(review): "listen 11900" binds every interface, so this backend is also reachable
# without TLS wherever the port is exposed; confirm whether it should be loopback-only.
listen 11900;
server_name localhost;
root /some/another/di/r;
index index.php index.html index.htm;
charset utf-8;
client_max_body_size 100M;
fastcgi_read_timeout 1800;
location / {
# Prefix the path with /api and forward the request to 127.0.0.1 (default port 80).
rewrite ^(/.*)$ /api$1 break;
proxy_pass http://127.0.0.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The scheme is hard-coded as https regardless of how the request reached this listener.
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
# NOTE(review): proxy_pass and try_files are both set in this location; confirm which of the
# two is meant to handle the request.
try_files $uri $uri/ /index.php?_url=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass php-fpm:9000;
fastcgi_index /index.php;
include fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Return 404 unless the script file exists under the document root, so a path that merely
# looks like a .php URL is not handed to PHP-FPM.
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fastcgi_params is included a second time here.
include fastcgi_params;
}
# Block direct access to .htaccess / .htpasswd style files.
location ~ /\.ht {
deny all;
}
}
when I'm trying to launch tests I'm getting XMLHttpRequest error:
Access to XMLHttpRequest at
'https://api.example.com/some/url/index?page=1' from origin
'https://www.example.com' has been blocked by CORS policy: Response
to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
What it could be?
You need to allow access from www.example.com on your api's domain api.example.com, so in the virtualhost of api.example.com add the following line under server_name or under the other add_header directives:
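# add_header takes the header name and its value as two separate arguments; the posted line
# put both inside one quoted string. The value has to be the exact origin the browser sends,
# scheme included (the error above shows 'https://www.example.com'). "always" also attaches
# the header to error responses, which matters when the backend rejects the preflight request.
# Naming one origin keeps the allow-list explicit; a preflighted request may additionally
# need Access-Control-Allow-Methods and Access-Control-Allow-Headers.
add_header 'Access-Control-Allow-Origin' 'https://www.example.com' always;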
For more information about CORS, you can check the following:
Cross-Origin Resource Sharing (CORS)

Redirect http to https in nginx with rails application

I want to redirect http to https automatically.
Below is my nginx conf.
upstream puma_tn{
# Path to Puma SOCK file, as defined previously
server unix:/home/deploy/tn/shared/tmp/sockets/tn-puma.sock fail_timeout=0;
}
server {
listen 80;
server_name www.tn.com.au;
#return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
#if ($scheme = http) {
# return 301 https://$server_name$request_uri;
# }
}
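# TLS vhost for the Rails app: static files from public/, everything else proxied to Puma.
server {
    # The "ssl" flag on listen already enables TLS; the separate "ssl on;" directive is
    # deprecated and has been removed.
    listen 443 default_server ssl;
    server_name www.tn.com.au;
    root /home/deploy/tn/current/public;
    # Fixed: the named location was printed as "#app". In nginx "#" starts a comment, which
    # would cut the directive short; named locations are written with "@".
    try_files $uri/index.html $uri @app;

    ssl_certificate /etc/ssl/certs/tn.crt;
    ssl_certificate_key /etc/ssl/private/tn.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered. Add TLSv1.3 where
    # the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Security changes: hide the nginx version and replace the Server header.
    # more_set_headers comes from the third-party headers-more module.
    server_tokens off;
    more_set_headers 'Server: Eff_You_Script_Kiddies!';

    location @app {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_http_version 1.1;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header Connection '';
        proxy_pass http://puma_tn;
    }

    # Static assets. This location declares its own add_header, so nothing is inherited from
    # elsewhere; HSTS is repeated here so asset responses carry it too.
    location ~ ^/(assets|fonts|system)/|favicon.ico|robots.txt {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # NOTE(review): with underscores allowed, "X_Foo" and "X-Foo" can reach the app as the same
    # variable; confirm the app does not trust headers a front proxy sets under a hyphenated name.
    underscores_in_headers on;
    error_page 500 502 503 504 /500.html;
    # NOTE(review): a 4G body limit and 600-second timeouts let one client hold a worker and
    # disk space for a long time; confirm these sizes are really needed.
    client_max_body_size 4G;
    keepalive_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
}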
Assuming you're deploying it to production, Add below config to production.rb
config.force_ssl = true
force HTTPS connection inside server block
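# Redirect any non-HTTPS request to the same URL over HTTPS.
# The target is built from $request_uri, the request URI exactly as the client sent it (query
# string included). $uri is the decoded, normalised path, and decoded control characters must
# not end up in a Location header.
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}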
Or inside location / block write
location / {
return 301 https://$server_name$request_uri;
}
also i don't think we need config.force_ssl = true
I have written the following in server ssl block to make it working.
# TLS vhost that redirects when the request is marked as having arrived over plain HTTP.
server {
listen 443 default_server ssl;
server_name www.tn.com.au;
# X-Forwarded-Proto is a request header, so this check is only meaningful when a proxy or
# load balancer in front of nginx sets or overwrites it. Presumably that is the deployment
# here; verify. A client connecting directly can send any value for it.
if ($http_x_forwarded_proto = 'http') {
return 301 https://$server_name$request_uri;
}
.....other configurations
}

Resources