I have used OAuth authentication in my server.I'm trying a server configuration using an nginx reverse proxy and ssl.
I have redirected the https request to http using niginx reverse proxy configuration.
My Nginx server blocks look like:
server {
listen 193.169.200.88:8084;
server_name test2.test.com;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
proxy_pass http://localhost:50489/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:82
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
and
server {
listen 171.16.202.219:443 ssl;
server_name test2.test.com;
ssl_certificate /nginx/conf/nginxnew.crt;
ssl_certificate_key /nginx/conf/nginxnew.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://193.169.200.88:8084;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
If i run the server in my local machine i can easily login. But if I run the same code behind the reverse proxy the oauth request not working properly.
The oauth request going like http://test2.test.com:50489/oauth/v1/authorize?client_id=f7d1705a-b3fb-45b8-84ee-0afa4179f964&redirect_uri=https:%2F%2Ftest1.test.com%2Flogin&state=LPHxiHo_AmnfB1hqPjSNVQ&scope=Profile&response_type=code.
I want this oauth url like below,
https://test2.test.com/oauth/v1/authorize?client_id=f7d1705a-b3fb-45b8-84ee-0afa4179f964&redirect_uri=https:%2F%2Ftest1.test.com%2Flogin&state=LPHxiHo_AmnfB1hqPjSNVQ&scope=Profile&response_type=code
Any ideas for this?
Related
I have two docker container of my 2 different net core API project running on my machine (Linux) on respective ports 3333:80 and 6666:8088. I have deployed their front end part on Nginx server each having its own configuration in sites-available folder.
The problem is that my 1st container (API) is working fine, getting response from front end application as well as from Postman but the 2nd container is not working, throwing this error HTTP 502 bad gateway and error msg:
recv() failed (104: Connection reset by peer) while reading response header from upstream
What's wrong over here? Kindly help me to resolve this issue. Following are my config files:
nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
client_max_body_size 50M;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
site1.conf
server {
listen 80 default_server;
server_name _;
root /var/www/app.admin-crm.com;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:3333/api/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded_Host $server_name;
add_header Access-Control_Allow-Credentials true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
client_max_body_size 50M;
}
location / {
try_files $uri $uri/ /index.html;
}
}
site2.conf:
server {
listen 8088 default_server;
server_name _;
root /var/www/stilaar-web;
index index.html;
location /api/ {
proxy_pass http://127.0.0.1:6666/api/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded_Host $server_name;
add_header Access-Control_Allow-Credentials true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
client_max_body_size 50M;
}
location / {
try_files $uri $uri/ /index.html;
}
}
So i was asked to check this server out that after a restart is giving an 502 bad gateway message.
It's an nginx 1.10.3 in an ubuntu
I was looking around and what I can see is this:
in /var/log/nginx/error.log:
2020/03/18 02:29:45 [error] 3166#3166: *474 connect() to unix:/home/ubuntu/xxx/shared/tmp/sockets/puma.sock failed (111: Connection refused) while connecting to upstream, client: 190.162.83.37, server: 127.0.0.1, request: "GET / HTTP/1.1", upstream: "http://unix:/home/ubuntu/xxx/shared/tmp/sockets/puma.sock:/500.html", host: "domain.website.com"
I see this error multiple times. All I was told is that the website was working fine until it was rebooted. Apparently the server had been working non-stop for months.
The nginx.conf config is:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
# multi_accept on;
}
http {
uwsgi_connect_timeout 75s;
proxy_connect_timeout 600;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
fastcgi_send_timeout 600s;
fastcgi_read_timeout 600s;
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
And the /etc/nginx/sites-enabled/default file:
upstream app {
# Path to Puma SOCK file, as defined previously
server unix:/home/ubuntu/xxx/shared/tmp/sockets/puma.sock fail_timeout=0;
}
server {
listen 80;
server_name 127.0.0.1 172.31.0.59;
root /home/ubuntu/xxx/current/public;
try_files $uri/index.html $uri #app;
location / {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Connection '';
proxy_pass http://app;
}
location ~ ^/(assets|fonts|system)/|favicon.ico|robots.txt|A8774B2003352D7DCA9406C3FADC610B.txt|sitemap.xml|video.mp4 {
gzip_static on;
expires max;
add_header Cache-Control public;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
server {
listen 443 ssl;
server_name 127.0.0.1 172.31.0.59;
ssl_certificate /home/ubuntu/xxx/shared/cert/demain.website.com.crt;
ssl_certificate_key /home/ubuntu/xxx/shared/cert/demain.website.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#maintenance
error_page 503 /maintenance.html;
location /maintenance.html {
# allow access to this specific page
}
#location / {
# return 503;
#}
# Tell Nginx and Passenger where your app's 'public' directory is
root /home/ubuntu/xxx/current/public;
try_files $uri/index.html $uri #app;
location / {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Connection '';
proxy_pass http://app;
}
location ~ ^/(assets|fonts|system)/|favicon.ico|robots.txt|A8774B2003352D7DCA9406C3FADC610B.txt|sitemap.xml|video.mp4 {
gzip_static on;
expires max;
add_header Cache-Control public;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
# Turn on Passenger
#passenger_enabled on;
#passenger_ruby /usr/share/rvm/gems/ruby-2.4.2/wrappers/ruby;
#passenger_app_env stage;
}
I don't know what to do. Please Help.
I have a little problem concerning my nginx setup. I plan to create multiple in a network with one central server as a proxy.
|---(/nextcloud/)--->Nextcloud-Server
-----> Central-Server--->|
|---(/git)---------->Git-Server
|
|---(/Redmine)---------->Redmine-Server
I started this setup with my Nextcloud Server for some reason URL redirects are not working properly. I tried to used several redirect and rewrite rules but could not get it working.
When accessing a location I always get redirected to the Central Server. So domain.net/nextcloud/ will be redirected to domain.net/login, but it should actually access domain.net/nextcloud/login. Does anyone have solution for this? My current config looks like
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
server {
listen 192.168.178.10:443 ssl;
server_name domain.net;
#root /usr/share/nginx/html;
ssl_certificate /mnt/docker/nginx/certs/fullchain.pem;
ssl_certificate_key /mnt/docker/nginx/certs/privkey.pem;
#include /etc/nginx/conf/ssl_params;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#add_header Strict-Transport-Security "max-age=<HSTS_MAX_AGE>;<HSTS_SUBDOMAINS><HSTS_PRELOAD>";
client_max_body_size 10G;
location /n/ {
alias /usr/share/nginx/html/;
index index.html index.htm;
}
location /nextcloud/ {
access_log off;
proxy_set_header X-Real_ip $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://192.168.178.11/;
}
location ^~ /c{
rewrite ^/c(.*) /$1 break;
proxy_pass https://192.168.178.11/;
proxy_connect_timeout 1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}
upstream nextcloud {
server 127.0.0.1:8209
}
server {
listen 443 ssl;
server_name www.abc.xyz;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_client_certificate ca.crt;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
rewrite ^/core/(.+?)$ /nextcloud/core/$1 last;
rewrite ^/apps/(.+?)$ /nextcloud/apps/$1 last;
rewrite ^/js/(.+?)$ /nextcloud/js/$1 last;
rewrite ^/css/(.+?)$ /nextcloud/css/$1 last;
rewrite ^/ocs/(.+?)$ /nextcloud/ocs/$1 last;
rewrite ^/settings/(.+?)$ /nextcloud/settings/$1 last;
rewrite ^/remote.php/(.+?)$ /nextcloud/remote.php/$1 last;
rewrite ^/login(.*)$ /nextcloud/login$1 last;
rewrite ^/lostpassword(.*)$ /nextcloud/lostpassword$1 last;
location /nextcloud {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://nextcloud/;
proxy_read_timeout 90;
proxy_redirect https://www.abc.xyz https://www.abc.xyz/nextcloud;
}
}
Just for next cloud, which git server do you chose?
gitlab-ce supply relative url
https://docs.gitlab.com/omnibus/settings/nginx.html
external_url "https://gitlab.example.com" -> "https://gitlab.example.com/git"
I have installed nginx (version 1.6.3) on my amazon ec2 server with unicorn, Rails 4.2.0 and Ruby 2.1.3. Amazon load balancing is enabled on my system. The domain looks like abc.example.com. If no redirection code is written on nginx conf file, then both https://abc.example.com and http://abc.example.com seem working. But when I try to redirect all http requests to https, then sometimes it works for few seconds and then appear blank page, and sometimes it appears blank page from the beginning. Sometimes it shows 503 error too. The redirection code is:
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
My nginx conf file looks like this:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
server {
listen 80;
listen 443 ssl;
client_max_body_size 4G;
server_name abc.example.com;
root '/var/www/html/example/public';
try_files $uri/index.html $uri.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded_Proto $scheme;
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
proxy_redirect off;
proxy_pass http://unicorn;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /var/www/html/example/public;
}
}
}
So, how to resolve this issue?
Please move the redirection to its own block;
Can you please use this as your redirection:
server {
server_name domain.com.au;
server_tokens off;
return 301 https://$host$request_uri;
}
I prefer not to use IF Condition in Nginx unless I have to. See if this works if not we can work on it.
Also please remove listen 80; if everything suppose to go to ssl then you can forget port 80.
listen 443 default deferred;
try it and let me know if you need more help.
Can you please adjust this setting to fit yours then restart the Nginx:
upstream unicorn {
server unix:/tmp/unicorn.production_domain.sock fail_timeout=0;
}
server {
server_name domain.com;
server_tokens off;
return 301 https://$host$request_uri;
}
server {
listen 443 default deferred;
ssl on;
ssl_certificate /etc/ssl/SSL.crt;
ssl_certificate_key /etc/ssl/domain.com.key;
server_name domain.com.au;
root /var/www/public_html/production.domain.com;
access_log /var/www/public_html/production.domain.com/log/nginx.access.log;
error_log /var/www/public_html/production.domain.com/log/nginx.error.log ;
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
error_page 500 502 503 504 /public/500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
What do you have in your unicorn.rb?
I want to configure NGINX with Rails 4 and run my application in production mode. The problem is I get 403 code - command: rails s -e production and in browser typing localhost. Naturally I established 755 privileges for the whole files in my application folder. There is my nginx.conf below:
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
client_max_body_size 50M;
# fastcgi_buffers 8 16k;
# fastcgi_buffer_size 32k;
# fastcgi_connect_timeout 300;
# fastcgi_send_timeout 300;
# fastcgi_read_timeout 300;
upstream proxy-user {
server 127.0.0.1:2000;
}
upstream thin_cluster {
server unix:/tmp/thin.0.sock;
# server unix:/tmp/thin.1.sock;
# server unix:/tmp/thin.2.sock;
}
server {
listen 80;
server_name localhost;
# access_log /var/log/nginx-access.log;
root /home/user/Apps/myapp/public;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mp3|flv|mpeg|avi)$ {
try_files $uri #app;
}
location /home/user/Apps/myapp/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://proxy-user;
if (!-f $request_filename) {
proxy_pass http://proxy-user;
break;
}
}
}
server {
listen 443;
server_name _;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
access_log /var/log/nginx-access-ssl.log;
root /home/user/Apps/myapp/public;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mp3|flv|mpeg|avi)$ {
try_files $uri #app;
}
location /home/user/Apps/myapp/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-FORWARDED_PROTO https;
proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://proxy-user;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
You kinda have few issues in your config, I'll write what I would have done and you tell me what ever questions you have, I'll assume that the server is on port 2000 because that's the upstream you used.
I'll also ignore the http block and only use the server and upstream blocks.
upstream rails {
server 127.0.0.1:2000;
}
server {
server_name domain.com; # or whichever
listen 80;
# ssl settings start
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# ssl settings end
root /home/user/Apps/myapp/public;
error_page 500 502 503 504 /50x.html;
access_log /var/log/nginx/domain-access.log;
error_log /var/log/nginx/domain-error.log;
location #pass_to_rails {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-FORWARDED_PROTO $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://rails;
}
location / {
try_files $uri $uri/ #pass_to_rails;
}
}
You should place this inside sites-available and symlink to sites-enabled if you are on a debian/ubuntu distro, or use /etc/nginx/conf.d if you are on another distro, to keep things tidy and maintainable.
also make sure to uncomment one of those lines depending on what you want to use
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;