Nginx proxy header variable not working

I’m trying to set up a load balancer with nginx.

The problem I’m having is that, for some reason, the variable $host is not working for me when I try to use proxy_set_header.

When I tried to go to http://proxy.domain.com it gives me a 404 error; when I check the logs they give me this:

server: proxy.domain.com, request: "GET / HTTP/1.0", upstream: "http://1.2.3.4:80/", host: "proxy.domain.com"

The IP 1.2.3.4 is the real IP of ss.domain.com, which is fine here, but why does it give me http://1.2.3.4:80/ instead of my domain name? Because of that it gives me a 404 error and is not looking at the right vhost.

I configured my proxy settings like this:

upstream s3 {
    server ss.domain.com weight=2;
    server vv.domain.com;
}

server {
    listen 80;
    listen [::]:80;
    server_name proxy.domain.com;
    root /var/www/proxy.domain.com/html;

    location / {
        proxy_pass http://s3;
        proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
    }
}

NGINX, subdomain using server blocks doesn’t work

I would like to use nginx to redirect users from domain.com:3001 to sub.domain.com. The application on port 3001 is running in a docker container, and I didn’t add any files in the sites-available/sites-enabled directories. I have added two server blocks (vhosts) in my conf.d directory. In the server block I set $upstream and resolver according to the record in my /etc/resolv.conf file. The problem is that when I test sub.domain.com in the browser, every time I receive information that the IP address could not be connected with any server (DNS_PROBE_FINISHED_NXDOMAIN) or 50x errors.

However, when I run curl sub.domain.com from the server I receive 200 with the index.html response; this doesn’t work when I run the same command from my local PC. The server domain is in a private network. Have you any idea what my configuration files lack? Maybe there is some issue with the listen port when the app is running in docker, or maybe there is something wrong with the version of nginx? When I installed nginx there was an empty conf.d directory, with no default.conf. I am lost…

Any help will be highly appreciated.

Here are my configuration files:

server.conf:

server {
    listen       80;
    listen       443 ssl;
    server_name  sub.domain.net;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    ssl_certificate /etc/nginx/ssl/cer.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Real-IP;
    #real_ip_recursive on;

#    location / {
#        root   /usr/share/nginx/html;
#        index  index.html index.htm;
#    }

    location / {
        resolver 10.257.10.4;
        set $upstream https://127.0.0.1:3000;

        proxy_pass $upstream;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

nginx.conf:

#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local]
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;
    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;

Serve two different websites, one under root and another under /news for nginx

I have this set up under Apache but can’t get it working under nginx. I have two websites: one that covers everything, and another under /news/. They run the same framework – Silverstripe.

Here is my nginx conf:

server {
    include mime.types;
    default_type  application/octet-stream;
    client_max_body_size 0; # Manage this in php.ini
    listen 80;
    listen 443 ssl;
    root /var/www/html/example/webroot;
    server_name example.com www.example.com;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/example/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;

    access_log /var/log/nginx/example/access.log main;
    error_log /var/log/nginx/example/error.log;

    # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013
    if ($http_x_forwarded_host) {
        return 400;
    }

    location ^~ /news/ {
        root /var/www/html/example2/webroot;
        try_files $uri /framework/main.php?url=$uri&$query_string;

        location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ {
            fastcgi_buffer_size 32k;
            fastcgi_busy_buffers_size 64k;
            fastcgi_buffers 4 32k;
            fastcgi_keep_conn on;
            fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }

    location / {
        try_files $uri /framework/main.php?url=$uri&$query_string;
    }

    error_page 404 /assets/error-404.html;
    error_page 500 /assets/error-500.html;

    location ^~ /assets/ {
        sendfile on;
        try_files $uri =404;
    }

    location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ {
        fastcgi_buffer_size 32k;
        fastcgi_busy_buffers_size 64k;
        fastcgi_buffers 4 32k;
        fastcgi_keep_conn on;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # Denials
    location ~ /\.. {
        deny all;
    }
    location ~ \.ss$ {
        satisfy any;
        allow 127.0.0.1;
        deny all;
    }
    location ~ \.ya?ml$ {
        deny all;
    }
    location ~* README.*$ {
        deny all;
    }
    location ^~ /vendor/ {
        deny all;
    }
    location ~* /silverstripe-cache/ {
        deny all;
    }
    location ~* composer\.(json|lock)$ {
        deny all;
    }
    location ~* /(cms|framework)/silverstripe_version$ {
        deny all;
    }
}

I’ve tried a few other things similar to this but it always ends up the same result, the server returning a Moved Permanently to the same URL.

How to configure nginx with mutual TLS and restrict client domains

I have an nginx server that requires mutual TLS (client certificate required). What configurations do I need for nginx to only allow client certificates where the “subject” is from a certain domain?

I’ve read about the variable “ssl_client_s_dn”. I suppose I would parse this to get the domain and check that it matches a string. Can someone provide an example of how to do this?

For client certificates NOT belonging to a certain domain, access should be denied.
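
One way to implement the check the question describes, as an added example that is not part of the original post. The server name, certificate paths, CA bundle and the domain example.com are assumptions, and the pattern assumes the RFC 2253 form of $ssl_client_s_dn (nginx 1.11.6 and later).

```nginx
# Added example; names, paths and example.com are placeholders.

# "map" belongs in the http{} context. $ssl_client_s_dn holds the subject DN of
# the verified client certificate as an RFC 2253 string, for instance
# "CN=app1.example.com,O=Example,C=US" (constructed sample value).
map $ssl_client_s_dn $client_cn_allowed {
    default 0;

    # Anchor both ends of the CN attribute. An unanchored match on
    # "example.com" would also accept "CN=example.com.other.net" or a DN
    # that merely carries the string in another attribute such as OU.
    "~(^|,)CN=[^,]+\.example\.com(,|$)" 1;
}

server {
    listen 443 ssl;
    server_name mtls.example.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Require a client certificate that chains to this CA bundle. The subject
    # check below is only as trustworthy as the CAs listed here, so keep the
    # bundle limited to issuers whose subject naming you control.
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Certificates that verified but whose CN is outside the allowed domain
    # are refused before any location is processed.
    if ($client_cn_allowed = 0) {
        return 403;
    }

    location / {
        root /var/www/mtls.example.com/html;
    }
}
```

With ssl_verify_client on, nginx itself rejects requests that present no certificate or one that fails chain validation, so the map only has to decide between certificates that already verified.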

Magento 2 + Varnish + Apache + Nginx SSL – Nginx.conf error

Have just had a developer implement Varnish cache with SSL termination.

https:// –> nginx(443) –> varnish(port 8081) –> apache(8080)

All pages on our site are working fine except the home page which is returning Server 500 error.

I believe it’s an Nginx.conf error. Can anyone spot what might be going wrong?

I am just guessing it’s something to do with the below line

return 301 https://www.ourdomain.co.uk$request_uri;

Full config below. Any help appreciated

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  www.ourdomain.co.uk;
    #    include /etc/nginx/default.d/*.conf;
    #location / {
    #    proxy_pass http://ourIPaddress:8081;
    #    proxy_set_header Host $http_host;
    #    proxy_set_header X-Forwarded-Host $http_host;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    #proxy_set_header X-Forwarded-Proto https;
    #    #proxy_set_header X-Forwarded-Port 443;
    #}
    return 301 https://www.ourdomain.co.uk$request_uri;
    }

    server {
        listen       443 ssl http2;
        server_name  www.ourdomain.co.uk;
        ssl_certificate "/etc/letsencrypt/live/www.ourdomain.co.uk/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/www.ourdomain.co.uk/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/www.ourdomain.co.uk/chain.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        include /etc/nginx/default.d/*.conf;
    location / {
        proxy_pass http://ourIPaddress:8081;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto https;
        #proxy_set_header X-Forwarded-Port 443;
    }
    }

}

Nginx + Tomcat working in the same server

I’m developing a WebApp using Tomcat. I’ve set a frontal NGINX server to serve static content and redirect the rest of work to a Tomcat server.

I’ve set that configuration in NGINX:

proxy_cache_path  /var/www/mysite/assets levels=1:2 keys_zone=my_cache:10m inactive=60m;
proxy_cache_key   "$scheme$request_method$host$request_uri";

server {
        server_name             mysite.com www.mysite.com;
        listen                  443 ssl http2;

        ssl_certificate         /etc/ssl/mysite.crt;
        ssl_certificate_key     /etc/ssl/mysite.key;
        ssl_session_cache       shared:SSL:10m;
        ssl_session_timeout     10m;

        root                    /opt/tomcat/latest/webapps/mysite/;
        index                   index.jsp;

        location ~* \.(jpg|jpeg|png|gif|ico|css|js|xml|gz)$ {
                expires 12h;
        }

        location / {
                proxy_pass              http://127.0.0.1:8080/mysite/;
                proxy_redirect          off;
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_set_header        X-Server-Proto $server_protocol;

                proxy_cache             my_cache;
                add_header              X-Proxy-Cache $upstream_cache_status;
        }
}

As you can see, I set the proxy redirect and the proxy cache. Using the last directive (add_header X-Proxy-Cache $upstream_cache_status;) I could see if I have a HIT or a MISS loading resources.

The problems I found are:

  1. If I use this configuration, I think I can’t see the HIT/MISS headers, so I don’t know if the proxy cache is working well.
  2. If I comment out the entire location ~* \.(jpg|jpeg|png|gif|ico|css|js|xml|gz)$ section, I can see the HIT/MISS headers, so I think the proxy cache works, but I don’t know if I’m letting Tomcat manage static content, which is what I wanted to avoid by using this section.

How could I set the config file to use a proxy cache and let NGINX manage the static content (jpg,css,js,…)? Maybe everything is alright and I’ve got it well… Which is the best solution?

Thanks.

How to Replace Apache with NGINX on Ubuntu 18.04

NGINX is a modern web server created by computer software engineer Igor Sysoev in 2004. NGINX is used by the busiest, highest-traffic websites. NGINX works out of the box with most major web stacks, including the LEMP (Linux, NGINX, MySQL, PHP) stack. This tutorial assumes that your website is hosted with the Apache web server and that you want to migrate to NGINX. The migration consists of replacing the Apache web server with NGINX without losing the website data and with little downtime.

Why Replace Apache with NGINX?

There are several reasons to replace Apache with NGINX:

  • NGINX is the fastest web server that supports concurrent connections, and it supports high-traffic website load.
  • NGINX consumes less RAM and CPU than Apache, so it is resource friendly.
  • NGINX improves website performance with an inbuilt cache system for faster access to static website content like images, CSS, JavaScript, etc.

What is the major difference between Apache and NGINX?

These are the major differences between Apache and NGINX:

  • The main configuration files for Apache and NGINX are located at /etc/apache2/apache2.conf and /etc/nginx/nginx.conf respectively.
  • NGINX uses server blocks but Apache uses virtual hosts.
  • NGINX and Apache both use the same default root directory, /var/www/html.
  • NGINX has an inbuilt cache system but Apache doesn’t have any inbuilt cache system.

Prerequisites

Before starting the tutorial you will need:

  • An Ubuntu 18.04 VPS with a minimum of 1GB of RAM for smooth operations.
  • The Apache web server previously installed on your VPS.

Step-1: Remove the Apache Web Server

Before installing NGINX you will remove the Apache web server to avoid conflicts between them.

First of all, stop the Apache service before removing the Apache web server. This lets you remove Apache without any issues.

$ sudo systemctl stop apache2

After stopping Apache, remove the Apache startup entries from systemctl, so that the Apache service won’t be started automatically at boot time.

$ sudo systemctl disable apache2

Once the Apache service is stopped and the startup entries are removed, it is time to remove the Apache web server packages from the system.

$ sudo apt remove apache2

The above command removes only the apache2 packages; Apache-related dependencies are kept on the system. It is essential to remove those unwanted dependencies to free up space. This can be done with the given command.

$ sudo apt autoremove

Now the Apache web server has been successfully removed. The installation of NGINX is described in the next step.

Step-2: Install the NGINX Web Server

Let’s begin with the installation of NGINX on Ubuntu. The Ubuntu default repository contains all the NGINX packages. Installation is straightforward, so you can install it without any hassle using the apt package manager.

First remove and flush the old apt repository cache, then update the repository to load the latest package information and perform a full upgrade to upgrade all the installed packages.

$ sudo apt clean all && sudo apt update && sudo apt dist-upgrade

After updating the repository, it is the right time to install the updated NGINX packages.

$ sudo apt install nginx

Once NGINX has been successfully installed, move on to the next step, which guides you through the firewall configuration for the NGINX web server.

Step-3: Configure UFW Firewall

The NGINX web server requires the HTTP port, port 80, and the HTTPS port, port 443, to be allowed through the firewall. It is essential to keep these ports open so that NGINX works flawlessly. UFW (Unified Firewall) is the default firewall for the Ubuntu 18.04 Linux distribution. Hence, you will add firewall rules to allow the HTTP and HTTPS ports.

By default no rules are added to the UFW firewall, so it is easy to add them. You are required to add the HTTP and HTTPS port rules to the UFW firewall, which can be done with a simple command. The Nginx Full rule contains both the HTTP and HTTPS ports and allows these ports to be kept open by the UFW firewall.

$ sudo ufw allow "Nginx Full"

After adding the firewall rules, it’s time to check the rules which have been added or updated, using the status command.

$ sudo ufw status

The above command shows the given sample output.

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
Nginx Full                 ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

The above output shows that you have successfully added the firewall rules and are ready to move forward to configuring the NGINX web server, which is described in the next step.

Step-4: Understanding the Configuration File of NGINX Web Server Compared to Apache Web Server

The configuration of NGINX is almost the same as that of the Apache web server, but the structure and syntax of the configuration files are different. The difference can be understood from the given sample configuration files of Apache and NGINX.

Sample Apache configuration file, located at /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/
</VirtualHost>

<Directory /var/www/html>
    Require all granted
    AllowOverride None
</Directory>

Sample NGINX configuration file, located at /etc/nginx/sites-available/example.com.conf

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }
}

If you look carefully at both configuration files you will find that the Apache configuration is expressed in virtual hosts and the NGINX configuration is expressed in server blocks. Having understood the difference between the configuration files of Apache and NGINX, you are ready to configure the rest of the NGINX configuration files, which is described in the next step.

Step-5: Configure NGINX Web Server

NGINX has the same capabilities as the Apache web server but supports concurrent connections faster. The NGINX configuration file uses server blocks. You have to configure it with the same document root location where all your static web assets like HTML, CSS, JavaScript and images are stored.

Note: Throughout this guide we assume that your document root is /var/www/html and your default domain name is example.com

In Ubuntu, the NGINX server blocks are located in the sites-available and sites-enabled directories inside the NGINX configuration directory. You will edit the server block files located in /etc/nginx/sites-available/ and create one to enable the server block for your domain. This method is highly recommended because it allows you to host more than one website, at different domains and file locations, on your Ubuntu system.

$ sudo nano /etc/nginx/sites-available/example.com.conf

Add the given lines, and don’t forget to replace example.com and www.example.com with your base domain name and subdomain, to enable server blocks for NGINX.

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Once you have added all of these lines, hit Ctrl + O to save and Ctrl + X to exit the nano text editor.

Next you will create a symbolic link (soft link) between the sites-available and sites-enabled directories. With the soft link, whenever you make changes to the server block configuration file located in the sites-available directory, they are immediately reflected in the sites-enabled directory.

$ sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf

Check the NGINX configuration files for correct syntax. This command also tells you where any errors are present.

$ sudo nginx -t

When all syntax is correct it shows Syntax OK as output. If anything goes wrong, please re-check the NGINX server block files. When all steps are completed, restart the service for the changes to take effect.

$ sudo systemctl restart nginx

After all things are ready, change the ownership of the default web root directory to the default NGINX user www-data, to enable read, write and execute permissions for it on that directory.

$ sudo chown www-data:www-data /var/www/html

To verify that the www-data user and group own the default web root directory, run the given long listing command.

$ ll /var/www/html

After running this command, the output shows that the default web root directory /var/www/html is owned by the www-data user and group. This means the default NGINX user www-data will be able to read, write and execute in the default web root directory.

Conclusion

You have now successfully replaced Apache with NGINX. You are ready to use NGINX for your web property to enable fast access to web assets with a low memory footprint. NGINX can be used for various purposes, and for both static and dynamic websites. For more information about NGINX, refer to the man pages available in Ubuntu.

The post How to Replace Apache with NGINX on Ubuntu 18.04 appeared first on Low End Box.

unable to route the http requests to the web application in Nginx

I have a reactjs application running at port 5000. I want to route the requests from nginx to the webapp.

I am getting the below log

2019/06/20 04:30:10 [error] 17709#17709: *67 connect() failed (111: Connection refused) while connecting to upstream, client: 72.163.217.106, server: 159.65.123.84, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "example.com"
2019/06/20 04:30:10 [error] 17709#17709: *69 connect() failed (111: Connection refused) while connecting to upstream, client: 72.163.217.106, server: 159.65.123.84, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8000/favicon.ico", host: "example.com", referrer: "http://example.com/"
2019/06/20 04:30:10 [error] 17709#17709: *71 connect() failed (111: Connection refused) while connecting to upstream, client: 72.163.217.106, server: 159.65.123.84, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8000/favicon.ico", host: "example.com", referrer: "http://example.com/"

Here is my nginx config file at /etc/nginx/sites-available/default

server {
    listen 0.0.0.0:80;
    server_name example.com; # or server_name subdomain.yourapp.com;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        # Enables WS support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
}

What could be the reason for this kind of behavior? How to fix this issue?