nginx : backend https, proxy_pass shows ip
proxy_redirect off
should do the trick. I think you should also change your proxy_pass to use SSL if you want to use SSL for your backend. Although a Unix socket would be much better to tighten security and still keep a fast connection.
My recommended nginx.conf:
    # /etc/nginx/nginx.conf
    user www-data;
    worker_processes 2; # Do you really have two CPU cores?

    events {
        multi_accept on;
        worker_connections 768;
        use epoll;
    }

    http {
        charset utf-8;
        client_body_timeout 65;
        client_header_timeout 65;
        client_max_body_size 10m;
        default_type application/octet-stream;
        index index.html index.php /index.php;
        keepalive_timeout 20;
        reset_timedout_connection on;
        send_timeout 65;
        sendfile on;
        server_names_hash_bucket_size 64;
        tcp_nodelay off;
        tcp_nopush on;

        gzip on;
        gzip_buffers 32 4k;
        gzip_comp_level 2;
        gzip_disable "msie6";
        gzip_http_version 1.1;
        gzip_min_length 1100;
        gzip_proxied any;
        gzip_static on;
        gzip_types
            #text/html is always compressed by HttpGzipModule
            text/css
            text/plain
            application/javascript
            application/x-javascript
            application/json
            application/x-json
            application/rss+xml
            application/xml
            application/vnd.ms-fontobject
            font/truetype
            font/opentype
            image/x-icon
            image/svg+xml;
        gzip_vary on;

        include mime.types;
        include conf.d/*.conf;
        include sites-enabled/*;
    }
My recommended virtual host configuration:
    # /etc/nginx/sites-available/default.conf
    proxy_cache_key "$scheme://$host$request_uri";
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache:10m inactive=7d max_size=700m;

    server {
        listen 80;
        server_name example.com;
        access_log off;
        root /var/www;

        # Consider using a map for this! If is bad!
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }

        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_intercept_errors on;
            proxy_buffering on;
            proxy_pass http://127.0.0.1:port$request_uri;
        }
    }
Have a look at my nginx configuration at GitHub for more advanced stuff (not finished yet, have to write more comments first): https://github.com/Fleshgrinder/nginx
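An added example, not the answerer's configuration: a virtual host that speaks TLS to the backend, verifies the backend certificate, replaces the regex `if` with a `map`, and rewrites redirects that name the backend. It assumes the backend answers with a `Location` header containing its own address; `192.0.2.10:8443`, `backend.internal` and the CA bundle path are placeholders.

```nginx
# Added example (not from the answer); address, port, names and paths are placeholders.
# Place inside the http { } block.

# Method allow-list as a map, replacing the regex "if".
map $request_method $method_blocked {
    default 1;
    GET     0;
    HEAD    0;
    POST    0;
}

server {
    listen 80;
    server_name domain2.com;

    if ($method_blocked) {
        return 444;
    }

    location / {
        # The scheme in proxy_pass decides whether nginx uses TLS upstream.
        proxy_pass https://192.0.2.10:8443;

        # Verify the backend certificate instead of accepting any certificate.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;  # placeholder path
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal;           # placeholder: name in the backend certificate

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite Location headers that name the backend so its address is not sent to the client.
        proxy_redirect https://192.0.2.10:8443/ /;
        proxy_redirect http://192.0.2.10:8443/  /;
    }
}
```

With `proxy_ssl_verify on`, a backend certificate that does not chain to the trusted bundle or does not match `proxy_ssl_name` makes nginx answer 502 rather than proxying the response.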
Vulpo
Updated on September 18, 2022
Comments
-
Vulpo over 1 year
I am using nginx as a reverse proxy listening at port 80 (http). I am using proxy_pass to forward requests to backend http and https servers. Everything works fine for my http server but when I try to reach the https server through nginx reverse proxy the ip of the https server is shown in the client's web browser. I want the uri of the nginx server to be shown instead of the https backend server's ip (once again, this works fine with the http server but not for the https server). See this post on the forum
Here is my configuration file:

    server {
        listen 80;
        server_name domain1.com;
        access_log off;
        root /var/www;

        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }

        location / {
            proxy_pass http://ipOfHttpServer:port/;
        }
    }

    server {
        listen 80;
        server_name domain2.com;
        access_log off;
        root /var/www;

        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }

        location / {
            proxy_pass http://ipOfHttpsServer:port/;
            proxy_set_header X_FORWARDED_PROTO https;
            #proxy_set_header Host $http_host;
        }
    }
When I try the "proxy_set_header Host $http_host" directive and "proxy_set_header Host $host" the web page can't be reached (page not found). But when I comment it, the ip of the https server is shown in the browser (which is bad).
Does anyone have an idea?
My other config files are:

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_hide_header X-Powered-By;
    proxy_intercept_errors on;
    proxy_buffering on;

    proxy_cache_key "$scheme://$host$request_uri";
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache:10m inactive=7d max_size=700m;

    user www-data;
    worker_processes 2;
    error_log /var/log/nginx/error.log;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        access_log /var/log/nginx/access.log;
        server_names_hash_bucket_size 64;
        sendfile off;
        tcp_nopush on;
        #keepalive_timeout 0;
        keepalive_timeout 65;
        tcp_nodelay on;
        gzip on;
        gzip_comp_level 5;
        gzip_http_version 1.0;
        gzip_min_length 0;
        gzip_types text/plain text/html text/css image/x-icon application/x-javascript;
        gzip_vary on;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    }

Thanks for your help!
I followed your advice and your example, and moved my cache directives to outside server blocks and proxy directives inside location blocks. I still have the exact same issue: when
proxy_set_header Host $host;
is written the https web site is unreachable through nginx. When I comment it, I can reach the https server through nginx but the lan ip address of the https server is displayed in the address bar, in spite of the proxy_pass directive and the proxy_redirect off. But it still works for the http server (the nginx's ip is displayed instead of the http server ip).
One more precision: I don't reach the https web page as soon as I go to http://addressOfMyNginx/. There is a warning page before because the certificate is not authenticated. On this page I still have http://addressOfMyNginx/ in the address bar. But when I follow the "continue to the web site anyway" link, I am redirected to the https website and then the ip address of the https server is displayed.
After reading debug logs, I have found:
2012/07/30 17:24:13 [debug] 4412#0: *75 http proxy header: "GET / HTTP/1.0^M Host: nameOfMMyNginxServer^M X-Real-IP: xxx.xxx.xxx.xxx^M X-Forwarded-For: xxx.xxx.xxx.xxx^M Connection: close^M Accept: text/html, application/xhtml+xml, */*^M Accept-Language: fr-FR^M User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)^M Accept-Encoding: gzip, deflate^M Cookie: a_cookie_which_has_nothing_to_do_with_my_nginx_and_mybackend_server^M
Where xxx.xxx.xxx.xxx is the public address of a server which has nothing to do with nginx or my backend server (and has nothing to do with the cookie mentioned before either).
I reloaded/restarted and cleared my browser's cache and nginx's cache a lot of times since I tested the server which could have concerned this cookie. But xxx.xxx.xxx.xxx has really really nothing to do with this all.
I can not comment on the last post because I posted with an anonymous account and I cleared my browser's cache. So SF did not recognize me as Vulpo anymore... (then I created an account).
-
Fleshgrinder over 11 years
Oh, now I see it. Move all your proxy directives inside the location block and the proxy cache zone directly before the server (inside the http) block. That should solve your issues.
-
Fleshgrinder over 11 years
I edited my answer, please have a look at it.