I have a reverse nginx proxy
location / {
autoindex off;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://owncloud/;
}
Now I want to prevent that users can go to https://url.tld/data and view the folder content... autoindex off; is not working.
I want to achieve this without changing the (owncloud) .htaccess because it's inside a docker container.
In which way is this possible?
(pulling from commment)
I don't think you are going to be able to accomplish this without chaning the own cloud configs. autoindex here isn't being used as it is just passing the request off to owncloud and owncloud is generating the content? you can block access to /data in ngnix.
I Solved it (thanks to #Doon) by blocking the access to the /data directory.
location /data {
deny all;
return 403;
}
You have to return 403 -> Forbidden (not 404) to pass the owncloud access test.
Related
I'm serving multiple nodejs apps on a single server through pm2 and using nginx to manage reverse proxies. Right now if I use the server's ip and app port to reach the apps directly it all works fine. But if I try to navigate to my apps through the location paths set in the nginx config then I get 404 errors.
Below is my nginx default config:
upstream frontend {
server localhost:3000;
}
upstream backend {
server localhost:8000;
}
server {
listen 443 ssl;
server_name <redacted>;
ssl_certificate <redacted>.cer;
ssl_certificate_key <redacted>.key;
error page 497 301 =307 https://$host:$server_port$request_uri;
location /app/frontend {
proxy_pass http://frontend;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
location /api {
proxy pass http://backend;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
}
server {
listen 80;
server_name <redacted>;
return 301 https://$server_name$request_uri;
}
Now when I try to go to https://<server ip>:3000, the frontend loads just fine but if I go to https://<server ip>/app/frontend, I get the following 404 error:
Although the index.html loads up, it tries to find the static assets on https://<server ip>/ but rather should try to find them on https://<server ip>:3000. This is the exact behaviour that I'm trying to achieve.
What I have tried so far:
Using rewrites
Adding trailing slashes to both location path and proxy_pass
I know this can be solved by changing the app's base url or the build directory but that is not what I'm looking for.
Any help would be highly appreciated.
i want to host two small websites, both made with strapi backend and react frontend, on my server which is a digital ocean droplet.
I already configured nginx in order to work for one of the websites and everything is working correctly. I can access strapi from site1.com/dashboard and my queries point to site1.com/api/graphql. I followed some tutorials for that.
Here are the nginx files i added:
/etc/nginx/sites-available/site1.com:
server {
listen 80;
listen [::]:80;
root /var/www/site1.com/react;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name site1.com www.site1.com;
location /api/ {
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://strapi;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
}
location /dashboard {
proxy_pass http://strapi/dashboard;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.html;
}
}
file /etc/nginx/conf.d/upstream.conf:
upstream strapi {
server 127.0.0.1:1337;
}
What i now want to do is to deploy another website to the same server and configure nginx to serve it as well (on another domain, for example site2.com).
So i added the nginx virtual server file for the second website, copying the first one and changing the domain name and root directory.
The site 2 frontend is now working correctly and accessible on its domain.
However when i start the site 2 strapi instance it says the port 1337 is already in use (obviously, it is used by site 1 strapi instance that is running with pm2). So i changed the port in strapi config to be 1338 (is it ok?) but now i don't know what do to in nginx in order to serve the two different strapi instances on different domains.
The hostname you are using for the proxy_pass directive is the upstream name you defined in the separate config file. This is basically an indirection to one or more real backends. In your case that's the application running on port 1337 on the same machine. It could also be a list of external domains where nginx takes care to distribute the load to.
Your approach with additional virtual hosts already looks good. The frontend that already "works" under site2 is probably the old instance served under the new domain if your proxy_pass directive still points to http://strapi for site2 (which probably still resolves to `localhost:1337).
As you already mentioned, a second instance of the backend needs to run on a different port. The port number you use is not really important as you will control this with your upstream configuration. Just make sure to not use a port number below 1024 (which requires root permissions), don't conflict with other processes on the system (you will notice) and as best practice, don't use port numbers that are default for some other protocols (maybe check this list).
To fix your setup, just define a second upstream like the first one but pointing to the new url e.g. localhost:1338 and then reference this new name in the proxy_pass directive of site2.
Technically, with just one backend per upstream, you could also skip the upstream part completely and reference the URL directly in the proxy_pass directives, but using a shorthand name can also support readability of your configuration.
I've spent all day yesterday and today learning how nginx works and I got two different domains working, one with Ghost blogging platform and a static page (future NodeJS app), now I'm trying to setup the subdomain, but I'm kind of frustrated because I feel like I'm almost there but it's not working... This is my current setup:
#Main Domain
server {
listen 80;
listen [::]:80;
server_name example.com;
root /var/www/portfolio;
index index.html;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
# proxy_pass http://127.0.0.1:2222;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
#Sub domain
server {
listen 80;
listen [::]:80;
server_name example.com/blog;
root /var/www/ghost/system/nginx-root;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
The idea is to create mysite.com/blog where eventually mysite would be a nodejs app, prob linking the route later will be another problem but... one at a time lol, how can I establish that subdomain?
If I separate the config file into a separate file, I would get the other domain working :/
Thanks
EDIT: I've found that with bucket in S3 on AWS I could acomplish that, but now I don't need it for what I'm doing jeje, but it's good to know.
First: it's not a subdomain, but a subfolder called blog.
If you want to run two apps where one appears in a subfolder, you could do the following
Define two upstreams / proxy pass them to different ports the
Have them in the same config file then
Have two location blocks (location / and location /blog)
Does that make sense? Otherwise one will probably shadow the other.
Note: This is not a complete answer, you probably will need to tinker a bit
As #Jonathan mentioned, from nginx's point of view this is the same site, but you need nginx to handle both locations differently.
Here's how it would look like
server {
listen 80;
listen [::]:80;
server_name example.com;
root /var/www/portfolio;
index index.html;
client_max_body_size 50m;
location / {
# your normal location settings
}
# your blog is defined here
location /blog {
root /var/www/ghost/system/nginx-root;
# You'll probably need to do a rewrite here, because a
# /blog/article needs to be passed as `/article` to the
# app server
# rewrite ^/blog/(.*) $1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
}
}
I've recently installed GitLab, and I'm using the bundled NGINX with it. I've been able to successfully set it up, and put it on mydomain.com/lab
Great! Only problem is that when you go to mydomain.com, it has a 404 page. Well, duh. I need to upload my index.html... but WHERE do I do it?
How can I add my index page to the bundled NGINX? Most of all, WHERE do I upload it?
I'm using CentOS 7, and for the love of God I swear I've looked in every directory and I have no idea where to throw my index page in. Please bear with my ignorance as I'm quite new to this.
It seems you have install GitLab under a relative url (subdomain), using the relative_url_root rule in gitlab.yml.
You can try in your gitlab nginx config file, to define a root and redirect the rest to another location, in which the gitlab reverse_proxy rules apply: see "Getting Nginx to point to a specific index.html"
location / {
root /custom path/for/index.html;
error_page 404 = #gitlab;
expires 30d;
}
location #gitlab {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
enter code hereI have a web application mapped with multiple domains. One of the domain is using SSL while other one is simple.
I tried to use NGINX with nodeJs. My HTTPs response is very very slow. Please have a look at the conf file and help me to get rid of this problem.
upstream myserver {
server 127.0.0.1:4502;
server 127.0.0.1:4500;
}
server {
listen 0.0.0.0:80;
server_name a.myserver.com;
access_log /var/log/nginx/nodetest.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://myserver/;
proxy_redirect off;
}
}
server {
listen 0.0.0:443;
server_name myapps.com;
access_log off;
ssl on;
ssl_certificate /mnt/drives/ssl_certificates/daffodilapps/ssl-bundle.crt;
ssl_certificate_key /mnt/drives/ssl_certificates/daffodilapps/ryans-key.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://myserver/;
proxy_redirect off;
It seems likely that your node.js application is not a factor, since you access it the same way in the end. Still, you might want to validate that by doing a performance test for http vs. https against a static page. If it turns out that nginx SSL performance is still poor, you might try changing the cipher suites that nginx offers, per the advice in Nginx Performance Tuning for SSL.
Also, you don't list what kind of VM you are using, but you might also try upgrading to a non-shared-core VM if you're currently on a f1/g1. The extra (and dedicated) CPU should help SSL performance, which is also mentioned in the article when they switched from a micro to a regular EC2 VM.