Does anyone know whether Varnish 3.0.2 supports HTTP-to-HTTPS redirection?
I have a Varnish cache server behind an SSL terminator (an AWS external load balancer on which I set an HTTP and an HTTPS listener).
When Varnish receives an HTTP request, I would like it to redirect to HTTPS and send the response (request?) directly back to the load balancer; the load balancer will then receive the response as an HTTPS request and forward it to Varnish, which will then forward it to its own backend.
But it seems my Varnish cache doesn't redirect back to the load balancer and instead redirects the HTTPS request to its backend.
However, I don't have an HTTPS backend behind Varnish, and I get a timeout when I issue an HTTP request.
When the client enters https in the browser, it works. The problem is with HTTP requests.
Here is my configuration:
In vcl_recv:
    if (client.ip != "127.0.0.1" && req.http.host ~ "^(?i)mydomain.com" && req.http.X-Forwarded-Proto !~ "(?i)https") {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        #return(synth(850, "Moved permanently"));
        error 850 "Moved permanently";
    }
In vcl_error:
    if (obj.status == 850) {
        set obj.http.Location = req.http.x-redir;
        set obj.status = 302;
        return (deliver);
    }
Can someone help, please? I can't upgrade my Varnish version manually at the moment.
Thanks
I solved the problem.
The security group of the ELB was only allowing connections on port 443. I added port 80 for the HTTP listener and it works.
Related
I have a Node.js app running inside a Docker container on port 3050. If I allow the port through the firewall, then everything works fine. But if I try to ProxyPass it, then the app seems to receive GET instead of POST.
    ProxyPass / http://localhost:3050/
When I look at the access log, Apache receives the request as a POST. But logging req.method in Express.js results in GET. I have also tried loads of other settings:
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:3050/
    ProxyPassReverse / http://localhost:3050/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
The strangest thing is that I am proxying lots of other services like GitLab and Keycloak without any problem.
Could it be something to do with HTTP 1.1 or HTTP 2? Or does my httpd server have some setting messed up?
I was only testing with Postman... obviously in future I should try curl or something as well. Turns out that Postman has a setting "Redirect with the original HTTP method instead of the default behavior of redirecting with GET." which is turned off by default. I don't know whether the browser will behave like this, but at least now it seems to be working.
Update:
Actually it wasn't even that setting. It was because I had not prefixed the URL with https:// due to a training course which excluded the protocol because we weren't working with secure. So the httpd server proxied port 80 to 443 and Postman didn't handle it correctly. As I would be hitting https directly in production, it shouldn't be a problem.
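Added example, not part of the posts above: the symptom from this thread (the front end logs POST, the application logs GET) reproduced with Python's standard library. The local server, the paths /plain and /secure and the form body are constructed for the demo; urllib stands in for the HTTP client and, like many clients, reissues a POST as GET after a 302.

```python
import http.server
import threading
import urllib.request


def methods_seen(status=302):
    """POST to /plain, which redirects to /secure; return (path, method) per hop."""
    seen = []

    class Handler(http.server.BaseHTTPRequestHandler):
        def handle_any(self):
            # Drain the request body before answering.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            seen.append((self.path, self.command))
            if self.path == "/plain":
                # Stand-in for the port-80 virtual host that redirects to HTTPS.
                self.send_response(status)
                self.send_header("Location", "/secure")
            else:
                # Stand-in for the proxied application.
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        do_GET = do_POST = handle_any

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/plain" % server.server_address[1]
        req = urllib.request.Request(url, data=b"user=alice", method="POST")
        # Empty ProxyHandler: ignore any proxy configured in the environment.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        opener.open(req, timeout=5).close()
    finally:
        server.shutdown()
        server.server_close()
    return seen


if __name__ == "__main__":
    for path, method in methods_seen():
        print(path, method)
```

The first hop records POST and the second records GET with the body dropped, which is why the access log on the redirecting host and the application log disagree.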
I have the following nginx configuration:
    if ($host != mydomain.com) {
        return 403;
    }
When I hit the url http://127.0.0.1/test/test2/index.php (from POSTMAN) I get 403. Fine. But adding a Host -> mydomain.com in Headers I get 200.
When I added add_header Host "$host"; to the nginx configuration, I noticed in the response that nginx has mydomain.com in its host variable. I know intentionally mentioning the Host header in an HTTP request overrides 127.0.0.1 according to the nginx documentation.
But in this way an attacker can send requests directly to the web server, bypassing the Cloudflare WAF. So what's the solution to block such requests from nginx?
I have tried the following solutions, but they didn't work for me.
https://www.digitalocean.com/community/questions/how-to-block-access-using-the-server-ip-in-nginx
https://blog.knoldus.com/nginx-disable-direct-access-via-http-and-https-to-a-website-using-ip/
"When I hit the url http://127.0.0.1/test/test2/index.php (from POSTMAN) I get 403. Fine. But adding a Host -> mydomain.com in Headers I get 200."
If I understand correctly, you seem to think that "adding a Host" header in your request is somehow a bypass. And it's not ... it's how hostnames work in HTTP.
A server doesn't magically know that you typed http://domain.tld/test/ in your browser address bar. Your browser makes a DNS lookup for domain.tld and establishes a TCP connection with the resolved IP address; it then sends headers, which is where the server gets the information from:
    GET /test/ HTTP/1.1
    Host: domain.tld
That's the only way the server knows you requested http://domain.tld/test/.
Add this block:
    server {
        listen 80 default_server;
        server_name "";
        return 444;
    }
OR
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 444;
    }
The “default_server” parameter cannot be present in any other server block. NGINX Block direct IP access.
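Added example, not part of the answers above: because the Host header is client-supplied, a catch-all server block only rejects requests that do not name the site, so requests that name it but did not arrive through the proxy have to be recognised by peer address. This example flags them in an access log; the log format ($remote_addr "$host" "$request" $status), the sample lines and the trusted ranges (documentation prefixes standing in for the provider's published ranges) are assumptions.

```python
import ipaddress
import re

# Assumptions (not from the page): nginx writes a custom log format,
#   $remote_addr "$host" "$request" $status
# and TRUSTED_PROXIES holds placeholder documentation ranges standing in for
# the address ranges the CDN/WAF provider publishes.
SITE_HOST = "mydomain.com"
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<host>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3})$')

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.10 "mydomain.com" "GET /test/test2/index.php HTTP/1.1" 200
198.51.100.7 "127.0.0.1" "GET /test/test2/index.php HTTP/1.1" 403
198.51.100.7 "mydomain.com" "GET /test/test2/index.php HTTP/1.1" 200
2001:db8::5 "MyDomain.com" "POST /login HTTP/1.1" 200
192.0.2.44 "mydomain.com" "GET / HTTP/1.1" 200
not a log line
"""


def from_trusted_proxy(peer):
    """True if the TCP peer address lies inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)


def direct_origin_hits(log_text):
    """Return (peer, request) for served requests that named the site but skipped the proxy."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        try:
            trusted = from_trusted_proxy(m["peer"])
        except ValueError:
            continue  # peer field is not an IP address
        named_site = m["host"].lower() == SITE_HOST
        served = m["status"] not in ("403", "444")
        if named_site and served and not trusted:
            hits.append((m["peer"], m["request"]))
    return hits


if __name__ == "__main__":
    for peer, request in direct_origin_hits(SAMPLE_LOG):
        print("direct-to-origin:", peer, request)
```

Any hit means the origin accepted a request that never passed the WAF; the same peer-address test, enforced at the firewall or in the server configuration, closes the path.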
I tried to exclude robots.txt from the Varnish cache by using the following lines of code in default.vcl:
    if(req.url ~ "^/robots\.txt$") {
        return(pass);
    }
Now the Network tab in dev tools shows Age: 0 and X-Cache:MISS. But for some reason Varnish does not exclude the file from being cached. I even deleted the file from its location. But still it's loading the url https://www.example.com/robots.txt
I also purged the Varnish cache using the following commands:
    curl -X PURGE www.example.com/robots.txt
and
    varnishadm "ban req.http.host == www.example.com && req.url ~ ^/robots.txt"
and
    varnishadm "ban req.http.host ~ www.example.com && req.url ~ ^/robots.txt"
It shows the 200 Purged message, but still no luck.
Can anyone help me out?
"I even deleted the file from its location. But still it's loading the url https://www.example.com/robots.txt" -- maybe your browser is caching it.
Sending a PURGE request to Varnish will only remove the object from the cache, not from the backend, so if you PURGE something from Varnish and then send a GET request to it, it will serve the object to you for sure.
If you want it to be lost forever, you need to remove it from your backend.
Hi, I am trying to redirect a URL and access it using a backend, but I am stuck on the configuration. My initial configuration is:
    acl url_tag18 path_beg /v1
    use_backend cdn if url_tag18
    backend cdn
        reqrep ^([^\ ]*\ )/v1(.*) wp/\1
        server web02 24.222.145.72:80 cookie A check
I am trying to convert the URL below
    http://example.com/v1/auth_score/ghts/hjk/klk/jkjlj.js
to
    http://example.com/wp/example.com/v1/auth_score/ghts/hjk/klk/jkjlj.js
Please help me to
Change reqrep in your backend to something like this:
    reqirep ^([^\ :]*)\ /v1/(.*) \1\ /wp/example.com/v1/\2
I have solved my question using the code below in HAProxy:
    acl url_tag19 path_beg -i /v1
    use_backend cdn if url_tag19
    redirect prefix /wp/example.com if url_tag19
To solve a CORS issue, I need to remove my server port and use Apache to redirect to my Tomcat with the port.
Example: HTTP GET URL localhost/app1/somerequest; my Apache server will redirect to localhost:8080/app1/somerequest. So how can this redirect work when I use Node.js?
If you want to proxy the request, use node-http-proxy.
If you want to redirect the request, see this