Current nginx config:
server {
    listen 443 ssl http2;
    server_name NAME www.NAME;
    charset utf-8;
    ssl on;
    ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
    location /static/ {
        alias /home/ubuntu/NAME/static_collection/;
    }
    location /media/ {
        alias /home/ubuntu/NAME/media_collection/;
    }
    location / {
        proxy_pass http://localhost:8002;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Everything works, apart from the websockets. I suppose this is because it doesn't deal with the http upgrade header... I've looked at the docs, but I can't figure out how to modify this config without breaking anything else.
Try this. Let me know if it works.
server {
    listen 443 ssl http2;
    server_name NAME www.NAME;
    charset utf-8;
    ssl on;
    ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
    location /static/ {
        alias /home/ubuntu/NAME/static_collection/;
    }
    location /media/ {
        alias /home/ubuntu/NAME/media_collection/;
    }
    location / {
        proxy_pass http://localhost:8002;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_read_timeout 86400;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
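The same fix written with the map idiom from the nginx WebSocket proxying documentation, as an added example that is not part of the original answer: the Connection header is set to "upgrade" only when the client actually sent an Upgrade header, and ordinary requests get "close", so the backend never sees a stray Upgrade on plain HTTP traffic. This map is also what defines the $connection_upgrade variable referenced in the Elastic Beanstalk 00_application.conf further down the page. NAME and the certificate paths are the asker's placeholders; the timeout value is my choice.

```nginx
# Added example, not the asker's or answerer's config.
# The map belongs in the http {} context, above the server block:
# if the client sent "Upgrade: websocket", $connection_upgrade is "upgrade";
# if no Upgrade header is present (normal requests), it is "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # "listen ... ssl" already enables TLS; the separate "ssl on;" directive
    # is deprecated and is left out here.
    listen 443 ssl http2;
    server_name NAME www.NAME;
    charset utf-8;
    ssl_certificate     /etc/nginx/ssl/NAME-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;

    location /static/ {
        alias /home/ubuntu/NAME/static_collection/;
    }
    location /media/ {
        alias /home/ubuntu/NAME/media_collection/;
    }

    location / {
        proxy_pass http://localhost:8002;
        proxy_redirect off;

        # The Upgrade mechanism is HTTP/1.1 only; the default proxy version is 1.0.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # nginx closes a proxied connection that has been idle longer than
        # proxy_read_timeout (default 60s), which also ends idle WebSockets.
        # One hour is an assumed value; pick what the application's ping
        # interval needs rather than an unbounded timeout.
        proxy_read_timeout 3600s;
    }
}
```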
Related
I'm trying to use WSO2 Identity Server behind a reverse proxy so that the IP and port are not exposed when I use WSO2 custom pages like "Create Password" and "Reset Password", but I'm getting an error.
When I try to log in on Carbon it redirects to login_action.jsp and shows:
login_action.jsp - 403 Forbidden.
The steps I took to configure it were:
deployment.toml
[server]
offset = "1"
hostname = "example.com"
node_ip = "xxx.xxx.xx.xxx"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
proxy_context_path = "/is"
[transport.https.properties]
proxyPort = 443
nginx.conf
server {
    server_name example.com;
    access_log /var/log/nginx/dev_mtz_access.log;
    error_log /var/log/nginx/example.com.error_log debug;
    proxy_cache one;
    proxy_cache_key $request_method$request_uri;
    proxy_cache_min_uses 1;
    proxy_cache_methods GET;
    proxy_cache_valid 200 1y;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/certs/cup.crt;
    ssl_certificate_key /etc/letsencrypt/private/cup.key;
    rewrite \w*(carbon|admin)$ $1/ permanent;
    location /is/ {
        proxy_pass https://csm-wso2-is:9444/;
        proxy_redirect https://example.com/authenticationendpoint/ https://example.com/is/authenticationendpoint/;
        proxy_redirect https://example.com/accountrecoveryendpoint/ https://example.com/is/accountrecoveryendpoint/;
        proxy_redirect https://example.com/oauth2/ https://example.com/is/oauth2/;
        proxy_redirect https://example.com/carbon/ https://example.com/is/carbon/;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        # Proxy headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Host $host;
        # Proxy timeouts
        proxy_connect_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
    }
    location /carbon/admin/js/csrfPrevention.js {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://example.com/is/carbon/admin/js/csrfPrevention.js;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
I didn't find any documentation explaining how to achieve this, only for WSO2-APIM.
If you don't need a subcontext, the easiest way is to route everything coming to the root context (/) to port 9443. Here is a sample Nginx config block.
upstream ssl.wso2.is.com {
    server xxx.xxx.xxx.xx3:9443;
    server xxx.xxx.xxx.xx4:9443;
    ip_hash;
}
server {
    listen 443;
    server_name is.wso2.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/wrk.crt;
    ssl_certificate_key /etc/nginx/ssl/wrk.key;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://ssl.wso2.is.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
The documentation is here.
For testing, I added Playground into the project.
In the http://localhost:5000/playground case, everything is OK: it connects to the Spring Boot backend and listens for notifications.
Now, in Elastic Beanstalk, I cannot fetch the subscription schema (notifications).
To make the wss work, I added these 2 lines to .platform\nginx\conf.d\https.conf
(according to the question "graphql subscription Could not connect to websocket endpoint at elastic beanstalk"):
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
so the result is
# .platform\nginx\conf.d\https.conf
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/XXXXXX.us-east-1.elasticbeanstalk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXXXXX.us-east-1.elasticbeanstalk.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Upgrade $http_upgrade;   # HERE
        proxy_set_header Connection "upgrade";    # And HERE
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# .platform\nginx\conf.d\elasticbeanstalk\00_application.conf
location / {
    if ($http_x_forwarded_proto = "http") {
        set $redirect "https";
    }
    if ($http_x_forwarded_proto = "ws") {
        set $redirect "wss";
    }
    if ($http_user_agent ~* "ELB-HealthChecker") {
        set $redirect "nope";
    }
    if ($redirect = "https") {
        return 301 https://$host$request_uri;
    }
    if ($redirect = "wss") {
        return 301 wss://$host$request_uri;
    }
    proxy_pass http://127.0.0.1:5000;
    proxy_http_version 1.1;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
How do I have to set files in .platform\nginx\conf.d to handle this issue?
When I use this config, I get the error "No such file or directory", but the docs say that I can use variables.
server {
    listen 443 ssl;
    server_name ~^(?<sub>.+)\.domain$;
    ssl_certificate /etc/letsencrypt/live/$sub.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$sub.domain/privkey.pem;
    location /.well-known {
        alias /var/www/.well-known;
    }
    location / {
        proxy_pass http://$sub.domain:8000;
        proxy_set_header Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The stack is: Ubuntu // Supervisor // Nginx <--> Gunicorn <--> Django 1.11
Static files folder: /home/sitebiz/sitebiz/static/
Nginx config: /etc/nginx/sites-enabled/site.biz
server {
    listen 80;
    listen [::]:80;
    access_log off;
    server_name site.biz;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    #listen 80 ssl;
    server_name site.biz;
    ssl_certificate /etc/letsencrypt/live/site.biz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.biz/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    #listen 80;
    gzip on;
    access_log /var/log/nginx-access.log;
    error_log /var/log/nginx-error.log;
    location /static {
        root /home/sitebiz/sitebiz;
        internal;
    }
    location /track {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
        proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8899;
            break;
        }
    }
    location /income {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
        proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8899;
            break;
        }
    }
    location / {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
        proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8000;
            break;
        }
    }
}
I tried changing the ownership of the /home/sitebiz/sitebiz/static/ directory and all of its contents to the sitebiz user and to www-data, but neither helped.
Not even Django itself can serve the static files, and I have no idea why.
From django settings:
import os

# SITE_ROOT is the directory that contains settings.py; BASE_DIR comes from
# the standard Django settings header, which is not shown in this excerpt.
SITE_ROOT = os.path.abspath(os.path.dirname(__file__))
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(SITE_ROOT, 'static')
Thank you in advance.
I have no idea why, but the solution from the post works fine.
Just execute in a shell:
sudo chmod o+x /root
If someone could explain the logic - why the root folder must have execute permission - I would be very thankful (and upvoteful).
I'm trying to set up a project using django, gunicorn and nginx and I'm having trouble with the nginx configuration. More precisely when I use try_files.
If I use if (!-f $request_filename) {...} everything works fine, but if I use
try_files ... Django raises the exception:
Invalid HTTP_HOST header: 'myproject_server'. The domain name provided is not valid according to RFC 1034/1035.
Since everything works using the if ..., I assume that the other settings
(gunicorn etc.) are correct.
The configuration files I'm using are:
/home/myproject/myproject/settings.py (django)
...
ALLOWED_HOSTS = ['192.168.200.100']  # hosts must be strings
...
/etc/nginx/sites-available/myproject (this one WORKS)
upstream myproject_server {
    # nginx syntax is "server unix:<path>"; nginx variable names are lowercase
    server unix:/home/myproject/run/gunicorn.sock fail_timeout=0;
}
server {
    listen 80;
    server_name 192.168.200.100;
    root /home/myproject;
    location /media/ {}
    location /static/ {}
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        if (!-f $request_filename) {
            proxy_pass http://myproject_server;
            break;
        }
    }
}
/etc/nginx/sites-available/myproject (this one DOES NOT WORK)
upstream myproject_server {
    server unix:/home/myproject/run/gunicorn.sock fail_timeout=0;
}
server {
    listen 80;
    server_name 192.168.200.100;
    root /home/myproject;
    location /media/ {}
    location /static/ {}
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # named locations use the @ prefix
        try_files $uri @myproject_backend;
    }
    location @myproject_backend {
        proxy_pass $scheme://myproject_server;
    }
}
What am I doing wrong?
Thanks in advance for any help.
PS: English is not my native language so I apologize for the (many) errors.
proxy_set_header should be in the same location as proxy_pass.
location / {
    try_files $uri @myproject_backend;
}
location @myproject_backend {
    # these headers apply only to requests proxied from this location
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://myproject_server;
}