NGINX is forwarding HTTPS traffic on some URLs incorrectly to HTTP on port 443

This is a Docker container with NGINX and Jenkins in the same container, running with supervisord. The Docker container is running behind an ELB in AWS ECS.

NGINX is supposed to forward traffic from http://jenkins to https://jenkins.

What happens is that traffic:

  • https://jenkins/computer/ --> goes to https ✅

  • https://jenkins/computer --> goes to http and port 443 ❌

Config:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www/;
    index index.html index.htm;

    client_max_body_size 10M;

    server_name jenkins;
    ignore_invalid_headers    off;

    location / {
        allow vpnip/32;
        deny all;

        proxy_set_header        Host $host:$server_port;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass          http://127.0.0.1:8080;
        proxy_read_timeout  90;
        proxy_redirect      http://127.0.0.1:8080 https://jenkins;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        if ($http_x_forwarded_proto != "https") {
            rewrite ^(.*)$ https://$server_name$1 permanent;
        }
    }
}

Output:

https://jenkins/computer
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
302 Found
Date: Tue, 21 Jul 2020 13:35:47 GMT
Location: http://jenkins:443/computer/
Server: nginx
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: keep-alive

What could be the reasons that this happens?
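As an added check (not part of the original question or answer), the script below classifies a redirect target the way an operator would triage the 302 shown above: it flags an https-to-http downgrade and a Location whose explicit port belongs to the other scheme, which is exactly the `http://jenkins:443/...` shape in the output. The sample response is constructed from the headers in the question.

```python
"""Triage a reverse-proxy redirect for scheme/port mismatches (added example)."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: the response headers quoted in the question.
SAMPLE_RESPONSE = """302 Found
Date: Tue, 21 Jul 2020 13:35:47 GMT
Location: http://jenkins:443/computer/
Server: nginx
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: keep-alive
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def location_header(raw_response: str) -> Optional[str]:
    """Return the Location header value, or None if the response is not a redirect."""
    for line in raw_response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def classify_redirect(request_url: str, location: str) -> List[str]:
    """List the problems with redirecting request_url to location.

    'downgrade': https request redirected to an http URL.
    'port-scheme-mismatch': explicit port is the default of the *other* scheme
        (http on 443 or https on 80), i.e. scheme and port came from different
        sources (e.g. X-Forwarded-Proto vs. a Host header carrying $server_port).
    'host-changed': redirect leaves the requested host.
    """
    src, dst = urlsplit(request_url), urlsplit(location)
    problems: List[str] = []
    if not dst.scheme:  # relative Location inherits the request's scheme; nothing to flag
        return problems
    if src.scheme == "https" and dst.scheme == "http":
        problems.append("downgrade")
    other_scheme = "https" if dst.scheme == "http" else "http"
    if dst.port is not None and dst.port == DEFAULT_PORTS[other_scheme]:
        problems.append("port-scheme-mismatch")
    if dst.hostname != src.hostname:
        problems.append("host-changed")
    return problems


def check_sample() -> List[str]:
    """Run the triage against the constructed sample response."""
    return classify_redirect("https://jenkins/computer", location_header(SAMPLE_RESPONSE))
```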

I use nginx and python/gunicorn (production Flask service) in the same container, and it looks to me like your config is simply way more complex than what you need.

Here's what I have

http {
    .... [other stuff] ....

    upstream my_servers {
          server unix:/ram/gunicon_1.sock;
          server unix:/ram/gunicon_2.sock;
    }

    server {
        listen 800 ssl;
        server_name localhost;

        ssl_certificate      certkey.pem;
        ssl_certificate_key  certkey.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;


        location / {
            proxy_pass http://my_servers;
        }
    }
}

In this set-up I am running two instances of gunicorn on two different unix sockets and getting nginx to load balance between them (round-robin).

If you only have a single Jenkins instance on a unix socket, you can

           proxy_pass http://unix:/ram/my_socket.sock;

Or an IP address, whatever you are running Jenkins on.

A unix socket is more efficient than a TCP socket, if you are having a lot of connect/disconnect cycles.
