
NGINX enforce HTTPS


For my web app (an Angular app) we are using NGINX as the web server. I have a task where I need to make sure all assets/images are loaded over HTTPS.

In the browser dev tools, I see the request is sent over HTTPS. However, the response Location header comes back with an HTTP URL (see screenshot below).

screenshot from browser dev tools

Here are the current NGINX configs:

server {
    listen       80;
    server_name  localhost;
    root         /usr/share/nginx/html;

    # kill cache
    add_header Last-Modified $date_gmt;
    add_header Cache-Control 'no-store, no-cache';
    if_modified_since off;
    expires off;
    etag off;

    # Enforce HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Disable iFrames
    add_header x-frame-options "SAMEORIGIN" always;

    # detect and reject CRLF
    if ($request_uri ~* "%0A|%0D" ) {
        return 400;
    }

    # Fallback to default language if no preference defined by browser
    # ($accept_language is assumed to be set by a map in the http context)
    if ($accept_language ~ "^$") {
        set $accept_language "de";
    }

    # Redirect "/" to Angular app in browser's preferred language
    rewrite ^/$ /$accept_language permanent;

    # $is_args inserts the "?" only when a query string is present;
    # a bare $args would be glued onto the path
    if ($uri !~ ^/(en-US|de)) {
        return 301 /$accept_language$uri$is_args$args;
    }

    # Everything under the Angular app is always redirected to Angular in the correct language
    location ~ ^/(en-US|de) {
        # try_files tests file system paths, so the query string must not be appended
        try_files $uri $uri/ /$1/index.html;

        # Add security headers from separate file
        # include /etc/nginx/security-headers.conf;
    }

    location /health {
        access_log off;
        # default_type sets the Content-Type of the empty 200 body
        default_type text/plain;
        # add_header in a location replaces the server-level headers, so HSTS is repeated here
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        return 200;
    }
}

Any help is highly appreciated. Thanks

Gerald Schneider:
The server block for port 80 is pretty irrelevant here, you need to post the server block for port 443.
@GeraldSchneider We have no server block for port 443; the NGINX lives behind a load balancer.
Richard Smith:
Either use [`absolute_redirect off;`](http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect) or specify `https` explicitly in your `rewrite` and `return` statements as described in the answer below.
Answer:

I can see that nginx is redirecting to /en-US/ in your case.

if ($uri !~ ^/(en-US|de)) {
  # $is_args adds the "?" only when a query string exists
  return 301 /$accept_language$uri$is_args$args;
}

I assume that since the internal communication (between LB and nginx) is happening over http/80, nginx just redirects the load balancer over http, and that's why you see http in the location header.

I'm not sure if the .png files are actually delivered to the user via http. Can you access the .png files directly from http? If not, the access is actually delivered over https, and http communication is only happening internally. If you can, then you should set up redirecting from http to https on the load balancer side.

If you want to force https internally as well, I would try it like this:

# explicit scheme, and $is_args so the query string is separated correctly
return 301 https://$host/$accept_language$uri$is_args$args;

You can also check absolute_redirect as mentioned by Richard in the comments.

Thanks for your insightful answer. I tried all of them before and also set the LB to redirect HTTP to HTTPS, which is also working fine. I just made another discovery: the response headers have different Location values across browsers.

Chrome: location: http://host/en-US/assets/images/yammer.png
Firefox: location: https://host/en-US/assets/images/yammer.png
Edge: location: https://host/en-US/assets/images/yammer.png

Any idea what could be causing this behavior?
GChuf:
Browsers do lots of stuff differently, from interpreting CSS to headers... I can't answer your question; I usually just accept the fact that different browsers behave differently. If you can confirm (with curl, for example) that you cannot reach your files through http and that you're redirected, I wouldn't worry about what the headers say.
curl behaves as expected: the HTTP request is redirected to HTTPS, and I see the redirection is done by the LB. Thanks for your support so far.
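As an added example (not the configuration posted in the question or the answer), here is how the two suggestions from the thread, `absolute_redirect off;` and an explicit scheme in the redirect, can be written for an nginx that sits behind a TLS-terminating load balancer. It assumes the load balancer sets `X-Forwarded-Proto` on every request and is the only thing that can reach port 80, and that `$accept_language` comes from a map in the http context as in the question.

```nginx
# Added example, not the configuration from the question or the answer.
# Assumption: the load balancer terminates TLS, forwards to nginx on port 80
# and sets X-Forwarded-Proto. Only the load balancer may reach this port;
# a client that could connect directly would be able to set the header
# itself and choose the scheme written into the redirect.

# http {} context: the scheme the client really used, as reported by the LB.
# Falls back to the scheme nginx saw on its own socket when the header is absent.
map $http_x_forwarded_proto $client_scheme {
    default $scheme;
    https   https;
    http    http;
}

server {
    listen      80;
    server_name localhost;
    root        /usr/share/nginx/html;

    # Option 1: emit relative Location headers such as "/de/assets/x.png".
    # The browser resolves them against the URL it requested, so a request
    # made over https stays on https without nginx knowing the scheme.
    # This also covers "rewrite ... permanent" redirects.
    absolute_redirect off;

    # Option 2: build an absolute Location with the scheme the LB reported.
    # Pick one option; with absolute_redirect off a path-only return already
    # yields a relative Location, and any "rewrite ... permanent" would
    # otherwise still use $scheme (http) for its absolute Location.
    location = / {
        return 301 $client_scheme://$host/$accept_language;
    }

    if ($uri !~ ^/(en-US|de)) {
        return 301 $client_scheme://$host/$accept_language$uri$is_args$args;
    }

    location ~ ^/(en-US|de) {
        try_files $uri $uri/ /$1/index.html;
    }
}
```

Check from outside the load balancer with `curl -sI https://host/` that the Location value now carries `https://` (or is a relative path).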