Join Log in
Score:0
suprovsky avatar Server

Prevent nginx from rewriting a port in location header

hu flag
suprovsky

so I run a Laravel application in an nginx container, to which I give access to through another nginx acting as a reverse proxy. The container exposes a port 8123/tcp for accessing the service. The problem is that for some reason nginx adds a port to the address at some point, so let's say I access https://app.example.com, then the container redirects to http://app.example.com/docs and then redirects to http://app.example.com:8123/docs/. Here is the configuration I use for the reverse proxy:

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name app.example.com;
        access_log /var/log/nginx/app.example.com-access.log;
        error_log /var/log/nginx/app.example.com-errors.log;
        add_header Referrer-Policy same-origin;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        location / {
                proxy_redirect off;
                port_in_redirect off;
                proxy_pass http://127.0.0.1:8123;
                proxy_http_version 1.1;
                proxy_set_header Host $http_host;
                proxy_set_header Location $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
        }
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/dhparams_4096.pem;
}
server {
        listen 80;
        listen [::]:80;
        server_name app.example.com;
        return 302 https://app.example.com$request_uri;
}

This one is for the container with nginx inside:

worker_processes 1;
error_log stderr debug;
pid /run/nginx.pid;

user  www-data; #user must be the same as the one running php

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    fastcgi_keep_conn on;
    fastcgi_buffering on;
    fastcgi_buffer_size 512k;
    fastcgi_buffers 128 256k;

    # Tune nginx keepalives to work with the GCP HTTP(S) Load Balancer:
    keepalive_timeout 65;

    # Define custom log format to include reponse times
    log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          '$request_time $upstream_response_time $pipe $upstream_cache_status';

    access_log /dev/stdout main_timed;
    error_log /dev/stderr debug;

    # Write temporary files to /tmp so they can be created as a non-privileged user
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp_path;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;



    # Default server definition
    server {
        listen 8123;
        server_name _;
        access_log /dev/stdout main_timed;
        error_log /dev/stderr debug;
        index index.php index.html;

        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";

        # Defined in Cloud run
        client_max_body_size 300M;

        root /var/www/app/public;

        location / { try_files $uri $uri/ try_files $uri $uri/ /index.php$is_args$args; }

        location ~ .php$ {
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/tmp/php-fpm.sock;

                fastcgi_index index.php;
                fastcgi_read_timeout 300;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ /\. {
                deny all;
        }

        location = /favicon.ico {
            access_log     off;
            log_not_found  off;
        }
        location ~*  \.(woff|woff2|svg|jpg|jpeg|png|gif|ico)$ {
            expires 1d;
        }
        location ~* \.(js|css)$ {
            expires 20m;
        }
        location ^~ /storage/app/docs {
                    deny all;
        }
        # Allow fpm ping and status from localhost
        # location ~ ^/(fpm-status|fpm-ping)$ {
        #     access_log off;
        #     allow 127.0.0.1;
        #     deny all;
        #     #allow all;
        #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #     include fastcgi_params;
        #     fastcgi_pass unix:/tmp/php-fpm.sock;
        # }
    }

    gzip on;
    gzip_proxied any;
    gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;
    gzip_vary on;
    gzip_disable "msie6";

    # Include other server configs
    include /etc/nginx/conf.d/*.conf;

EDIT 1: I haven't noticed that I'm including other config files, so here are they:

fastcgi_params


fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

/etc/nginx/conf.d folder is empty.

What do I do wrong?

29
0 + 0
in flag
Gerald Schneider
The second redirection does not happen in nginx, but in your application. Configure your application with the correct base url (without the port).
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.