ssl – Nginx fails to proxy to Node

I have a running Node app that is live and works fine on http and https.

I set up Nginx and it is also running fine, tested with an SSH tunnel, and it is getting a correct response from static files (such as MyPath/index.html).

However, I am trying to get Nginx to work as a reverse proxy for Node, because I want to make another app on my machine, and Nginx should sort the incoming requests for each app.

But there seems to be an issue with Nginx I cannot figure out. I suspect it is a config problem. When I try to reach my Node app, I always get an error page from my browser, saying that there is an SSL issue.

Nginx config

server {
        listen [::]:4444 default_server;
        server_name localhost mysite.com www.mysite.com;    

        access_log /home/mysite/access-log;    

        location / {
            proxy_pass http://127.0.0.1:5555;
        }
}    

I tried changing http://127.0.0.1:5555 to https://127.0.0.1:6666 but that didn’t change anything.

Node app

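// Node core modules used by the snippets below
const fs = require('fs');
const http = require('http');
const https = require('https');

const port = 5555;        // plain HTTP listener
const secureport = 6666;  // HTTPS listener

// Placeholder paths as posted
const privateKey = fs.readFileSync('PATHTOCERT');
const certificate = fs.readFileSync('PATHTOKEY');
const credentials = {key: privateKey, cert: certificate};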


I use an express app instance here, also configured CSP with helmet. But I don’t think that’s the problem, because I disabled helmet and that did not solve anything.

const httpServer = http.createServer(app);
const httpsServer = https.createServer(credentials, app);    

httpServer.listen(port);
httpsServer.listen(secureport);

linux – Create subdomains under a single IP/domain in an Nginx Reverse Proxy?

I’d like to be able to create a subdomain in Nginx Reverse proxy. As it stands right now, I have a properly configured and usable reverse proxy that resolves properly. The problem arises when I try to get it to play nice with an apache server that I need multiple subdomains for. I’d like to create a subdomain such as johnsmith.example.com. My main domain example.com points to an apache2 server, which is currently up, pinging, and loads the default apache page. I’m currently unable to figure out the necessary reverse proxy configuration to point the reverse proxy to the subdomain properly. Am I supposed to create separate site-enabled configurations for the subdomain, as I have with example.com.conf? Or do I need to add subdomain configuration inside of example.com.conf in /etc/nginx/sites-available?

Here is the nginx reverse proxy example.com.conf in /etc/nginx/sites-available (changed names for domains, assume everything EXCEPT for johnsmith.example.com resolves and is set up properly. Also ignore SSL stuff, as this isn’t a certbot oriented problem/question):

#example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             example.com;

    # reverse proxy
    location / {
        proxy_pass "http://internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}


##johnsmith.example.com
server {
    listen                  443;# ssl http2;
    listen                  [::]:443;# ssl http2;
    server_name             johnsmith.example.com;


    # security
    include                 nginxconfig.io/security.conf;

    # reverse proxy
    location / {
        proxy_pass "internal.DNS.URL";
        include    nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name johnsmith.example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://johnsmith.example.com$request_uri;
    }
}

Note: I have created a separate configuration (/etc/nginx/sites-available/johnsmith.example.com.conf) and it did not work. This is just what I’ve tried last.

My DNS record for this subdomain is:

Type: CNAME Record | Host: johnsmith | Target: example.com
Type: CNAME Record | Host: www.johnsmith | Target: example.com

Like I’ve said above, assume everything resolves except for this particular subdomain. Please let me know what other information would be useful for solving this problem.

Thank you for your time.

Feature-rich SEO Proxy Server – MyDreams.cz – 100% Customer Satisfaction! | NewProxyLists

MyDreams innovations s.r.o. is a company that has been operating in the field of hosting services since 2004. First as a self-employed person and now as a company. MyDreams team members are people with many years of experience.

The SEO Proxy Server service contains one proxy server account.
Click here for more details: https://www.mydreams.cz/en/saas-servers/proxy-server.html
Price – 100 CZK/each

Parameters:

  • Web proxy server
  • One Czech IP address assigned to a specific user
  • IP address secured via login information
  • Unlimited traffic
  • 100Mbps redundant full-duplex connectivity

Suitable for:

  • Anonymous web browsing
  • Foreign approaches through Czech IP addresses

If you have any questions, you are free to CONTACT US!

Android phone as 4G proxy server

I am trying to turn my old phone (Xiaomi Mi5) into a 4G proxy server which I can use with different apps, for scraping data etc. I have been searching for how to set it up and I found some articles, but they are not very clear. I am really a newbie and I have no idea how to set it up. I have bought 2 Android apps, Proxy Server pro and Servers Ultimate pro, and am having trouble configuring them. These are the steps I have followed:

Servers Ultimate pro
- Add a proxy server
In the general tab I didn't touch anything

- Rules tab: added a new rule. HOST CONTAINS: I put my public IP address, which I found at myip.com
REPLY WITH THIS IP: 127.0.0.1 Port: 1080

Now when I try to test it I get no connection.

Easy to configure deny all except proxy?

I’m trying to set up a proxy in a very small enterprise setting (< 10 employees)

I’m looking for something that allows me to:

  • refuse requests by default …
  • … unless in the exception list (eg only allow some domains)
  • logs every URL, who asked for it, and whether it was accepted or denied (I don’t need content)
  • is based on client/server and not “same machine”, yet is fairly easy to set up (which is where I’m having issues: I find stuff that does everything but seems overly complex to configure, or simple stuff that is made to be used on the computer doing the requests)

I don’t need cache
I don’t need path filtering (simple ip/domain will do)
I don’t need authentication (every user will have the same permissions, logging by source IP is enough)

What would you recommend for that ?
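
The policy this question asks for (refuse by default, allow only listed domains or IPs, log the source IP, the requested URL and the verdict) can be expressed as one per-request decision step. The following is an added example, not part of the original post; the allowlist entries, function names and sample requests are constructed for illustration.

```python
import ipaddress
import logging
from typing import Optional
from urllib.parse import urlsplit

log = logging.getLogger("proxy.acl")

# Constructed allowlist: an exact host or IP, or ".domain" for a domain plus its subdomains.
ALLOWED = frozenset({"intranet.example.com", ".example.org", "192.0.2.10"})


def target_host(method: str, target: str) -> Optional[str]:
    """Destination host of a proxy request line, lowercased, or None if unparsable.

    CONNECT carries "host:port"; every other method carries an absolute URL.
    """
    try:
        url = "//" + target if method.upper() == "CONNECT" else target
        host = urlsplit(url).hostname  # drops any userinfo@ prefix and the port
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if not host:
        return None
    return host.rstrip(".") or None


def is_allowed(host: str, allowed=ALLOWED) -> bool:
    """Default deny: True only for an exact match or a dot-boundary suffix match."""
    if host in allowed:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals must be listed exactly, never suffix-matched
    except ValueError:
        pass
    # ".example.org" matches example.org and a.example.org, but not evilexample.org
    return any(
        rule.startswith(".") and (host == rule[1:] or host.endswith(rule))
        for rule in allowed
    )


def decide(client_ip: str, method: str, target: str, allowed=ALLOWED) -> str:
    """Return "ALLOW" or "DENY" and log source IP, method, target and verdict."""
    host = target_host(method, target)
    verdict = "ALLOW" if host is not None and is_allowed(host, allowed) else "DENY"
    # %r keeps control characters in the target from forging extra log lines
    log.info("%s %s %r %s", client_ip, method, target, verdict)
    return verdict


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    # Constructed sample requests: (source IP, method, request target)
    for req in [
        ("10.0.0.5", "GET", "http://intranet.example.com/reports"),
        ("10.0.0.5", "CONNECT", "mail.example.org:443"),
        ("10.0.0.6", "CONNECT", "evilexample.org:443"),
        ("10.0.0.6", "GET", "http://intranet.example.com@evil.test/"),
    ]:
        decide(*req)
```

For HTTPS traffic a proxy that does not intercept TLS only sees the CONNECT host and port, so the log records the domain rather than the full URL.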

I can't redirect HTTP to HTTPS in my Apache server proxy

(Sorry for my bad English)
Hi, I know that this is not the first question about redirecting to a secure connection in a proxy server, but I have no idea how to resolve it.

This is my config:

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN Off
SSLCertificateFile /etc/ssl/certs/certificado.pem
SSLProtocol -all +TLSv1.2

<VirtualHost *:80 *:443>
Redirect permanent / https://dev.domain.com/

ServerName domain.com
serveralias dev.domain.com

ProxyPass /workflow http://172.16.1.105/workflow
ProxyPassReverse /workflow http://172.16.1.105/workflow

ProxyPass /redmine http://172.16.1.109/redmine
ProxyPassReverse /redmine http://172.16.1.109/redmine

ProxyPass /SucursalVirtual http://172.16.1.105/SucursalVirtual
ProxyPassReverse /SucursalVirtual http://172.16.1.105/sucursalvirtual

ProxyPass /WebCliente http://172.16.1.105/WebCliente
ProxyPassReverse /WebCliente http://172.16.1.105/WebCliente

</virtualhost>



<virtualhost *:443 *:80>

Redirect permanent / https://devbi.primuscapitalsf.com/
ServerName domain.com
serveralias devbi.domain.com

ProxyPass /app/ wss://172.16.0.252:443/app/ retry=0
ProxyPassReverse /app/ wss://172.16.0.252:443/app/ retry=0

ProxyPass /hub/qrsData wss://172.16.0.252:443/hub/qrsData retry=1 acquire=300 timeout=600 Keepalive=On
ProxyPassReverse /hub/qrsData wss://172.16.0.252:443/hub/qrsData

ProxyPass /windows_authentication/ https://172.16.0.252:4244/windows_authentication/ retry=1 acquire=300 timeout=600 Keepalive=On
ProxyPassReverse /windows_authentication/ https://172.16.0.252:4244/windows_authentication/

ProxyPass / https://172.16.0.252/ retry=1 acquire=300 timeout=600 Keepalive=On
ProxyPassReverse / https://172.16.0.252/

</virtualhost>

<Directory /var/www>
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Directory /usr/local/apache2/htdocs>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

But if I redirect, for example, from http://google.com to https://google.com or another web page, it works!!
And if I redirect my own *.domain.com to https, it doesn't work.

I don't have a .htaccess file and my apache2.conf is clean (no edits).

ERROR 400 when redirecting my own domains to HTTPS

proxy – Set up SSH tunneling to access private resources using client-side JavaScript

I want JS code to run in the browser and access a private resource on the client machine behind an SSH proxy. A few programs do this; for example, MongoDB Compass allows you to set up SSH if the MongoDB server is not publicly accessible. Is it possible to make an SSH tunnel just by using JS and route further XHR calls through that tunnel?

Nginx Reverse Proxy Incredibly Slow

I’m using a pretty basic Nginx Config to forward to my React Project

location / {
    proxy_redirect                      off;
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_read_timeout          1m;
    proxy_connect_timeout       1m;
    proxy_pass      http://127.0.0.1:3000/; # set the address of the Node.js
}

Up until now it was fine, but the Page Loads are now over 30000ms+ (30 seconds)

Setup: CloudFlare > Nginx > NodeJS

Wondering if this is something I managed to mess up unknowingly, CloudFlare has no issues, and my host seems fine.

Request sent    0.38 ms
Waiting (TTFB)  18.54 s
Content Download 8.27 ms
Explanation     18.56 s

reverse proxy – Why has connection to my minecraft server (via nginx) been lost after setting up new network, while all other nginx served services work fine?

I host a bunch of services (via subdomains) in nginx, e.g. mine.mydomain.com, doku.mydomain.com, etc. This has run smoothly for years (Ubuntu Server, now on 20.04 LTS, almost everything, including nginx itself running in Docker). But after setting up a new network (new hardware, segregate stuff in VLANs), the kids minecraft server is not accessible via the subdomain/domain (mine.mydomain.com), though all other services I have tested are still working fine.

I did a port forward of port 25565 (minecraft) to see if I could access using my externalIP:port, bypassing nginx. This works fine. What is weird is, now I could also access the minecraft server through my external mine.mydomain.com. I don’t see how that’s even relevant, since I forward ports 80, 443 for nginx, and that should be what’s needed (it was on my old setup). But it’s consistent: as soon as I remove the port forward, the access (via nginx, mine.mydomain.com) is gone, and I get the error:

io.netty.channel.AbstractChannel$AnnotatedConnecttException: Connection refused:

I have separated a lot of the nginx config, but the different files are below. First is the minecraft-specific one, then one for a dokuwiki instance (that works fine) for comparison, as well as the ssl, nginx, proxy confs.

minecraft

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name mine.mydomain.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.30.21:25565;
    }
}

dokuwiki

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name doku.mydomain.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.30.21:8844;
    }
}

default
(I have other_domain.com because I host stuff on two different domains. But other_domain.com is only a website, all other services are on the mydomain.com domain, with subdomains for each service, like the two examples above).

## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name other_domain.com; ### ADD AFTER UPDATE!

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass 10.0.30.21:9000; ### ADD AFTER UPDATE!
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#   location ^~ /cp {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050/cp;
#   }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name cp.*;
#
#   include /config/nginx/ssl.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050;
#   }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name heimdall.*;
#
#   include /config/nginx/ssl.conf;
#
#   include /config/nginx/ldap.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#       auth_request /auth;
#       error_page 401 =200 /ldaplogin;
#
#       include /config/nginx/proxy.conf;
#       resolver 127.0.0.11 valid=30s;
#       set $upstream_app heimdall;
#       set $upstream_port 443;
#       set $upstream_proto https;
#       proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#   }
#}

# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name heimdall.*;
#
#   include /config/nginx/ssl.conf;
#
#   include /config/nginx/authelia-server.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       # the next line will enable Authelia along with the included authelia-server.conf in the server block
#       include /config/nginx/authelia-location.conf;
#
#       include /config/nginx/proxy.conf;
#       resolver 127.0.0.11 valid=30s;
#       set $upstream_app heimdall;
#       set $upstream_port 443;
#       set $upstream_proto https;
#       proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#   }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

ssl.conf

# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;

# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

# protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers REDACTED;

# HSTS, remove # from the line below to enable HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;


# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;

proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
  
}


#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
#
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}
daemon off;

docker-compose.yaml file; minecraft and nginx parts (nginx is part of the “swag” container):

  swag:
    image: linuxserver/swag
    container_name: swag
    volumes:
      - /mnt/data/docker/letsencrypt/config:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "10.0.30.21:80:80"
      - "10.0.30.21:443:443"
    environment:
      - PUID=1000
      - PGID=1004
      - EMAIL=READCTED
      - TZ=REDACTED
      - URL=mydomain.com
      - SUBDOMAINS=hass,dash,mqtt,enter,doku,print,mail,panel,mine,rcon,next,hassos 
      - DHLEVEL=4096
      - VALIDATION=http
      - EXTRA_DOMAINS=other_domain.com
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      mynet:
        ipv4_address: 172.11.0.2

  minecraft_server:
    image: itzg/minecraft-server:latest
    container_name: minecraft_server
    ports:
      - "10.0.30.21:25565:25565"
    volumes:
      - "/mnt/data/docker/minecraft:/data"
    environment:
      EULA: "TRUE"
      ENABLE_RCON: "TRUE"
      RCON_PASSWORD: "REDACTED"
      RCON_PORT: 28016
      CONSOLE: 'FALSE'
    restart: always

How to setup a server in Azure that requires all network traffic to go through an outbound Proxy?

I need to setup a server running Windows Server 2016 in Azure where all network traffic is required to go through an outbound proxy server.

So my questions are:

  • How to configure the network to do this?
  • How to deploy a proxy server in Azure and then connect the two together?

Note that this is NOT a question about setting up a reverse proxy. This is a question about setting up an outbound proxy server (a forward proxy).

Any help with this would be greatly appreciated.