DanielDent / docker-nginx-ssl-proxy

SSL Front-End Proxy With Automatic Free Certificate Management
https://hub.docker.com/r/danieldent/nginx-ssl-proxy/

getting a redirect loop. worked for years, not sure what changed. #32

Closed sgehrman closed 3 years ago

sgehrman commented 3 years ago

Someone recommended removing the host?

https://stackoverflow.com/questions/32362396/nginx-reverse-proxy-causing-infinite-loop

I have no idea.

sgehrman commented 3 years ago

I did update all my packages and I got the latest docker image

sgehrman commented 3 years ago

Request URL: https://support.cocoatech.com/discussions
Request Method: GET
Status Code: 302
Remote Address: 68.183.165.239:443
Referrer Policy: strict-origin-when-cross-origin

Response headers:

cache-control: no-cache, private
content-security-policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
content-type: text/html; charset=utf-8
date: Tue, 17 Aug 2021 22:40:30 GMT
location: https://support.cocoatech.com/discussions
p3p: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"
server: nginx
set-cookie: anon_token=c4e40fd12; path=/; expires=Wed, 17-Aug-2022 22:40:30 GMT; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: allowall
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: 412a50de0138deccb8636b31a70e05e1
x-runtime: 0.018587
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=block

Request headers:

:authority: support.cocoatech.com
:method: GET
:path: /discussions
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: anon_token=c4e40fd12
pragma: no-cache
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-site
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

DanielDent commented 3 years ago

My guess would be that your origin server is not recognizing the headers passed by the proxy which indicate that the connection is over SSL. It's probably trying to redirect to SSL, when the connection is already happening over SSL (it just doesn't know it). The log output from the docker container might help debug, as would logs from the origin server.

sgehrman commented 3 years ago

docker logs:

    192.99.13.186 - - [17/Aug/2021:23:06:16 +0000] "GET /discussions/problems/33066-path-finder-715-wont-start/toggle_access HTTP/1.1" 302 174 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
    178.63.87.197 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
    45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"

sgehrman commented 3 years ago

but it seems the server is getting hit by other users?

    178.63.87.197 - - [17/Aug/2021:23:06:49 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
    54.36.148.248 - - [17/Aug/2021:23:06:51 +0000] "GET /discussions/problems/31933-pf712-fail-on-boot-segfault-error/comments/1 HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)" "-"
    178.63.87.197 - - [17/Aug/2021:23:06:55 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
    178.63.87.197 - - [17/Aug/2021:23:07:01 +0000] "GET /discussions/problems/120728-refresh-of-tags.atom?category=problems&discussion=120728-refresh-of-tags HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"

sgehrman commented 3 years ago

server is here: https://support.cocoatech.com/discussions

sgehrman commented 3 years ago

    nginx-ssl-proxy:
      image: danieldent/nginx-ssl-proxy
      restart: always
      environment:
        SECURITY_HEADERS: skip
        UPSTREAM: cocoatech.tenderapp.com
        SERVERNAME: support.cocoatech.com
      ports:

sgehrman commented 3 years ago

A few hours ago I deleted the docker image and did another docker-compose up -d, so it should be fresh. And it worked for years.

I had to update it because I was using an old ACME v1? So I updated everything.

sgehrman commented 3 years ago

I just restarted, removing that SECURITY_HEADERS just to test. No difference.

sgehrman commented 3 years ago

Here's what I'm trying to do. I have this support server at cocoatech.tenderapp.com (3rd party service), but I wanted the users to go through my own domain, support.cocoatech.com. So I set up a Digital Ocean server and run your docker image to forward to tenderapp.com. 68.183.165.239 is the IP address of my Digital Ocean server.

DanielDent commented 3 years ago

The cocoatech.tenderapp.com service has stopped honouring the X-Forwarded-Proto header and/or has implemented https for themselves. This is probably for the best, as you've been passing your traffic unencrypted to them, presumably over a public network. This proxy image connects to the upstream server over http. You'd need to create a custom configuration /build to connect to the origin over https.

curl -v -H "X-Forwarded-Proto: https" http://cocoatech.tenderapp.com
*   Trying 192.228.96.17:80...
* Connected to cocoatech.tenderapp.com (192.228.96.17) port 80 (#0)
> GET / HTTP/1.1
> Host: cocoatech.tenderapp.com
> User-Agent: curl/7.72.0
> Accept: */*
> X-Forwarded-Proto: https
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.16.0
< Date: Tue, 17 Aug 2021 23:27:53 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"
< Location: https://cocoatech.tenderapp.com/
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< Set-Cookie: anon_token=6e2ad6daa; path=/; expires=Wed, 17-Aug-2022 23:27:53 GMT; HttpOnly; SameSite=Lax
< X-Request-Id: 990b1ed6ff1a10a4806d29563bb8f606
< X-Runtime: 0.017960
< X-Rack-Cache: miss
< Content-Security-Policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: allowall
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 1; mode=block
< 
* Connection #0 to host cocoatech.tenderapp.com left intact
<html><body>You are being <a href="https://cocoatech.tenderapp.com/">redirected</a>.</body></html>
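
The two symptoms in this thread, a browser spinning on repeated 302s for the same path in the container's access log, and the origin answering the curl probe above with a redirect to https even though `X-Forwarded-Proto: https` was sent, can both be checked mechanically. The following Python is an added example, not code from the nginx-ssl-proxy image or from anyone in the thread; the log lines it parses are constructed to match the format quoted above (using documentation address ranges, not the addresses in the issue), and the function and threshold names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Access-log layout as quoted from the container in this issue:
# client - - [time] "METHOD path PROTO" status bytes "referer" "user-agent" "x-forwarded-for"
LOG_RE = re.compile(
    r'^(?P<client>\S+) - \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample, modelled on the docker logs above (documentation IPs, not the
# addresses from the issue): a crawler that gets two 302s half a minute apart, and one
# browser that asks for /discussions six times within two seconds and is redirected every time.
CRAWLER = "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/92.0.4515.159"
SAMPLE_LOG = (
    [f'198.51.100.23 - - [17/Aug/2021:23:06:16 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "{CRAWLER}" "-"']
    + [f'203.0.113.7 - - [17/Aug/2021:23:06:{19 + i // 4} +0000] "GET /discussions HTTP/2.0" 302 107 "-" "{BROWSER}" "-"'
       for i in range(6)]
    + [f'203.0.113.7 - - [17/Aug/2021:23:06:21 +0000] "GET /favicon.ico HTTP/2.0" 200 1150 "-" "{BROWSER}" "-"']
    + [f'198.51.100.23 - - [17/Aug/2021:23:06:49 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "{CRAWLER}" "-"']
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_redirect_loops(lines, threshold=5, window_seconds=5):
    """Return {(client, path): total_3xx} for clients that received at least
    `threshold` 3xx responses for the same path inside `window_seconds`.
    A browser chasing a self-redirect hits the proxy several times per second,
    which is the pattern in the thread's logs; a crawler's isolated 302 is not reported."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 300 <= rec["status"] < 400:
            events[(rec["client"], rec["path"])].append(rec["time"])
    loops = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                loops[key] = len(times)
                break
    return loops


def _norm(url):
    u = urlsplit(url)
    return (u.scheme, u.netloc, u.path.rstrip("/") or "/")


def redirect_is_self(request_url, location):
    """True when Location points back at the URL just requested (trailing slash ignored).
    Seen from the browser, that is exactly the loop reported in this issue."""
    return _norm(request_url) == _norm(location)


def classify_origin_response(origin_request_url, forwarded_proto, status, location):
    """Interpret one plain-http probe against the origin, as in the curl command above.
    The proxy terminates TLS, talks http to the origin and says X-Forwarded-Proto: https;
    an origin that still answers 'go to https://same-host' is not reading that header."""
    if not (300 <= status < 400) or not location:
        return "no-redirect"
    req, loc = urlsplit(origin_request_url), urlsplit(location)
    if req.scheme == "http" and loc.scheme == "https" and loc.netloc == req.netloc:
        return "ignores-x-forwarded-proto" if forwarded_proto == "https" else "forces-https"
    return "other-redirect"


if __name__ == "__main__":
    for (client, path), n in find_redirect_loops(SAMPLE_LOG).items():
        print(f"possible redirect loop: {client} got {n} redirects for {path}")
    print(classify_origin_response("http://cocoatech.tenderapp.com/", "https", 302,
                                   "https://cocoatech.tenderapp.com/"))
```

`find_redirect_loops` is the check to run over `docker logs` output when a proxy suddenly starts returning 302s; `classify_origin_response` is the same verdict DanielDent reached by hand from the curl output: a 302 to `https://<same host>` in reply to a request that already carried `X-Forwarded-Proto: https` means the origin no longer trusts that header, so the proxy must speak https to it.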

sgehrman commented 3 years ago

I know almost nothing about this. How do I configure your docker image to do this?

sgehrman commented 3 years ago

If it's difficult, I could just remove the whole thing and use their url.

sgehrman commented 3 years ago

But I'm kind of worried about existing links that people might have saved or referred to in the forums.

sgehrman commented 3 years ago

hey, I got it working!

I changed this:

    upstream origin { server cocoatech.tenderapp.com:443; }

And this:

    proxy_pass https://origin;
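
The two-line change above encrypts the hop to the origin but, with nginx defaults, neither sends SNI nor checks the origin's certificate, so the proxy will happily talk to whoever answers on port 443. The configuration below is an added example written for this thread, not the image's generated config: the "before" block is an assumption of what an http upstream looks like (the image's real template is not shown on this page), the `upstream origin` / `proxy_pass` names are the ones from the comment above, and the CA bundle path is the Debian/Ubuntu layout and may differ in the image. `Host $host` is kept because the response headers earlier in the thread show tenderapp accepting `support.cocoatech.com` as the custom domain.

```nginx
# BEFORE (assumed shape of the http upstream): TLS ends at the proxy, the origin is
# reached in clear text and told via X-Forwarded-Proto that the client used https.
# An origin that ignores that header answers "302 -> https://..." to every request,
# the browser re-requests the same URL, and the loop in the docker logs appears.
upstream origin {
    server cocoatech.tenderapp.com:80;
}

location / {
    proxy_pass http://origin;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# AFTER: connect to the origin over https, and make that hop authenticated, not just encrypted.
upstream origin {
    server cocoatech.tenderapp.com:443;
}

location / {
    proxy_pass https://origin;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # proxy_ssl_server_name is off by default and proxy_ssl_name defaults to $proxy_host,
    # which here is the literal upstream name "origin". Send the real hostname as SNI and
    # verify the certificate against it; without proxy_ssl_verify (also off by default)
    # nginx accepts any certificate the far end presents.
    proxy_ssl_server_name on;
    proxy_ssl_name cocoatech.tenderapp.com;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
```

Run `nginx -t` inside the container after editing; a wrong CA path or an origin certificate that does not match `proxy_ssl_name` shows up as a 502 with an "upstream SSL certificate verify error" line in the error log rather than as a silent downgrade.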

DanielDent commented 3 years ago

:smile: