linuxserver / reverse-proxy-confs

These confs are pulled into our SWAG image: https://github.com/linuxserver/docker-swag
GNU General Public License v3.0

This seems to fix a lot of issues #63

Closed STaRDoGG closed 5 years ago

STaRDoGG commented 5 years ago

I was having a lot of issues getting these sample proxies to work on my docker setup (using the LS LetsEncrypt container) because I needed to have the port included in each request as well, for example, I need this:

https://my.domain.rocks:1234/someotherstuff

in every call, but the samples always removed the port, so it became this:

https://my.domain.rocks/someotherstuff

which broke a lot of things.

Editing the following 2 lines in proxy.conf to look like this seemed to magically make all of the .sample scripts work again.

proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;

Thought I'd pass the tip along, since after a few days of Google-Fu and even a stop into the LS Discord chan came up empty. Other than that, great container!

aptalca commented 5 years ago

Thanks for the heads up, we'll look into it

aptalca commented 5 years ago

Can you go back to the stock proxy.conf and just replace the line proxy_set_header X-Forwarded-Host $host; with proxy_set_header X-Forwarded-Host $host:$server_port; and see if that solves it?

STaRDoGG commented 5 years ago

No luck changing that one to $host:$server_port;, but keeping it as $http_host, and leaving the other one as it originally was: proxy_set_header Host $host:$server_port; seems ok at a quick test.

I'll keep that one that way and come back and update if that broke anything else that I'm not noticing right now, while also keeping X-Forwarded-Host as $http_host. I've only tested with Tautulli so far, which had a problem with keeping the port intact through requests.

btw, side note, I'm setting up Calibre using the LS container and noticed that the container page on docker hub says there's supposed to be some calibre sample confs included in the LE container, but I don't see any there? Only reason I mention it is because the sample on that page doesn't follow the same patterns as the samples that come with it. i.e. the include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_ stuff.


aptalca commented 5 years ago

Tried a few configs like radarr, sonarr, etc. and cannot reproduce the behavior you described. The only one that exhibits it is calibre-web, which doesn't use the proxy.conf we supply. And even after making your suggested changes, it still doesn't work over a non-443 port

STaRDoGG commented 5 years ago

Maybe my setup is just a bit complicated. Here's how mine goes:

When I make the change that I mention above, it works great; when I used the original code (or the code ya gave me to test) it removed the port.

aptalca commented 5 years ago

I get it, I set up the same environment for testing. I cannot reproduce the behavior you're observing. I tried radarr, sonarr, and a few others and they all resolve fine at addresses like https://domain.com:444/radarr

You need to give me more specifics on what exactly doesn't work and how they are set up

STaRDoGG commented 5 years ago

I forget offhand now, since I've gotten them all working, but I think the Tautulli container along with the original tautulli subfolder sample was one of them. Other than what I've already mentioned I can't really think of anything else configuration-wise that's out of the ordinary.

I am still having a problem getting a Sourcegraph subdomain RP working using the samples as a template, but for that I have a feeling it might be something other than just the port issue alone, though I could very easily be wrong, I'm still pretty n00bish at Nginx.

STaRDoGG commented 5 years ago

Update: I just realized something after typing out this post; I forgot to include some details that may (or may not) also help.

My port 3333 is added to the letsencrypt Docker run cmd:

docker run --restart always -p 3333:443 -d --name nginx --network=my-bridge --cap-add=NET_ADMIN -e PUID=197609 -e PGID=197121 -e "TZ=America/Chicago" -e "URL=domain.rocks" -e "SUBDOMAINS=my,sourcegraph,grafana,prometheus,resilio-sync,syncthing" -e VALIDATION=dns -e ONLY_SUBDOMAINS=true -e DNSPLUGIN=cloudflare -v "/d/Sites/MyWeb/.config/Nginx:/config" linuxserver/letsencrypt

My current (working) Tautulli Subfolder conf looks like this:

# first go into tautulli settings, under "Web Interface", click on show advanced, set the HTTP root to /tautulli and restart the tautulli container

location /tautulli {
    return 301 $scheme://$http_host/tautulli/;
}

location ^~ /tautulli/ {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli tautulli;
    proxy_pass http://$upstream_tautulli:8181;
}

location ^~ /tautulli/api {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli tautulli;
    proxy_pass http://$upstream_tautulli:8181;
}

My current default file in site-confs looks like this:

server {

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.php index.html index.htm;

    # my.domain.rocks
    server_name my.*;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}

include /config/nginx/proxy-confs/*.subdomain.conf;

proxy_cache_path cache/ keys_zone=auth_cache:10m;

And my current proxy.conf looks like this:

client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
#proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $http_host;
#proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;

owine commented 5 years ago

I think your issue is not that the port is being removed, but since nginx is only set up to listen on port 443, that is what it thinks is being accessed, and the trimming is more of a browser function as https defaults to port 443. You'd probably want to add listen blocks for port 3333 and set up your container with port 3333:3333 instead of 3333:443.

I experienced a similar issue and finally figured this out as the solution. All of the headers take the server listen port into account only and nginx can only forward port information it knows about.
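An added illustration of owine's point, not part of this thread or of the SWAG project: a small Python model of the nginx variables behind the three proxy_set_header variants tried above ($host:$server_port, $http_host, and the fallback when no Host header arrives). It assumes a server_name of my.domain.rocks and constructs the requests inline.

```python
"""Model of the Host value nginx sends upstream for the proxy.conf variants
in this thread. Constructed example mimicking nginx variable semantics; it
is not nginx itself.

Per the nginx docs:
  $http_host    the client's Host header verbatim (client-controlled)
  $host         host name from the request, lowercased, port stripped;
                falls back to server_name when the client sent no Host
  $server_port  port of the listening socket that accepted the connection,
                i.e. 443 inside the container when run with -p 3333:443
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    host_header: Optional[str]        # client's Host header, None if absent
    listen_port: int                  # port of the matching 'listen' directive
    server_name: str = "my.domain.rocks"   # assumed server_name for the fallback


def nginx_vars(req: Request) -> Dict[str, str]:
    """Return $http_host, $host and $server_port as nginx would set them."""
    http_host = req.host_header or ""
    host = http_host.split(":", 1)[0].lower() if http_host else req.server_name
    return {"http_host": http_host, "host": host, "server_port": str(req.listen_port)}


def expand(template: str, v: Dict[str, str]) -> str:
    """Expand the $variables used in a proxy_set_header value, longest name first."""
    out = template
    for name in sorted(v, key=len, reverse=True):
        out = out.replace("$" + name, v[name])
    return out


def upstream_host_header(template: str, req: Request) -> str:
    """Host value the backend receives. An empty result means nginx sends no
    Host header at all (empty proxy_set_header values drop the header)."""
    return expand(template, nginx_vars(req))


# Browser at https://my.domain.rocks:3333/tautulli sends 'Host: my.domain.rocks:3333'.
# With '-p 3333:443' nginx listens on 443, so $server_port is 443, not 3333.
published_on_443 = Request("my.domain.rocks:3333", listen_port=443)
# owine's fix: 'listen 3333' plus '-p 3333:3333' makes $server_port the public port.
published_on_3333 = Request("my.domain.rocks:3333", listen_port=3333)
```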

aptalca commented 5 years ago

Can't reproduce