openware / opendax

Open-Source Cloud-Native Digital Asset & Cryptocurrency Exchange Platform
https://www.openware.com/products/opendax
Apache License 2.0

Can not get opendax to run behind a nginx reverse proxy #372

Closed swtrse closed 2 years ago

swtrse commented 2 years ago

I followed the setup for running opendax. I configured the domain (domain.com) and subdomain (my). After starting the services I can connect to opendax if I put the domain (my.domain.com) and the corresponding IP in my Windows hosts file. Calling opendax with the IP gives me a "404 page not found", which as far as I understand is by design.

Now I want to set up an nginx reverse proxy on a different server to reroute calls for that domain to the opendax server. However, I cannot get this to work. Instead of the opendax page I get "404 page not found".

My nginx settings are

upstream opendax
{
    server 10.0.1.200;
}

server
{
    listen       443 http2 ssl;
    server_name  my.domain.com;

    access_log /var/log/nginx/my.domain.com.access.log main;
    error_log  /var/log/nginx/my.domain.com.error.log warn;

    include      custom.d/server_g_*.conf;

    location /
    {
        proxy_set_header Host $host;
        proxy_pass http://opendax;
    }
}

What am I missing?

swtrse commented 2 years ago

Ok, I found a solution. I'm still scratching my head about what the difference is, but whatever. I changed my nginx settings to

    location /
    {
        proxy_set_header Host my.domain.com;
        proxy_pass http://opendax;
    }

sh4dowb commented 2 years ago

you can also try $http_host

swtrse commented 2 years ago

As a matter of fact I did. With no effect. It seems only hard-coding the header works. I have no idea why using $host or $http_host is not working. But since the domain does not change anyway, it is acceptable.
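A stand-in for the symptom discussed in this thread, added here and not code from the opendax project: a small localhost backend that, like a strict name-based router is assumed to behave, serves the app only for an exact Host match, and a client that sends the Host values the thread tried (the upstream IP, the hard-coded domain, and a host:port form such as $http_host can carry when the client sent a port; $host never carries one). The matching rule of the real opendax gateway is not shown on this page; `DOMAIN`, the handler and the helper names are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DOMAIN = "my.domain.com"  # the subdomain configured in the thread

class HostRoutedHandler(BaseHTTPRequestHandler):
    """Assumed behaviour of a strict name-based router: only an exact Host
    match serves the app; an IP or a host:port value gets 404."""

    def do_GET(self):
        status = 200 if self.headers.get("Host", "") == DOMAIN else 404
        body = b"opendax" if status == 200 else b"404 page not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_backend():
    """Start the stand-in upstream on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), HostRoutedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def proxied_status(srv, host_header):
    """Status the backend returns when the proxy forwards this Host value."""
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status

def check_host_variants(srv):
    """The thread's cases: upstream IP (what a bare proxy_pass sends),
    the hard-coded domain, and a host:port form as $http_host may carry."""
    return {
        "10.0.1.200": proxied_status(srv, "10.0.1.200"),
        DOMAIN: proxied_status(srv, DOMAIN),
        DOMAIN + ":443": proxied_status(srv, DOMAIN + ":443"),
    }

if __name__ == "__main__":
    backend = start_backend()
    print(check_host_variants(backend))  # expect 404, 200, 404
    backend.shutdown()
```

Against a real upstream the same three requests can be reproduced with `curl -H "Host: ..." http://10.0.1.200/` to see which value the gateway actually routes on.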

whatnowangga commented 2 years ago

Where did you guys find the nginx config btw? I'm trying hard to find that file.

swtrse commented 2 years ago

I just use my default setups for nginx. I have templates for static sites, WordPress (aka sites that need PHP) and HTTPS. I combine them as I need them. So nothing special about it. If you look at my config you will see `include custom.d/server_g_*.conf;`; this includes the following files.

server_g_caching_static_content.conf

location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
{
    expires 365d;
    log_not_found off;
    access_log off;
}

server_g_error_pages.conf

#redirect page not found to the static page /404.html
#
error_page 404                /custom_404.html;
location = /custom_404.html
{
    root   /usr/share/nginx/html;
}

# redirect server error pages to the static page /50x.html
#
#error_page   500 502 503 504  /custom_50x.html;
#location = /custom_50x.html
#{
#    root   /usr/share/nginx/html;
#}

server_g_global_restrictions.conf

# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico
{
    log_not_found off;
    access_log off;
}

location = /robots.txt
{
    allow all;
    log_not_found off;
    access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\.
{
    deny all;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$
{
    deny all;
}

server_g_headers.conf

# Custom additional settings
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Permissions-Policy "geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), vr=(), speaker=(), ambient-light-sensor=(), gyroscope=(), microphone=()" always;

##
# Security
##
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block" always;

# Pass only the domain to the destination server, so instead of full url
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin" always;

server_g_ssl.conf

# Copied from https://ssl-config.mozilla.org
# Direct Link: https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1c&guideline=5.6

# HTTPS Settings
ssl_certificate /etc/letsencrypt/live/animanga.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/animanga.at/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Perfect Forward Security
# Created by "openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096"
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# intermediate configuration
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve secp521r1:secp384r1;

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/animanga.at/chain.pem;

resolver 10.0.0.1 [2a01:190:163d:1::1] valid=300s;
resolver_timeout 5s;

And for PHP sites I have server_w_php.conf

location ~ \.php$
{
    try_files $uri =404;
    fastcgi_read_timeout 120;
    # Mitigate https://httpoxy.org/ vulnerabilities
    fastcgi_param HTTP_PROXY "";
    fastcgi_pass php-fpm;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

And that's it. You might need other settings based on your needs, but I have these files and try to reuse them as often as possible. Since include supports wildcards, I try to create groups of files so that I can easily include them without listing every single one, like server_g or server_w and so on. I think you get the idea.