I need your help correcting my nginx reverse-proxy configuration. Most resolutions work out, while some (equal configuration, different port) fail:
# custom code for hop by hop headers
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# DNS Update
resolver kube-dns.kube-system.svc.cluster.local;
# Shared memory zone
limit_req_zone $binary_remote_addr zone=limit:10m rate=2000r/m; # requests / min
limit_conn_zone $binary_remote_addr zone=addr:10m; # Connection limit
# Upgrade connection
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name _;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
return 301 https://$host$request_uri;
}
# Landing Page
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name example.de portal.example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:9443;
proxy_redirect off;
}
}
# Blog
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name blog.example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:9443;
proxy_redirect off;
}
}
# Bastillion
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name bastillion.example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:30900;
proxy_redirect off;
}
}
# Landscape
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name landscape.example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:50080;
proxy_redirect off;
}
}
# DMS
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name dsm.example.de example.synology.me;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:5011;
proxy_redirect off;
}
}
# DMS TomCat 7
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name tomcat.example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=20 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
set $upstream example.de;
proxy_pass https://$upstream:7070;
proxy_redirect off;
}
}
# Redirect Subdomains (incl. Web-Socket)
server {
listen 8443 ssl;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name ~^(.*).example.de;
access_log /opt/bitnami/nginx/logs/access.log;
error_log /opt/bitnami/nginx/logs/error.log;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 3s;
location / {
# Security Limits
limit_req zone=limit burst=1000 nodelay; # or delay=15;
limit_conn addr 100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Buffer Limits
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k; # Default: 4k
proxy_buffers 64 16k; # Default 8 4k
proxy_busy_buffers_size 32k;
#proxy_read_timeout 30;
# Keycloak
#proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
set $upstream example.de;
proxy_pass https://$upstream:30000;
proxy_redirect off;
}
}
# Catch malicious requests
server {
listen 8443 default_server;
listen [::]:8443 default_server;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.key;
server_name _;
# Security Limits (Connection slow-down)
client_body_timeout 3s;
client_header_timeout 30;
return 444;
}
- Connections are upgraded from HTTP to HTTPS
- Landing Page reachable
- blog is not resolved correctly. I want
blog.example.de
within the users browser bar, which resolves at blog.example.de:9443/drupal
.
- Bastillion is reachable
- Landscape is not in scope here
- DSM is reachable
- TomCat is reachable
- Wildcard is fine
- malicious requests are catched
Question
- How is blog.example.de/drupal reduced to blog.example.de?
- Is there a notation for reducing redundant data from
location
?
- Any other best practice you noticed, which I do not follow?
Big thanks!
question from:
https://stackoverflow.com/questions/65900911/nginx-reverse-proxy-multi-server-config 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…