How to tell nginx to use a forward proxy to reach a specific destination
Hello. I accidentally closed my previous post, so I recreate this discussion because of the following problem I'm encountering. Here is the situation : I have multiple servers which are in a secure network zone I have another server where nginx is installed and is used as a reverse proxy. The NGINX server has access to a remote destination (a gitlab server) through a forward proxy (squid) So the flow is the following : Servers in secure zone --> Server Nginx as reverse proxy --> Server squid as forward proxy --> an internal gitlab in another network zone. Is it possible to tell nginx to use the squid forward proxy to reach the gitlab server, please ? For the moment, I have this configuration : server { listen 443 ssl; server_name <ALIAS DNS OF NGINX SERVER>; ssl_certificate /etc/nginx/certs/mycert.crt; ssl_certificate_key /etc/nginx/certs/mykey.key; ssl_session_cache shared:SSL:1m; ssl_prefer_server_ciphers on; access_log /var/log/nginx/mylog.access.log; error_log /var/log/nginx/mylog.error.log debug; location / { proxy_pass https://the-gitlab-host:443; } } But it does not work. When I try to perform a git command from a server in secure zone, it fails and in the nginx logs I see a timeout, which is normal, because nginx does not use the squid forward proxy to reach the gitlab server. Thank you in advance for your help ! Best regards.Solved29KViews0likes12CommentsHow to rewrite a path to a backend service dropping the prefix and passing the remaining path?
Hello, I am not sure whether my posting is appropriate in this area, so please delete it if there is a violation of posting rules... This must be a common task, but I cannot figure out how to do the following fanout rewrite in our nginx ingress: http://abcccc.com/httpbin/anything-> /anything (the httpbin backend service) When I create the following ingress with a path of '/' and send the query, I receive a proper response. curl -I -k http://abczzz.com/anything apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: mikie-ingress namespace: mikie spec: ingressClassName: nginx rules: - host: abczzz.com http: paths: - path: / pathType: Prefix backend: service: name: httpbin-service port: number: 8999 What I really need is to be able to redirect to different services off of this single host, so I changed the ingress to the following, but the query always fails with a 404. Basically, I want the /httpbin to disappear and pass the path onto the backend service, httpbin. curl -I -k http://abczzz.com/httpbin/anything apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: mikie-ingress namespace: mikie annotations: nginx.ingress.kubernetes.io/rewrite-target: /$2 spec: ingressClassName: nginx rules: - host: abczzz.com http: paths: - path: /httpbin(/|$)(.*) pathType: Prefix backend: service: name: httpbin-service port: number: 8999 Thank you for your time and interest, Mike19KViews0likes15CommentsHelp with upstream prematurely closed!
Hello everyone! I'm trying to publish a blazor server app (just a template app for testing) on Nginx in debian 11. Actually i have like a week stucked with this problem, reading every post writted about this error, but nothing works for me. Someone can give me some light about what can be the problem? Nginx conf: user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; # multi_accept on; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } server blocks at sites-enabled/test server { listen 80; listen [::]:80; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate /etc/nginx/cert.pem; ssl_certificate_key /etc/nginx/cert.key; location / { proxy_pass http://dotnet; proxy_set_header Host $host; proxy_http_version 1.1; # you need to set this in order to use params below. proxy_temp_file_write_size 64k; proxy_connect_timeout 10080s; proxy_send_timeout 10080; proxy_read_timeout 10080; proxy_buffer_size 64k; proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_redirect off; proxy_request_buffering off; proxy_buffering off; } } upstream dotnet { zone dotnet 64k; server 127.0.0.1:7155; }Solved14KViews0likes3CommentsRedirecting public facing URL to an internal non public facing URL
Hi I am trying to set up a rule that will allow external users hitting an external facing URL that resolves to a VIP on our DMZ LTMs and redirects them to an internal non public facing URL on our internal pair of LTMs based on the URI. Is this possible?12KViews0likes1Commentdoes nginx (1.20 or newer) re-resolve DNS for proxy_pass?
Consider this nginx config snippet: location ^~ /_example/ { proxy_pass https://example.com/_example/; proxy_set_header Host my-site; } Assuming "example.com" DNS TTL is set to 60 seconds - will nginx re-resolve DNS after 60 seconds? Or does it only resolve the name on startup? I'm finding different info around the internet: - it will re-resolve only in the commercial nginx plus - it will re-resolve only in newer nginx releases; in older ones, one need to make some workarounds - it will only resolve once on startup and never again12KViews0likes5CommentsAMQP Cleartext Authentication
Description The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear. Solution Disable cleartext authentication mechanisms in the AMQP configuration in ubuntu or centos machines disable unencrypted access in the configuration file. >> unencrypted" here refers to client connections. https://www.rabbitmq.com/ssl.html Steps of disabling the AMQP: https://liquidwarelabs.zendesk.com/hc/en-us/articles/360019562832-Disable-cleartext-authentication-option-in-RabbitMQ The above link used for windows vulnerability. Please help in getting resolution for Centos or Ubuntu configuration file.11KViews0likes0CommentsDisable TLS 1.0 and 1.1 protocol on VIPS, Only TLS 1.2 should be on.
Suppose we have to disable TLS 1.0 and 1.1 protocol on a VIP. Only TLS 1.2 should be enabled. Consider client-ssl profile is having the existing ciphers as : ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!MD5:!RC4-SHA:!3DES Will modifying cipher to "TLSv1_2" fulfill the requirement.Solved9.1KViews0likes5CommentsConfigure syslog server in F5 with an irule to see actual internet IP in syslog server
Hi, we are using Big IP 3900 version 10.2 , We had network topolgy in this way that we need to enable SNAT as AutoMap , For this reason we are not been able to see the actual Internet IP / Client IP , in the servers . We want configure an irule in such a way that it will log the actual Internet/Client IP and send it to the syslog server . For that should we need to configure syslog server in F5 , or it can be configured or forward through irule itself. Our mail Aim is to see only the Actual Internet/Client IP. Please help Thanks in Advance for the help9.1KViews0likes22CommentsURL rewrite through iRule
Hi Guys, i have one "Performance (HTTP)" virtual server on F5-1600 series, and i want to change the URL "http://www.abc.com" to "http://partner.abc.com/xyz". i have tried all below scripts : 1- when HTTP_REQUEST { if {([string tolower [HTTP::host]] equals "http://www.abc.com")}{ HTTP::header replace Host "http://partner.abc.com/xyz" } } 2- when HTTP_REQUEST { if { not ([HTTP::uri] starts_with "/xyz") } { HTTP::uri /xyz[HTTP::uri] } } 3- when HTTP_REQUEST { if {[HTTP::uri] equals {http://www.abc.com}} {HTTP::uri {http://partner.abc.com/xyz} } } but i wasn't successful! can anyone help me how can i do this through iRule ?Solved9KViews0likes27CommentsAdding CORS response headers
Hey all, There are a number of other older (2013-era) threads about CORS headers, and I want to ask a specific question which has not been asked there: Can I add a response header using HTTP::header insert within an HTTP_REQUEST? In at least one CORS-related thread (https://devcentral.f5.com/questions/cors-irule-query), this is shown happening. However, in another thread (https://devcentral.f5.com/questions/access-control-allow-origin-on-f5) the answer includes code in the HTTP_REQUEST to set a variable and then in the HTTP_RESPONSE, a check is made on that variable and if it is set, the HTTP::header insert is used. Basically, I want to include all my CORS-related code in one place. Currently, I am doing basic CORS (adding the ACAO header for GET/POST requests from my domain where the Origin request header is present) using my CDN (Akamai) and I have this iRule for CORS preflight responses: when HTTP_REQUEST { if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "mysite.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } { HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \ Access-Control-Allow-Methods "POST, GET, OPTIONS" \ Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \ Access-Control-Max-Age "86400" return } } However, for simplification, I want to put all the CORS stuff (basic and preflight) in the iRule. So my question is, will this work: when HTTP_REQUEST { CORS preflight OPTIONS requests if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "mysite.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } { HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \ Access-Control-Allow-Methods "POST, GET, OPTIONS" \ Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \ Access-Control-Max-Age "86400" return } CORS GET/POST requests if { ( [HTTP::method] equals "GET" or [HTTP::method] equals "POST") and ( [HTTP::host] contains "mysite.com"] ) and ( [HTTP::header] exists "Origin") } { HTTP::header insert Access-Control-Allow-Origin "[HTTP::header Origin]" } } or do I need this: when HTTP_REQUEST { CORS preflight OPTIONS requests if { ( [HTTP::method] equals "OPTIONS" ) and ( [HTTP::host] contains "mysite.com"] ) and ( [HTTP::header] exists "Access-Control-Request-Method") } { HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \ Access-Control-Allow-Methods "POST, GET, OPTIONS" \ Access-Control-Allow-Headers "[HTTP::header Access-Control-Request-Headers]" \ Access-Control-Max-Age "86400" return } CORS GET/POST requests if { ( [HTTP::host] contains "mysite.com"] ) and ( [HTTP::header] exists "Origin") } { set cors_origin [HTTP::header Origin] } } when HTTP_RESPONSE { CORS GET/POST response - check variable set in request if { [info exists cors_origin] } { HTTP::header insert Access-Control-Allow-Origin $cors_origin } } Does this make sense, or am I getting too complex?Solved8.4KViews0likes13Comments