Hey Guys -

I have used Nginx for Windows for a while now in my home lab which I use for various purposes including hosting an internal website (uses Organizr v2) and reverse proxy. It listens on 80 & 443 but forwards all requests to 80 to 443 as I also have installed a 3rd party signed SSL vert for my home domain.

This worked well until a recent migration of my Nginx installation to a new system. Now when I visit my homepage, I can view the content loaded from the actual root of the site, but not anything reverse-proxy pulls from an HTTP source. The only way I can view it is to click the small shield icon to the right of Chrome's address bar and choose to "Load unsafe scripts." Although able to view it afterwards, the URL changes to "Not Secure." I didn't have this issue with my old install and for the most part, nginx.conf is the same even though there are minor differences with the version of Nginx & PHP.

Below are details of my environment, a few notes, and finally the beginning of my nginx.conf (assuming that's where the issue will be resolved.) Any assistance would be appreciated...

Environment
- Windows 10 x64 1809
- Nginx 1.15.8 (for Windows)
- PHP 7.3.0-nts-Win32-VC15-x64

Notes
- I compared the old and new conf files side by side using NotePad++ but didn't see anything notable which was different. I would have copied the exact old conf and use it, but was having issues with hosting being really slow on that old system recently which I know wasn't related to resources
- Following the "/files" location shown at the end of the snippet below, there are approximately 15 additional locations - each with fairly similar formatting and are the only parts of the conf file I left out to keep it clean. The only other change was changing the name of the domain
- I only apply PHP config to root instead of entire site as there is another app referenced by reverse proxy which has it's own different PHP installation. Prior to applying it only to the root, I was unable to use that app via RP
- Other than the issue described, the service starts & everything works well
- Windows Firewall is disabled (all 3) and there are no other firewalls on my PC
- Issue exists on multiple PCs & multiple browsers

nginx.conf Snippet
worker_processes 1;
events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;

#Redirect requests for port 80 to 443
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mydomain.com;
return 301 https://$host$request_uri;
}

# Configures Logging Options
log_format main 'site="$server_name" server="$host” dest_port="$server_port" dest_ip="$server_addr" '
'src="$remote_addr" src_ip="$realip_remote_addr" user="$remote_user" '
'time_local="$time_local" protocol="$server_protocol" status="$status" '
'bytes_out="$body_bytes_sent" bytes_in="$upstream_response_length" '
'http_referer="$http_referer" http_user_agent="$http_user_agent" '
'nginx_version="$nginx_version" http_x_forwarded_for="$http_x_forwarded_for" '
'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
'http_method="$request_method" response_time="$upstream_response_time" '
'cookie="$http_cookie" request_time="$request_time" ';
access_log logs/access.log;
error_log logs/error.log;

# Configures NGINX to listen on 443 with SSL
server {
listen 443 ssl;
server_name mydomain.com;
send_timeout 100m;
ssl_certificate c:/nginx/ssl/mydomaincombined.crt;
ssl_certificate_key c:/nginx/ssl/mydomain.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_stapling off;
ssl_stapling_verify off;

#PHP Config in Root Only
location / {
root html;
index index.php index.html index.htm;
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

# Defines location of robots.txt
location /robots.txt {
alias C:/nginx/global/robots.txt;
}
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE [1-6]\.";
client_max_body_size 100M;

# The below section configures reverse proxy for locally hosted services
#CrushFTP Configuration
location /files {
proxy_pass http://192.168.0.35:4333/files;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
}
...
...
...

Any suggestions? Happy to post more details if needed. Thanks!

IP address changed in your proxy_pass ?

---
nginx for Windows http://nginx-win.ecsds.eu/

Thanks for the reply, but no - all of the locations are correct. This only occurs on locations which direct to an http address. I have a couple that direct to an HTTP one (same SSL cert too) which work fine. For the HTTP ones, once I click the shield icon in Chrome's address bar then select "Load unsafe scripts"; everything including the HTTP locations work except that the site is shown as "Not Secure."

Any other suggestions? Thanks

Allow the not secure connection and see where it wants to connect to, this should be an address known to you. Also check the logfiles to see what nginx thinks is happening.

---
nginx for Windows http://nginx-win.ecsds.eu/

Thanks for the reply...

I just realized that reverse proxy doesnt have anything to do with it - sorry. Here's hopefully a better explaination.

The root of my website is Organizr v2. It allows you to put shortcuts to other websites on the side then when clicking on one, typically opens it using iframe to show the selected page in the main windows while keeping the Organizr shortcuts on the side. My shortcuts are all local pages which are linked using an HTTP source. When visiting my homepage, everything loads fine as its all Organizr and HTTPS as no content comes from HTTP address.

The issue is when I select one of the shortcuts with HTTP source, nothing appears in the main iframe pane. This is when the shield icon appears in the address bar. Clicking it mentions mixed content with an option to "Load unsafe scripts.". Clicking this allows the selected shortcut to properly display in the main iframe of the page.

Example
- Source URL: http://192.168.0.35:9000/portainer
- Homepage: https://mydomain.com

If browsing to my homepage above, there's a link to show Portainer via its source URL in the main iframe pane. Clicking it results in the issue above. Selecting option to "Load unsafe scripts" displays the page in the iframe properly.

Hope that explains it better. Thanks!

Due to the unsafe message it sounds like a DNS issue, or some other setting that believes the link is safe which now is no longer the case, if it works despite the unsafe message its not a nginx issue.

---
nginx for Windows http://nginx-win.ecsds.eu/