Welcome! Log In Create A New Profile

SSL and port number [was: Rewrite -- failure]

Forum List Message List New Topic Print View

Paul

April 21, 2020 07:10PM

Thanks for your input. I have spent quite some time on this, and have
failed on "rewrite".

It all works using a different port number but *without* SSL -- the
moment I add the Certbot back in (see config below) I get "Error code:
SSL_ERROR_RX_RECORD_TOO_LONG".

Also, same server, on default port 80, works perfectly as https, but if
I add :80 to the requested URL, I get the same "Error code:
SSL_ERROR_RX_RECORD_TOO_LONG"...

All suggestions warmly welcomed, thanks. ...and stay well - Paul.

server {

listen 8084;
# listen 443 ssl;

# ssl_certificate
/etc/letsencrypt/live/serv1.example.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key
/etc/letsencrypt/live/serv1.example.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

server_name my_app;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/ships-error_log;

proxy_buffering off;

location / {
proxy_pass http://192.168.xxx.yyy:8084;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}

#server {
# if ($host = serv1.example.com) {
# return 301 https://$host$request_uri;
# } # managed by Certbot

# automatically sets to https if someone comes in on http
# listen 8084;
# listen 443 ssl;
# server_name serv1.example.com;
# rewrite ^ https://$host$request_uri? permanent;
#}

On 2020-04-14 6:39 p.m., Francis Daly wrote:
> On Tue, Apr 14, 2020 at 04:38:51PM -0400, Paul wrote:
>
> Hi there,
>
>> My problem is that I need to split serv1.example.com to two physical servers
>> (both fully functional on LAN). The first (192.168.aaa.bbb) serving static
>> https works fine. But I cannot "rewrite" (redirect, re-proxy?) to the second
>> server (192.168.xxx.yyy, Perl cgi) where the request comes in as
>> https://serv1.example.com/foo and I need to get rid of "foo"
>
> http://nginx.org/r/proxy_pass -- proxy_pass can (probably) do what
> you want, without rewrites. The documentation phrase to look for is
> "specified with a URI".
>
>> "rewrite ^(.*serv1\.example\.com\/)foo\/(.*) $1$2 permanent;" (tried
>> permanent, break, last and no flags)
>
> "rewrite" (http://nginx.org/r/rewrite) works on the "/foo" part, not the
> "https://" or the "serv1.example.com" parts of the request, which is why
> that won't match your requests.
>
>> location /foo { # big db server, perfect on LAN, PERL, cgi
>> # rewrite ^/foo(.*) /$1 break; #tried permanent, break, last and
>> no flags
>
> That one looks to me to be most likely to work; but you probably need
> to be very clear about what you mean when you think "it doesn't work".
>
> In general - show the request, show the response, and describe the response
> that you want instead.
>
>> # rewrite ^/foo/(.*)$ /$1 last; #tried permanent, break, last and
>> no flags
>> rewrite ^(.*serv1\.example\.com\/)foo\/(.*) $1$2 permanent; #tried
>> permanent, break, last and no flags
>> proxy_pass http://192.168.xxx.yyy:8084;
>> proxy_set_header Host $host;
>> proxy_http_version 1.1;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> }
>
> I suggest trying
>
> location /foo/ {
> proxy_pass http://192.168.xxx.yyy:8084/;
> }
>
> (note the trailing / in both places) and then seeing what else needs to
> be added.
>
> Note also that, in any case, if you request /foo/one.cgi which is really
> upstream's /one.cgi, and the response body includes a link to /two.png,
> then the browser will look for /two.png not /foo/two.png, which will
> be sought on the other server. That may or may not be what you want,
> depending on how you have set things up.
>
> That is: it is in general non-trivial to reverse-proxy a service at a
> different places in the url hierarchy from where the service believes
> it is located. Sometimes a different approach is simplest.
>
>> server {
>>
>> # automatically sets to https if someone comes in on http
>> listen 80;
>> listen 8084;
>
> Hmm. Is this 8084 the same as 192.168.xxx.yyy:8084 above? If so, things
> might get a bit confused.
>
> Good luck with it,
>
> f
>

\\\||//
(@ @)
ooO_(_)_Ooo__________________________________
|______|_____|_____|_____|_____|_____|_____|_____|
|___|____|_____|_____|_____|_____|_____|_____|____|
|_____|_____| mailto:paul@stormy.ca _|____|____|
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Rewrite -- failure	Paul	April 14, 2020 04:40PM
Re: Rewrite -- failure	gariac	April 14, 2020 06:04PM
Re: Rewrite -- failure	Francis Daly	April 14, 2020 06:40PM
SSL and port number [was: Rewrite -- failure]	Paul	April 21, 2020 07:10PM
Re: SSL and port number [was: Rewrite -- failure]	Francis Daly	April 22, 2020 03:16AM
Re: SSL and port number [was: Rewrite -- failure]	Paul	April 28, 2020 02:58PM
Re: SSL and port number [was: Rewrite -- failure]	Francis Daly	April 29, 2020 12:48PM
Re: SSL and port number [was: Rewrite -- failure]	J.R.	April 29, 2020 07:58AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 211

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018