Welcome! Log In Create A New Profile

Advanced

Proxy advice

Posted by s_78 
Proxy advice
July 08, 2021 05:10AM
Hi,

I'd appreciate advice on how to perform a proxy or rewrite rule in the below scenario. The public URL below sends the request onto the backend server (intserver) on port 443 which it listens on.

Public URL = https://wc029.domain.com

The internal server then redirects internally to various other internal URLs on port 40000 - https://intserver:40000/sld/saml2/idp/sso (being one) - but sends this back to the browser which obviously can't hit the public DNS of the internal host name. I need the block/rule to allow for any response to be changed back to the external URL.

I've used reverse proxy in IIS before and this is handled by the corresponding outbound rule but can't understand how to achieve this in Nginx.

I suspect this is quite easy and requires something in the server block but considering this is a production server with multiple other server blocks, i'd rather reach out for advice on here before paying around with the config and i can't seem to find something i understand in other scenarios.
I believe i need a rewrite line but unsure what exactly to use.

Can anyone show me the error of my ways! ;)

server {
listen 443 ssl;
listen [::]:443 ssl;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none'";

# The below allow and deny rules can be set to allow access.The Deny rule MUST be uncommented and then add multiple allow lines for the IP range required.
#allow;
#deny all;

server_name wc029.domain.com;
ssl_certificate /etc/pki/cert.crt;
ssl_certificate_key /etc/pki/priv.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

access_log /var/log/nginx/reverse-access.log;
error_log /var/log/nginx/reverse-error.log;

location /
{
limit_except GET POST {deny all;}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://intserver/;
proxy_set_header X-Forwarded-Proto https;
}
}
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 52
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready