Hi,
I'd appreciate advice on how to perform a proxy or rewrite rule in the below scenario. The public URL below sends the request onto the backend server (intserver) on port 443 which it listens on.
Public URL = https://wc029.domain.com
The internal server then redirects internally to various other internal URLs on port 40000 - https://intserver:40000/sld/saml2/idp/sso (being one) - but sends this back to the browser which obviously can't hit the public DNS of the internal host name. I need the block/rule to allow for any response to be changed back to the external URL.
I've used reverse proxy in IIS before and this is handled by the corresponding outbound rule but can't understand how to achieve this in Nginx.
I suspect this is quite easy and requires something in the server block but considering this is a production server with multiple other server blocks, i'd rather reach out for advice on here before paying around with the config and i can't seem to find something i understand in other scenarios.
I believe i need a rewrite line but unsure what exactly to use.
Can anyone show me the error of my ways! ;)
server {
listen 443 ssl;
listen [::]:443 ssl;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none'";
# The below allow and deny rules can be set to allow access.The Deny rule MUST be uncommented and then add multiple allow lines for the IP range required.
#allow;
#deny all;
server_name wc029.domain.com;
ssl_certificate /etc/pki/cert.crt;
ssl_certificate_key /etc/pki/priv.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
access_log /var/log/nginx/reverse-access.log;
error_log /var/log/nginx/reverse-error.log;
location /
{
limit_except GET POST {deny all;}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass https://intserver/;
proxy_set_header X-Forwarded-Proto https;
}
}