Configuration of reverse proxy and https

snowcrux · July 30, 2018, 12:36pm

Now I am implementing a server machine and install several applications, indico, plone, gitlab, and so on in the machine.
However, network security section in my institute permits me to open only 443 (https) ports.
Then, I assign the applications to individual port, and implement reverse proxy by using nginx.
For example, I assign the indico to 8086 port, and if the URL is include “indico” like “https://mydomain/indico”, the packets are transferred to “http://localhost:8086/”.
(Applying the same manner, the gitlab is also transferred to 8084 ports like “https://mydomain/gitlab” -> “http://localhost:8084”)
But the indico web page does not show figures and icons due to wrong link.
Please let me know how I can solve it.

In the local machine, I can see the indico page correctly to fill “http://localhost:8084/” in URL.
My configuration of nginx in /etc/nginx/conf.d/default.conf is

server {
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;

  server_name localhost;
  ignore_invalid_headers off;
  ssl_certificate "/etc/pki/tls/certs/mydomain.pem";
  ssl_certificate_key "/etc/pki/tls/certs/mydomain.key";
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 10m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  location ^~ /indico {
    sub_filter_once off;
    sub_filter 'http://mydomain/' 'https://mydomain/indico/';
    sub_filter 'src="/'  'src="https://mydomain/';
    sub_filter 'href="/' 'href="https://mydomain/indico/';
    proxy_pass http://127.0.0.1:8086/;
  }
  location ^~ /gitlab {
    proxy_pass http://127.0.0.1:8084;
  }
  location ^~ /plone {
    proxy_pass http://127.0.0.1:8092/;
  }

}

and /etc/nginx/conf.d/indico.conf is changed as following,

server {
  listen 8086;
  listen [::]:8086;
  server_name mydomain;

  access_log            /opt/indico/log/nginx/access.log combined;
  error_log             /opt/indico/log/nginx/error.log;

  location /.xsf/indico/ {
    internal;
    alias /opt/indico/;
  }

 location ~ ^/static/assets/(core|(?:plugin|theme)-[^/]+)/(.*)$ {
    alias /opt/indico/assets/$1/$2;
    access_log off;
  }

  location ~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$ {
    alias /opt/indico/web/static/$1$2/$3.$5;
    access_log off;
  }

  location ~ ^/(css|dist|images|fonts)/(.*)$ {
    alias /opt/indico/web/static/$1/$2;
    access_log off;
  }

  location /robots.txt {
    alias /opt/indico/web/htdocs/robots.txt;
    access_log off;
  }

  location / {
    root /var/empty/nginx;
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/opt/indico/web/uwsgi.sock;
    uwsgi_param UWSGI_SCHEME $scheme;
    uwsgi_read_timeout 15m;
    uwsgi_buffers 32 32k;
    uwsgi_busy_buffers_size 128k;
    uwsgi_hide_header X-Sendfile;
    uwsgi_hide_header X-Sendfile;
    client_max_body_size 1G;
  }
}

pferreir · July 30, 2018, 12:38pm

I’ve edited the post to add a code block.

What’s does your indico.conf look like? Did you set BaseURL to fit mydomain/indico?
By the way, we highly advise against using https://yourmachine/indico. You should definitely consider https://indico.yourmachine. And having all those services run on the same machine may be a little bit too heavy on it, too.

kolodzie · July 30, 2018, 12:42pm

The problem lies in the locations rules in your indico.conf file which match ^/(images|fonts)(.*)/(.+?) which doesn’t match against something like /indico/images/...

ThiefMaster · July 30, 2018, 5:13pm

The ngx_http_sub_module module is a filter that modifies a response by replacing one specified string by another.

You do not need this, and it sounds like something rather fragile to rewrite paths in Indico.
Simply configure your backend machine to also serve on /indico and then just proxy to it. Just make sure your BASE_URL is the same URL your end users will use to access Indico, and that your backend server accepts requests for that same host name.

Example:

https://example.com/indico is what users use, and your internal server is indico.example.com. In this case configure the nginx on indico.example.com to serve requests for example.com and configure it to forward requests in /indico/... to uwsgi / the aliases. On the example.com nginx you configure the reverse proxy to send a Host header for example.com, even if you make it connect to the machine indico.example.com

This aside, we strongly recommend to use a sub domain for Indico. You can still use proxying - just point the external indico.example.com to your internet-exposed load balancer, and add a server block for it with server_name indico.example.com;. Then configure it to forward requests to https://yourinternalindicoserver on whatever port you are running it.