Configuration of reverse proxy and https

Now I am implementing a server machine and install several applications, indico, plone, gitlab, and so on in the machine.
However, network security section in my institute permits me to open only 443 (https) ports.
Then, I assign the applications to individual port, and implement reverse proxy by using nginx.
For example, I assign the indico to 8086 port, and if the URL is include “indico” like “https://mydomain/indico”, the packets are transferred to “http://localhost:8086/”.
(Applying the same manner, the gitlab is also transferred to 8084 ports like “https://mydomain/gitlab” -> “http://localhost:8084”)
But the indico web page does not show figures and icons due to wrong link.
Please let me know how I can solve it.

In the local machine, I can see the indico page correctly to fill “http://localhost:8084/” in URL.
My configuration of nginx in /etc/nginx/conf.d/default.conf is

server {
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;

  server_name localhost;
  ignore_invalid_headers off;
  ssl_certificate "/etc/pki/tls/certs/mydomain.pem";
  ssl_certificate_key "/etc/pki/tls/certs/mydomain.key";
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 10m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  location ^~ /indico {
    sub_filter_once off;
    sub_filter 'http://mydomain/' 'https://mydomain/indico/';
    sub_filter 'src="/'  'src="https://mydomain/';
    sub_filter 'href="/' 'href="https://mydomain/indico/';
  location ^~ /gitlab {
  location ^~ /plone {


and /etc/nginx/conf.d/indico.conf is changed as following,

server {
  listen 8086;
  listen [::]:8086;
  server_name mydomain;

  access_log            /opt/indico/log/nginx/access.log combined;
  error_log             /opt/indico/log/nginx/error.log;

  location /.xsf/indico/ {
    alias /opt/indico/;

 location ~ ^/static/assets/(core|(?:plugin|theme)-[^/]+)/(.*)$ {
    alias /opt/indico/assets/$1/$2;
    access_log off;

  location ~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$ {
    alias /opt/indico/web/static/$1$2/$3.$5;
    access_log off;

  location ~ ^/(css|dist|images|fonts)/(.*)$ {
    alias /opt/indico/web/static/$1/$2;
    access_log off;

  location /robots.txt {
    alias /opt/indico/web/htdocs/robots.txt;
    access_log off;

  location / {
    root /var/empty/nginx;
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/opt/indico/web/uwsgi.sock;
    uwsgi_param UWSGI_SCHEME $scheme;
    uwsgi_read_timeout 15m;
    uwsgi_buffers 32 32k;
    uwsgi_busy_buffers_size 128k;
    uwsgi_hide_header X-Sendfile;
    uwsgi_hide_header X-Sendfile;
    client_max_body_size 1G;

I’ve edited the post to add a code block.

What’s does your indico.conf look like? Did you set BaseURL to fit mydomain/indico?
By the way, we highly advise against using https://yourmachine/indico. You should definitely consider https://indico.yourmachine. And having all those services run on the same machine may be a little bit too heavy on it, too.

The problem lies in the locations rules in your indico.conf file which match ^/(images|fonts)(.*)/(.+?) which doesn’t match against something like /indico/images/...

The ngx_http_sub_module module is a filter that modifies a response by replacing one specified string by another.

You do not need this, and it sounds like something rather fragile to rewrite paths in Indico.
Simply configure your backend machine to also serve on /indico and then just proxy to it. Just make sure your BASE_URL is the same URL your end users will use to access Indico, and that your backend server accepts requests for that same host name.

Example: is what users use, and your internal server is In this case configure the nginx on to serve requests for and configure it to forward requests in /indico/... to uwsgi / the aliases. On the nginx you configure the reverse proxy to send a Host header for, even if you make it connect to the machine

This aside, we strongly recommend to use a sub domain for Indico. You can still use proxying - just point the external to your internet-exposed load balancer, and add a server block for it with server_name;. Then configure it to forward requests to https://yourinternalindicoserver on whatever port you are running it.