docker – Grafana local CORS bypass using nginx

I’m trying to work with a Grafana server in an environment I can’t change.

I need CORS to be enabled to develop locally. I’m trying to start a local docker nginx server to solve it when developing locally.

My nginx.conf:

server {
        listen 5000;
        server_name localhost;

        add_header 'Access-Control-Allow-Origin' $http_origin;
        add_header 'Access-Control-Allow-Methods' 'GET, POST';
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
        add_header 'Access-Control-Allow-Credentials' 'true';

        location / {
            proxy_pass                 http://10.53.162.9;
            proxy_set_header           X-Real-IP   $remote_addr;
            proxy_set_header           X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header           X-Forwarded-Proto  $scheme;
            proxy_set_header           X-Forwarded-Server  $host;
            proxy_set_header           X-Forwarded-Host  $host;
            proxy_set_header           Host  $host;
        
            if ($request_method = 'OPTIONS' ) {
                # if request method is options we immediately return with 200 OK.
                return 200;
            }
        }                       
}        

In nginx I’m getting:

*1 upstream prematurely closed connection while reading response header from upstream, client: 172.17.0.1, server: localhost

In the browser when trying to load a path:

Access to XMLHttpRequest at ‘http://localhost:5000/grafana/path’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Tried everything I can think of but the request is still getting blocked. Where am I going wrong?
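Two properties of the configuration above can be checked mechanically; the following lint is an added example, not part of the original question. `add_header` without the `always` parameter is applied only to a fixed set of 2xx and 3xx status codes, so the 502 that nginx generates when the upstream closes the connection carries no CORS headers, and echoing `$http_origin` together with `Access-Control-Allow-Credentials: true` allows every origin with credentials. The names `lint_cors`, `QUESTION_CONF`, `ALLOWLIST_CONF` and `$cors_origin` are assumptions made for the example.

```python
import re

# Constructed sample: the CORS-related directives of the proxy config above.
QUESTION_CONF = """
server {
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Methods' 'GET, POST';
    add_header 'Access-Control-Allow-Credentials' 'true';
    location / { proxy_pass http://10.53.162.9; }
}
"""

# Constructed allowlist variant (map belongs in the http context). $cors_origin
# is hypothetical: empty unless Origin is the dev origin; empty headers are omitted.
ALLOWLIST_CONF = """
map $http_origin $cors_origin {
    default                 '';
    'http://localhost:3000' $http_origin;
}
server {
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials true always;
    location / { proxy_pass http://10.53.162.9; }
}
"""

# add_header <name> <value> [always];  quotes around name/value are optional
ADD_HEADER = re.compile(
    r"""add_header\s+(['"]?)(?P<name>[\w-]+)\1\s+"""
    r"""(?P<value>'[^']*'|"[^"]*"|[^\s;]+)(?P<always>\s+always)?\s*;""")

def lint_cors(conf):
    """Return sorted finding codes for the CORS add_header directives in conf."""
    cors = {}
    for m in ADD_HEADER.finditer(conf):
        if m.group("name").lower().startswith("access-control-"):
            value = m.group("value").strip("'\"")
            cors[m.group("name").lower()] = (value, m.group("always") is not None)
    origin = cors.get("access-control-allow-origin", ("", True))[0]
    creds = cors.get("access-control-allow-credentials", ("", True))[0]
    findings = set()
    # Echoing Origin back while allowing credentials trusts every origin.
    if origin == "$http_origin" and creds.lower() == "true":
        findings.add("reflected-origin-with-credentials")
    # Without "always", add_header skips 4xx/5xx responses such as a 502.
    if any(not always for _, always in cors.values()):
        findings.add("cors-headers-missing-on-error-responses")
    return sorted(findings)
```

`lint_cors(QUESTION_CONF)` reports both findings, while `lint_cors(ALLOWLIST_CONF)` reports none.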

proxy – nginx and wordpress – site2.com need to load content of site1.com/site2 without url change

  • I have 1st domain name site1.com – self-hosted wordpress and contains posts and pages. (everything good, no issue at all)
  • I have 2nd domain name site2.com – nothing hosted (dns pointing to same server as site1.com domain)

I need to configure the nginx server in such a way that, when users access site2.com, they get the content of the site1.com/site2 WordPress page. (Then the other pages’ links inside that page are fine, as site2.com is considered part of site1.com and users can click to load content with site1.com links.)

Details

  • I have tried proxy_pass etc., but none of it worked.
  • site2.com -> site1.com/site2 redirection is working with several techniques, but I don’t need that, as I need site2.com to land with the same URL on top but with site1.com/site2 content.
  • nginx version: nginx/1.14.2
  • OS – Debian GNU/Linux 10 (buster)
  • If there are other ways (non-nginx), still acceptable.

Thanks in advance.

security – What are sane values for Nginx Rate Limiting?

I’m trying to limit the number of concurrent connections to my site using Nginx limit_req. My goal is to defend the website against some users with a heavy hand on HTTrack, some aggressive bots and a couple of script kiddies. Nothing too hard, really.

I understood the whole leaky bucket analogy, but what I’m not so sure about is how deep the bucket should be.

I understand that a typical browser opens less than 10 concurrent connections to each host. So this would be approx. 15 requests per second, just to err on the side of caution:

limit_req_zone $binary_remote_addr zone=myzone:10m rate=15r/s;

Since these requests are more or less concurrent, I make them burstable:

limit_req zone=myzone burst=30 nodelay;

What do you think? Are these good values or are they too limiting/too broad?
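To see what `rate=15r/s` with `burst=30` accepts and rejects, the following simulation replays constructed traffic through a simplified model of the leaky-bucket accounting that `limit_req` applies per client key. It is an added example, not part of the original question; the function names and the three traffic patterns are assumptions.

```python
def simulate(arrivals_ms, rate=15, burst=30):
    """Model limit_req accounting for one client key; True means accepted.

    State is kept in thousandths of a request, as an integer, so the bucket
    drains by rate * elapsed_ms and every request adds 1000. "nodelay" only
    changes when an accepted request is forwarded, not whether it is accepted.
    """
    excess, last, verdicts = 0, None, []
    for now in arrivals_ms:
        if last is None:
            candidate = 0                      # first request seen for this key
        else:
            candidate = max(0, excess - rate * (now - last) + 1000)
        if candidate > burst * 1000:
            verdicts.append(False)             # rejected; state is not updated
            continue
        excess, last = candidate, now
        verdicts.append(True)
    return verdicts

# Constructed traffic patterns (milliseconds since the client's first request).
PAGE_LOAD = [i * 20 for i in range(40)]        # browser fetching 40 assets in 0.8 s
MIRROR = [i * 10 for i in range(1000)]         # crawler at a steady 100 r/s for 10 s
SPIKE = [0] * 50                               # 50 requests in the same millisecond

def accepted(arrivals_ms, **limits):
    """Number of requests the model lets through."""
    return sum(simulate(arrivals_ms, **limits))
```

In this model the 40-asset page load passes untouched, the 100 r/s crawler gets 180 of 1000 requests through (the burst of 30 plus 15 per second), and the same page load with `burst=0` keeps only 10 of its 40 requests.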

nginx – How to run a WordPress-CMS and an Angular 9 distribution in one domain?

I’m trying to install my Angular universal app and my CMS in a single domain. Therefore I would like to put the CMS (which is WordPress) in a subdirectory.
My current directory structure looks like this:

/httpdocs
|---dist        ...contains the Angular app
|---rest        ...contains backend REST-API files written in PHP
|---cms         ...contains the CMS WordPress installation

My nginx configuration is:

location ~ /rest {
    try_files $uri $uri/ /rest/index.php$is_args$args;
}

location ^~ .php$ {
    try_files $uri /index.php =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

location ~ / {
    proxy_pass http://127.0.0.1:4000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

And my .htaccess:

RewriteEngine On

RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^ - [L]

RewriteCond %{REQUEST_URI} ^/rest/
RewriteRule ^(.*)$ /rest/index.php#  [QSA,L,NC]

RewriteBase /cms/

RewriteRule ^wp-(.*)$ /cms/wp-$1 [QSA,L,NC]
RewriteRule ^packages/(.*)$ /cms/packages/$1 [QSA,L,NC]
RewriteRule ^?page_id=(.*)$ /cms/index.php?page_id=$1 [QSA,L,NC]
RewriteRule ^news/(.*)$ /cms/news/(.*)$1 [QSA,L,NC]

RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /cms/index.php [L]

# If the requested resource doesn't exist, use index.html
RewriteRule ^ /index.html

What I would like to achieve is:

https://MYURL.com/                  -> opens my Angular app
https://MYURL.com/rest/xxx          -> calls the REST-API of my Angular app
https://MYURL.com/wp-admin          -> opens my CMS Admin
https://MYURL.com/wp-json/wp/v2/... -> calls the CMS REST-API

But whatever I try, either the Angular app is running or the CMS, but not both. Does anybody see where I made the error? Is there maybe also a possibility to do it all in nginx? Unfortunately, I’m not really familiar with it.

One single Nginx 301 redirect to HTTPS + with WWW subdomain

Please, I don’t know what I am doing wrong. I have removed a default file entry from /etc/nginx/sites-enabled and there is only one enabled site:

server {
    listen              80;
    listen              443 ssl;
    server_name         example.com;
    
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    return 301          https://www.$server_name$request_uri;
}

server {
    listen              443 ssl;
    server_name         www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /django/example;
    }

    location /media/ {
        root /django/example;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/mydomain.sock;
    }
}

When I try a curl test, it is still doing two 301 redirects instead of one. It first redirects from http to https and then to www:

HTTP/1.1 301 Moved Permanently
Date: Tue, 24 Nov 2020 13:29:24 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 24 Nov 2020 14:29:24 GMT
Location: https://example.com/
...
...
Server: cloudflare

HTTP/2 301 
date: Tue, 24 Nov 2020 13:29:24 GMT
content-type: text/html
set-cookie: __cfduid=d750a6e7c1d415accb428ff6431220db01606224564; expires=Thu, 24-Dec-20 13:29:24 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
location: https://www.example.com/
cf-cache-status: DYNAMIC
...
...
server: cloudflare

HTTP/2 200 
date: Tue, 24 Nov 2020 13:29:25 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d075d1d072fd35d4ec365037a68bb30cdb608224565; expires=Thu, 24-Dec-20 13:29:25 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
...
...
server: cloudflare

Is there something wrong with my nginx configuration? Is it possible to do one single 301 redirect from http and non-www to https + www?

Thank you for any advice!

https – Nginx: could not allocate new session in SSL session shared cache “SSL” while SSL handshaking

What to make of this error? I get it a few times a day, often in a clump. 14 of them yesterday, scattered throughout, but with a cluster of 9 within a few seconds of each other.

My first thought was that my cache wasn’t big enough, but at 50m I think that’s good enough for 200,000 sessions. I have a timeout of 24h and typically get 1,000,000 page views per month, so I don’t think that’s likely to be the issue.

Furthermore, if the cache WERE to run out of space, I’m pretty sure it would just silently purge the oldest entry and add the new one, with no message in the error log.

So what causes this error? I feel it can’t be a problem with the system being IO-bound – I have NVMe drives that are barely tickled by the level of traffic I have.

Any ideas?

Thank you

server – Understanding the importance of Gunicorn and Nginx for Django web development

I’m entirely uninitiated to the world of web development, and only have a tentative grasp on Django and web development through the test server it works through.

From the guide I’m reading, the author turns to using Nginx once he starts working on site deployment, because Django is “not designed for real-life workloads.” What does that mean, and why doesn’t it? In terms of justification for using Gunicorn, the author remarks:

Do you know why the Django mascot is a pony? The story is that Django
comes with so many things you want: an ORM, all sorts of middleware,
the admin site… “What else do you want, a pony?” Well, Gunicorn
stands for “Green Unicorn”, which I guess is what you’d want next if
you already had a pony…

Well and good, but I don’t really know what the two are doing for the server. I know for web developers this is like asking what multiplication is to a maths professor, so please excuse the naivety. In your answer, please keep in mind I have almost no knowledge of web development other than what I’ve thus far learned from this guide, doing my best to understand as much as I can for the previously entirely uninitiated (I’m from a computational programming background).

nginx – GLPI appending :80 to CAS Callback URL

Problem:

GLPI is appending :80 to the callback URL for CAS authentication using Keycloak. After logging in successfully on Keycloak, the user gets redirected to the GLPI URL, which contains :80 in the URL, and is faced with SSL_ERROR_RX_RECORD_TOO_LONG on Firefox and similar error pages on other browsers.

Details:

I have deployed GLPI 9.1.3 using docker with the following configurations:

Environment: AWS EC2 Instance (Ubuntu 18.04)
Reverse-Proxy: Nginx
GLPI mapped to port 6969

Here is my docker-compose.yaml file:

    version: "3.2"

    services:
    #Mysql Container
      mysql:
        image: mysql:5.7.23
        container_name: mysql
        hostname: mysql
        command: --default-authentication-plugin=mysql_native_password
        volumes:
          - ./mysql_data:/var/lib/mysql
        environment:
          - MYSQL_ROOT_PASSWORD=password
          - MYSQL_DATABASE=glpidb
          - MYSQL_USER=glpi_user
          - MYSQL_PASSWORD=glpi_password
        restart: always

    #GLPI Container
      glpi:
        build: .
        container_name : glpi
        hostname: glpi
        depends_on:
          - mysql
        ports:
          - 127.0.0.1:6969:80
        volumes:
          - /etc/timezone:/etc/timezone:ro
          - /etc/localtime:/etc/localtime:ro
          - ./html/glpi/:/var/www/html/glpi
          - ./plugins:/var/www/html/glpi/plugins
        environment:
          - TIMEZONE=Europe/Brussels
        restart: always
        links:
          - "mysql:mysql"

You might notice that this does not use the official GLPI image. Below is my Dockerfile to build the image:

    FROM diouxx/glpi

    RUN echo 'ServerName glpi.jai-kisan.com' >> /etc/apache2/apache2.conf

Command for deploying the containers:
docker-compose up --build

I also have a Keycloak service with CAS authentication enabled using github/jacekkow’s project.

The GLPI service is running behind an Nginx proxy listening on port 80:

    server {
            listen 80;
            server_name glpi.example.com;
            location / {
                    proxy_pass http://localhost:6969;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
                    proxy_buffering off;
            }
    }

python – NGINX uwsgi_pass to flask websocket server on linux getting “Error during WebSocket handshake: Unexpected response code: 502”

I’m trying to connect to a Flask websocket and am getting “Error during WebSocket handshake: Unexpected response code: 502”.

My nginx configuration is:

server {
    listen 8001;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/myuser/run/project_uwsgi.sock;
    }
    location /socket.io/ {
            include uwsgi_params;
            uwsgi_pass unix:///home/myuser/run/project_uwsgi.sock;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
    }
}