Friday, December 21, 2018

reverse proxy - Nginx Redirect all location block to https except 1




I have an nginx config where everything is forced to https. I wanted to add a location block which is served over http. I get a "Too many redirects" with my current config.



Here's the config



# HTTP
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name example.com;

    # redirect non-SSL to SSL
    location / {
        return 301 https://$server_name$request_uri;
    }

    location /blog {
        rewrite ^/blog/(.*)$ /$1 break;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        proxy_pass http://remote-ip;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS server
server {
    listen 443 ssl spdy;

    server_name example.com;

    ssl_certificate /path/to/pem/file/fullchain.pem;
    ssl_certificate_key /path/to/private/key/privkey.pem;

    # performance enhancement for SSL
    ssl_stapling on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # safety enhancement to SSL: make sure we actually use a safe cipher
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    location /blog {
        return 301 http://$host$request_uri;
    }

    # pass all requests to Meteor
    location / {
        # meteor application config
    }
}


As you can see in the config, all requests to the /blog location block are reverse proxied to another server. I do not want to enforce https here.



As mentioned before, if I go to example.com/blog, I get a "Too many redirects". The other location block is working as expected.


Answer



You cannot do this because you're enabling HSTS and thus telling the browser to only browse your domain via HTTPS. If you need to do this, remove this line and clear your browser cache:




add_header Strict-Transport-Security "max-age=31536000;";
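As an added illustration (not part of the question or the answer), the loop the answer describes can be reproduced with a small model of the two server blocks and an HSTS-aware client: once the browser has cached the Strict-Transport-Security header from any HTTPS page on example.com, every http://example.com/blog request is upgraded client-side, the HTTPS server answers 301 to http://, and the cycle never reaches the proxied blog. The routing function, the redirect cap and the sample URLs are assumptions chosen to mirror the config above.

```python
# Added example: models the nginx config from the question and a browser
# that honours HSTS. Not nginx code; the routing below is hand-written
# from the two server blocks shown above.
from typing import Optional, Set, Tuple

MAX_REDIRECTS = 20  # assumed cap, similar to what browsers apply before giving up


def nginx(scheme: str, path: str, hsts_enabled: bool) -> Tuple[int, Optional[str], dict]:
    """Model of the two server blocks: returns (status, Location, response headers)."""
    if scheme == "http":
        if path.startswith("/blog"):
            return 200, None, {}  # proxied to the blog backend (proxy_pass)
        return 301, f"https://example.com{path}", {}  # 'location /' on port 80
    # HTTPS server: add_header applies to every response, including the 301 below
    headers = {"Strict-Transport-Security": "max-age=31536000;"} if hsts_enabled else {}
    if path.startswith("/blog"):
        return 301, f"http://example.com{path}", headers  # 'location /blog' on 443
    return 200, None, headers  # Meteor application


def browse(url: str, hsts_enabled: bool, hsts_cache: Optional[Set[str]] = None):
    """HSTS-aware client. Returns ('ok', final_url) or ('loop', hops_taken)."""
    hsts_cache = set() if hsts_cache is None else hsts_cache
    hops = 0
    while hops < MAX_REDIRECTS:
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if host in hsts_cache:  # browser rewrites http:// to https:// before sending
            scheme, url = "https", f"https://{host}{path}"
        status, location, headers = nginx(scheme, path, hsts_enabled)
        if "Strict-Transport-Security" in headers:
            hsts_cache.add(host)  # max-age=31536000: effectively persistent here
        if status == 200:
            return "ok", url
        url = location
        hops += 1
    return "loop", hops


def scenario(hsts_enabled: bool):
    """Visit the main site first (as a real user would), then the blog over http."""
    cache: Set[str] = set()
    browse("https://example.com/", hsts_enabled, cache)
    return browse("http://example.com/blog", hsts_enabled, cache)
```

With the header present, `scenario(True)` exhausts the redirect budget; with it removed, `scenario(False)` lands on the blog over plain http, which is exactly the trade the answer describes: the whole host loses its HSTS protection to exempt one path.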
