proxy_set_header does not support X-Forwarded-Proto and X-Forwarded-Port #476

Closed
epicwhale opened this issue Oct 14, 2014 · 8 comments

@epicwhale

location_custom_cfg => {
    'proxy_set_header' => {
      'X-Real-IP'         => '$remote_addr',
      'X-Forwarded-For'   => '$proxy_add_x_forwarded_for',
      'X-Forwarded-Proto' => 'https',
      'X-Forwarded-Port'  => '443',
      'Host'              => '$host'
    },
  }

Doing the above removes the X-Forwarded-Proto and X-Forwarded-Port headers.

Is it because it's missing here?
https://github.com/jfryman/puppet-nginx/blob/master/data/common.yaml#L26

@3flex
Contributor

3flex commented Oct 23, 2014

Hi @epicwhale you should use proxy_set_header parameter for this, e.g.

$proxy_set_header = [
      'X-Real-IP         $remote_addr',
      'X-Forwarded-For   $proxy_add_x_forwarded_for',
      'X-Forwarded-Proto https',
      'X-Forwarded-Port  443',
      'Host              $host'
]

You can set this parameter either on the nginx class to have this as the default value for all vhosts, or you can set it on your vhost definitions for vhost specific setup.

@epicwhale
Author

@3flex isn't the config of proxy header this --> https://github.com/jfryman/puppet-nginx/blob/master/data/common.yaml#L37 ?

Which allows only three headers.

nginx::config::proxy_set_header:
  - 'Host $host'
  - 'X-Real-IP $remote_addr'
  - 'X-Forwarded-For $proxy_add_x_forwarded_for'

I want the proxy config to be INSIDE a location { } nginx block.

@3flex
Contributor

3flex commented Oct 24, 2014

Oh sorry, my mistake.

I'd expect the code you provided to work. Can you show more of your location/vhost declaration? Maybe something's missing from that and the location's not being declared correctly, so it doesn't end up rendering the config file.

@tizzo

tizzo commented Dec 4, 2014

I'm having the same problem. My config file looks like this:

class { 'nginx': }
nginx::resource::vhost { 'example.com':
  listen_port      => 443,
  proxy            => 'http://localhost:80',
  rewrite_to_https => false,
  ssl              => true,
  ssl_cert         => '/some/path.crt',
  ssl_key          => '/some/path.key',
  ssl_ciphers      => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5',
  proxy_set_header => [
    'X-Real-IP         $remote_addr',
    'X-Forwarded-For   $proxy_add_x_forwarded_for',
    'X-Forwarded-Proto https',
    'X-Forwarded-Port  443',
    'Host              $host'
  ],
}

This yields the following configuration:

server {
  listen       *:443 ssl;
  server_name  example.com;

  ssl on;

  ssl_certificate           /some/path.crt;
  ssl_certificate_key       /some/path.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;


  client_max_body_size 25M;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-example.com.access.log combined;
  error_log             /var/log/nginx/ssl-example.com.error.log;

  proxy_set_header        Host $host;
  proxy_set_header        Connection close;
  proxy_set_header        X-FORWARDED-PROTO https;

  location / {
    proxy_pass            http://localhost:80;
    proxy_read_timeout    90;
    proxy_connect_timeout 90;
    proxy_redirect        off;

    proxy_set_header        Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

  }
}

I got this doing what I needed by moving the proxy_pass configuration into the global nginx class definition as @3flex suggested (I know I should be using Hiera and got the warning, but this illustrates the behavior very simply):

class { 'nginx':
  proxy_set_header     => [
    'X-Real-IP         $remote_addr',
    'X-Forwarded-For   $proxy_add_x_forwarded_for',
    'X-Forwarded-Proto https',
    'X-Forwarded-Port  443',
    'Host              $host'
  ],
}
nginx::resource::vhost { 'example.com':
  listen_port          => 443,
  proxy                => 'http://localhost:80',
  rewrite_to_https     => false,
  client_max_body_size => '25M',
  ssl                  => true,
  ssl_cert             => '/some/path.crt',
  ssl_key              => '/some/path.key',
  ssl_ciphers          => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5',
}

This config yields:

server {
  listen       *:443 ssl;
  server_name  example.com;

  ssl on;

  ssl_certificate           /some/path.crt;
  ssl_certificate_key       /some/path.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;


  client_max_body_size 25M;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-example.com.access.log combined;
  error_log             /var/log/nginx/ssl-example.com.error.log;


  location / {
    proxy_pass            http://localhost:80;
    proxy_read_timeout    90;
    proxy_connect_timeout 90;
    proxy_redirect        off;

    proxy_set_header      X-Real-IP         $remote_addr;
    proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto https;
    proxy_set_header      X-Forwarded-Port  443;
    proxy_set_header      Host              $host;

  }
}

Specifying these proxy_set_header directives outside of the location directive does not work properly. It seems like this should be configurable outside the location resource, but this workaround is working for me.

I don't have time to roll a PR at the moment but hopefully this example can be helpful to others.
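Added example (not part of the thread or of the puppet-nginx module): nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none of its own, so the server-level `X-FORWARDED-PROTO` in the first rendered config above never reaches the backend from `location /`. The script below applies that rule to a rendered config and reports which required headers each location actually lacks; the function names, the `RENDERED` sample (a trimmed copy of the output above) and the one-directive-per-line parsing are assumptions of this example.

```python
import re

# Constructed sample: trimmed copy of the first rendered server block in this thread.
RENDERED = """
server {
  server_name  example.com;
  proxy_set_header        Host $host;
  proxy_set_header        Connection close;
  proxy_set_header        X-FORWARDED-PROTO https;
  location / {
    proxy_pass            http://localhost:80;
    proxy_set_header        Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
"""

def effective_proxy_headers(conf):
    """Map each location to the proxy_set_header set nginx applies to it.

    Assumes one directive per line and '{' / '}' at line ends (hypothetical
    minimal parser, enough for template-rendered configs like the one above)."""
    stack = [("main", [])]  # (block name, proxy_set_header pairs at that level)
    result = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append((line[:-1].strip(), []))
        elif line == "}":
            name, own = stack.pop()
            if name.startswith("location"):
                # Inherit from the nearest ancestor only if this level set none.
                chosen = own or next((h for _, h in reversed(stack) if h), [])
                result[name] = {k.lower(): v for k, v in chosen}
        else:
            m = re.match(r"proxy_set_header\s+(\S+)\s+(.*?);$", line)
            if m:
                stack[-1][1].append((m.group(1), m.group(2)))
    return result

def missing_headers(conf, required=("x-forwarded-proto", "x-forwarded-port")):
    """List, per location, the required headers that are not effectively set."""
    return {loc: [h for h in required if h not in hdrs]
            for loc, hdrs in effective_proxy_headers(conf).items()}

if __name__ == "__main__":
    print(missing_headers(RENDERED))
```

Running a check like this against the rendered vhost files in CI catches a backend that would otherwise see TLS-terminated requests without the scheme and port headers it relies on.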

@supernovae

I have the same problem; the above config pattern worked for me though.

@tizzo

tizzo commented Mar 18, 2015

It's worth noting the above configuration pattern won't help you if you need to differentiate any two vhosts and have some proxies have certain headers and not others…

@sabretus

For me it works like this perfectly fine:

  include nginx

  nginx::resource::vhost { "${domain}-ssl":
    server_name           => [ "${domain}" ],
    listen_port           => 443,
    proxy                 => $proxy_host,
    proxy_set_header      => [
      'X-Real-IP         $remote_addr',
      'X-Forwarded-For   $proxy_add_x_forwarded_for',
      'X-Forwarded-Proto https',
      'X-Forwarded-Port  443',
      'Host              $host' 
    ],
    ssl                   => true,
    ssl_cert              => "${cert_path}",
    ssl_key               => "${key_path}",
  }

And I could define my module as many times as needed.

@wyardley
Collaborator

Is anyone still seeing this problem as of now (with a recent version of the module)? I have tested this recently and worked for me as expected, so I'm going to close this for now.
