Comments (16)

sgehrman commented on July 21, 2024

I did update all my packages and I got the latest docker image

from docker-nginx-ssl-proxy.

sgehrman commented on July 21, 2024

Request URL: https://support.cocoatech.com/discussions
Request Method: GET
Status Code: 302
Remote Address: 68.183.165.239:443
Referrer Policy: strict-origin-when-cross-origin
cache-control: no-cache, private
content-security-policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
content-type: text/html; charset=utf-8
date: Tue, 17 Aug 2021 22:40:30 GMT
location: https://support.cocoatech.com/discussions
p3p: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"
server: nginx
set-cookie: anon_token=c4e40fd12; path=/; expires=Wed, 17-Aug-2022 22:40:30 GMT; HttpOnly; SameSite=Lax
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: allowall
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: 412a50de0138deccb8636b31a70e05e1
x-runtime: 0.018587
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=block
:authority: support.cocoatech.com
:method: GET
:path: /discussions
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
cookie: anon_token=c4e40fd12
pragma: no-cache
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-site
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

DanielDent commented on July 21, 2024

My guess would be that your origin server is not recognizing the headers passed by the proxy which indicate that the connection is over SSL. It's probably trying to redirect to SSL, when the connection is already happening over SSL (it just doesn't know it). The log output from the docker container might help debug, as would logs from the origin server.

sgehrman commented on July 21, 2024

docker logs
192.99.13.186 - - [17/Aug/2021:23:06:16 +0000] "GET /discussions/problems/33066-path-finder-715-wont-start/toggle_access HTTP/1.1" 302 174 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
178.63.87.197 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:19 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"
45.17.138.136 - - [17/Aug/2021:23:06:20 +0000] "GET /discussions HTTP/2.0" 302 107 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"

sgehrman commented on July 21, 2024

but it seems the server is getting hit by other users?

178.63.87.197 - - [17/Aug/2021:23:06:49 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
54.36.148.248 - - [17/Aug/2021:23:06:51 +0000] "GET /discussions/problems/31933-pf712-fail-on-boot-segfault-error/comments/1 HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)" "-"
178.63.87.197 - - [17/Aug/2021:23:06:55 +0000] "GET /discussions/problems/120728-refresh-of-tags HTTP/1.1" 302 150 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"
178.63.87.197 - - [17/Aug/2021:23:07:01 +0000] "GET /discussions/problems/120728-refresh-of-tags.atom?category=problems&discussion=120728-refresh-of-tags HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)" "-"

sgehrman commented on July 21, 2024

server is here: https://support.cocoatech.com/discussions

sgehrman commented on July 21, 2024

    nginx-ssl-proxy:
      image: danieldent/nginx-ssl-proxy
      restart: always
      environment:
        SECURITY_HEADERS: skip
        UPSTREAM: cocoatech.tenderapp.com
        SERVERNAME: support.cocoatech.com
      ports:
        - "80:80"
        - "443:443"
      volumes:
        - "./cert:/etc/letsencrypt"

sgehrman commented on July 21, 2024

A few hours ago I deleted the docker image and did another docker-compose up -d, so it should be fresh.
And it worked for years.

I had to update it because I was using an old ACME v1? So I updated everything.

sgehrman commented on July 21, 2024

I just restarted removing that SECURITY_HEADERS just to test. No difference

sgehrman commented on July 21, 2024

Here's what I'm trying to do. I have this support server at cocoatech.tenderapp.com (3rd party service).
But I wanted the users to go through my own domain, support.cocoatech.com.
So I set up a DigitalOcean server and run your docker image to forward to tenderapp.com.
68.183.165.239 is the IP address of my DigitalOcean server.

DanielDent commented on July 21, 2024

The cocoatech.tenderapp.com service has stopped honouring the X-Forwarded-Proto header and/or has implemented https for themselves. This is probably for the best, as you've been passing your traffic unencrypted to them, presumably over a public network. This proxy image connects to the upstream server over http. You'd need to create a custom configuration/build to connect to the origin over https.

curl -v -H "X-Forwarded-Proto: https" http://cocoatech.tenderapp.com
*   Trying 192.228.96.17:80...
* Connected to cocoatech.tenderapp.com (192.228.96.17) port 80 (#0)
> GET / HTTP/1.1
> Host: cocoatech.tenderapp.com
> User-Agent: curl/7.72.0
> Accept: */*
> X-Forwarded-Proto: https
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.16.0
< Date: Tue, 17 Aug 2021 23:27:53 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"
< Location: https://cocoatech.tenderapp.com/
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< Set-Cookie: anon_token=6e2ad6daa; path=/; expires=Wed, 17-Aug-2022 23:27:53 GMT; HttpOnly; SameSite=Lax
< X-Request-Id: 990b1ed6ff1a10a4806d29563bb8f606
< X-Runtime: 0.017960
< X-Rack-Cache: miss
< Content-Security-Policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.tawk.to *.tawk.to nrpc.olark.com hooks.slack.com; img-src 'self' http: https: data:; report-uri https://help.tenderapp.com/csp_report
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: allowall
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 1; mode=block
< 
* Connection #0 to host cocoatech.tenderapp.com left intact
<html><body>You are being <a href="https://cocoatech.tenderapp.com/">redirected</a>.</body></html>

sgehrman commented on July 21, 2024

I know almost nothing about this. How do I configure your docker image to do this?

sgehrman commented on July 21, 2024

If it's difficult, I could just remove the whole thing and use their url.

sgehrman commented on July 21, 2024

But I'm kind of worried about existing links that people might have saved or referred to in the forums.

sgehrman commented on July 21, 2024

hey, I got it working!

I changed this:
    upstream origin {
        server cocoatech.tenderapp.com:443;
    }

And this:

    proxy_pass https://origin;

from docker-nginx-ssl-proxy.
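
The change above puts the proxy-to-origin hop on TLS, but nginx's defaults for that hop are `proxy_ssl_verify off` and `proxy_ssl_server_name off`, and with `proxy_pass https://origin;` the name used for SNI and certificate matching defaults to the upstream group name `origin`. The fragment below is an added example showing the posted form beside a verified one; it is not part of the thread or of the image's shipped configuration. The `location /` wrapper and the CA bundle path are assumptions.

```nginx
# As posted in the thread: the hop to the origin is encrypted, but with nginx
# defaults the origin certificate is not verified and no SNI name is sent.
#
#   upstream origin { server cocoatech.tenderapp.com:443; }
#   proxy_pass https://origin;

upstream origin {
    server cocoatech.tenderapp.com:443;
}

# Goes inside the existing server { } block. The "location /" wrapper is an
# assumption about where the image's configuration places proxy_pass; any
# proxy_set_header lines already there stay unchanged.
location / {
    proxy_pass https://origin;

    # Send SNI to the origin. Without an explicit proxy_ssl_name the name is
    # $proxy_host, which here is the group name "origin", not the real host.
    proxy_ssl_server_name on;
    proxy_ssl_name        cocoatech.tenderapp.com;

    # Verify the origin's certificate chain and that it matches proxy_ssl_name.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    # Assumed path: the Debian/Ubuntu system CA bundle; adjust to the base image.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Refuse legacy protocol versions on the proxy-to-origin hop.
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
```

With verification on, a certificate or name mismatch shows up as a 502 to the client and an `upstream SSL certificate verify error` entry in the nginx error log, which points at the CA bundle path or `proxy_ssl_name`.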

DanielDent commented on July 21, 2024

😄
