
Reverse proxy with nginx


Hi!

I'm trying to run podify behind an nginx reverse proxy, but I'm getting this error in Safari:

Too many redirects occurred trying to open “https://podify.hogwarts.zone”. This might occur if you open a page that is redirected to open another page, which then is redirected to open the original page.

Any idea how I should configure podify to make this work?

Here's my docker-compose.yml

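version: '3.4'

# Settings shared by `web` and `worker`, pulled in below with `<<:`.
# The merge is shallow: a service that declares its own `environment:`
# replaces this whole map, which is why both services re-merge `*app-env`.
x-app-defaults: &app-defaults
  restart: always
  environment: &app-env
    URL_HOST: https://podify.hogwarts.zone
    # Must agree with POSTGRES_USER / POSTGRES_PASSWORD on the `db` service.
    # The credential is written twice in this file; an `env_file:` keeps it in
    # one place and out of pasted configs like this one.
    DATABASE_URL: postgres://podify:verysecurepassword@db/podify
    REDIS_URL: redis://redis
    SECRET_KEY_BASE: SECRET
    # Quoted on purpose: an unquoted `yes`/`no` is parsed as a YAML boolean,
    # and the container receives these as strings either way.
    RAILS_LOG_TO_STDOUT: "yes"
    STORAGE_DIR: /storage
    INITIAL_USER_EMAIL: SECRET
    INITIAL_USER_PASSWORD: SECRET
    ENABLE_SIGNUP: "no"

  volumes:
    - storage:/storage

  depends_on:
    - db
    - redis

services:
  web:
    <<: *app-defaults
    image: maxhollmann/podify-web:latest
    # Deliberately not published on the host: nginx reaches the container by
    # name over the shared `proxy` network instead.
    #ports:
      #- 3000:3000
    environment:
      <<: *app-env
    # Only `web` has to be reachable from the nginx container. Without this,
    # every service joined the nginx network and db/redis were reachable by
    # any other container attached to it.
    networks:
      - default
      - proxy

  worker:
    <<: *app-defaults
    image: maxhollmann/podify-worker:latest
    environment:
      <<: *app-env

  db:
    image: postgres:12.3
    restart: always
    environment:
      POSTGRES_USER: podify
      POSTGRES_PASSWORD: verysecurepassword
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - pgdata:/var/lib/postgresql/data/pgdata

  redis:
    image: redis:6
    restart: always

# Explicit `{}`: a bare `pgdata:` parses as null, which Compose tolerates but
# yamllint flags as an empty value.
volumes:
  pgdata: {}
  storage: {}

networks:
  # Project-private network (created by Compose) for db/redis/worker traffic.
  default: {}
  # Network shared with the nginx/certbot stack; only `web` joins it.
  proxy:
    external:
      name: nginx-certbot_default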

Can you share your nginx config?

Here is my site config for nginx:


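server {
    # Docker's embedded DNS with a short TTL, so a recreated web container is
    # picked up without reloading nginx. Needed because proxy_pass below uses
    # a variable, which makes nginx resolve the name at request time.
    resolver 127.0.0.11 valid=30s;

    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             podify.hogwarts.zone;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/podify.hogwarts.zone/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/podify.hogwarts.zone/privkey.pem;
    # Only consulted by ssl_stapling or client-certificate verification;
    # neither is enabled in this block, so the directive is currently inert.
    ssl_trusted_certificate /etc/letsencrypt/live/podify.hogwarts.zone/chain.pem;

    # security headers
    # `always` attaches them to error responses too. add_header is not
    # inherited into a location that declares its own add_header; none of the
    # locations below do, so these apply to every response from this server.
    add_header X-Frame-Options           "SAMEORIGIN" always;
    # Set to "0" rather than "1; mode=block": the legacy browser XSS auditor
    # had filter bypasses and information leaks of its own, and current
    # guidance is to disable it and rely on CSP instead.
    add_header X-XSS-Protection          "0" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    # Permissive on purpose (any http:/https: origin plus inline scripts), so
    # it documents intent more than it restricts; tighten once the app's real
    # script/style sources are known.
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    # One year, covers all subdomains and opts into browser preload lists;
    # hard to back out of once browsers have cached it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # . files — refuse dotfiles/dotdirs except .well-known
    location ~ /\.(?!well-known) {
        deny all;
    }

    # reverse proxy
    location / {
        # Presumably the Compose default container name (<project>_<service>_<n>)
        # of the `web` service; resolved per request through the resolver above.
        set $upstream podify_web_1;
        proxy_pass http://$upstream:3000;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;

        # WebSocket passthrough. "upgrade" is sent on every proxied request,
        # not only when the client asked for one; the usual remedy is an
        # http-level `map $http_upgrade $connection_upgrade` and
        # `proxy_set_header Connection $connection_upgrade;`.
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";

        # Forwarding headers the upstream uses to reconstruct the external
        # URL. On this listener $scheme is "https" and $server_port is 443.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Proxy timeouts
        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;
    }

    # favicon.ico — exact match; still proxied, just not logged
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # robots.txt — exact match; still proxied, just not logged
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    # brotli (requires the ngx_brotli module; left disabled)
    #brotli on;
    #brotli_comp_level 6;
    #brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}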

# HTTP redirect
server {
    listen  80;
    listen  [::]:80;
    server_name             podify.hogwarts.zone;

    # ACME-challenge
    # Served from disk so certificate renewals keep working over plain HTTP.
    # `^~` stops regex locations from being considered once this prefix
    # matches; this server has none, so it is harmless here.
    location ^~ /.well-known/acme-challenge/ {
    	root /var/www/certbot;
    }

    # Everything else: permanent redirect to HTTPS on the canonical host,
    # keeping the request path and query string.
    location / {
        return 301 https://podify.hogwarts.zone$request_uri;
    }
}

See anything strange in my proxy config? :)

Not really, looks good to me. Can you check what the logs of the web service say when this happens?