Wrong Proxy redirect Nginx breaks Site
Summary
Hello. I cannot access Flectra because the redirects are broken. I have set up Flectra following the documentation for the deployment. If I connect to my test domain via HTTP I get redirected to HTTPS. Then the site breaks. Test Here by Clicking Blog.
Every time Flectra internally redirects me (301), e.g. from / to web/database/selector, it replaces the domain name with flectra (this is the upstream server).
Steps to reproduce
Go to the test site. Click Blog. Then the server will redirect you to the wrong domain. This happens every time you get this kind of redirect.
NGINX Config
Here you see my extended version of the nginx config. In the nginx part of the deploy (see /etc/nginx/sites-enabled/flectra.conf) you use flectra and flectrahq as variables where the proxy pass is pointing. This breaks nginx. That is why I changed flectrahq to flectra, because flectrahq is not defined.
upstream flectra {
    server 127.0.0.1:7073;
}
upstream flectrachat {
    server 127.0.0.1:8072;
}
server {
    listen 80;
    server_name {{ server_hostname }} www.{{ server_hostname }};
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name www.{{ server_hostname }};
    ssl_certificate /etc/letsencrypt/live/{{ server_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ server_hostname }}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256 TLS-AES-256-GCM-SHA384 TLS-AES-128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    return 301 https://{{ server_hostname }}$request_uri;
}
server {
    listen 443;
    server_name {{ server_hostname }};
    # Add Headers for flectra proxy mode
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    # Add Headers for flectra proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    # SSL Parameters
    ssl on;
    ssl_certificate /etc/letsencrypt/live/{{ server_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ server_hostname }}/privkey.pem;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256 TLS-AES-256-GCM-SHA384 TLS-AES-128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    #log
    access_log /var/log/nginx/flectra_access.log;
    error_log /var/log/nginx/flectra_error.log;
    # Redirect requests to flectra backend server
    location / {
        proxy_redirect off;
        proxy_pass http://flectra;
    }
    location /longpolling {
        proxy_pass http://flectrachat;
    }
    # common gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
What is the current bug behavior?
Redirects to a non-existing domain.
What is the expected correct behavior?
Should stay on the correct domain.
Relevant logs and/or screenshots
As you see here the host still has the correct Domain. But the location points to the wrong URL.
This is wrong Location: https://flectra/blog/our-blog-1
This would be correct Location: https://u.nard.ca/blog/our-blog-1
~ # ❯❯❯ curl https://u.nard.ca/blog/1 -v
* Trying 116.203.119.174:443...
* TCP_NODELAY set
* Connected to u.nard.ca (116.203.119.174) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=u.nard.ca
* start date: Oct 24 12:37:12 2020 GMT
* expire date: Jan 22 12:37:12 2021 GMT
* subjectAltName: host "u.nard.ca" matched cert's "u.nard.ca"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET /blog/1 HTTP/1.1
> Host: u.nard.ca
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 MOVED PERMANENTLY
< Server: nginx/1.18.0 (Ubuntu)
< Date: Thu, 29 Oct 2020 10:55:08 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 239
< Connection: keep-alive
< Location: https://flectra/blog/our-blog-1
< Set-Cookie: frontend_lang=en_US; Path=/
< Set-Cookie: session_id=41f321b7aae807b882bc9c35d9e68630aa20869f; Expires=Wed, 27-Jan-2021 10:55:08 GMT; Max-Age=7776000; HttpOnly; Path=/
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Connection #0 to host u.nard.ca left intact
<p>You should be redirected automatically to target URL: <a href="/blog/our-blog-1">/blog/our-blog-1</a>. If not click the link.#
Possible fixes
This seems to be an error in the parsing of the proxy headers added to nginx. Otherwise I have misconfigured nginx.
I currently want to migrate from Odoo to Flectra. This is the last breaking issue. Please help me solve this so I can use Flectra for a non-profit project.
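Added example (not part of the original report, and not nginx or Flectra code): a Python model of the proxy hop in the posted config, showing how a `Location: https://flectra/...` like the one in the curl output can arise. It relies on nginx's default `proxy_set_header Host $proxy_host;` (the upstream name), which the posted config never overrides; the backend function, its `trust_proto`/`trust_host` flags, `TRUSTED_PROXIES` and the direct-client address are assumptions chosen to match the observed header.

```python
# Added example: a model of the proxy hop, not nginx or Flectra source code.
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: nginx and the backend share a host


def nginx_upstream_headers(client_host, upstream_name, set_host=False):
    """Headers nginx sends upstream for `proxy_pass http://<upstream_name>;`."""
    return {
        # nginx default is `proxy_set_header Host $proxy_host;`, i.e. the
        # upstream name, unless the config adds `proxy_set_header Host $host;`.
        "Host": client_host if set_host else upstream_name,
        # These two mirror the proxy_set_header lines in the posted config.
        "X-Forwarded-Host": client_host,
        "X-Forwarded-Proto": "https",
    }


def backend_location(headers, peer_ip, path, trust_proto=True, trust_host=False):
    """Absolute redirect URL built by a hypothetical backend.

    Forwarded headers are honoured only when the TCP peer is a known proxy;
    otherwise any client could choose the host that redirects point at.
    The defaults (scheme trusted, host not) are an assumption that matches
    the `https://flectra/...` Location in the curl output.
    """
    from_proxy = peer_ip in TRUSTED_PROXIES
    scheme, host = "http", headers["Host"]
    if from_proxy and trust_proto:
        scheme = headers.get("X-Forwarded-Proto", scheme)
    if from_proxy and trust_host:
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{path}"


def scenarios(path="/blog/our-blog-1"):
    """Redirect targets for the posted config and two ways of correcting it."""
    posted = nginx_upstream_headers("u.nard.ca", "flectra")
    with_host = nginx_upstream_headers("u.nard.ca", "flectra", set_host=True)
    # Constructed request that bypasses nginx and supplies its own header.
    direct = {"Host": "198.51.100.7:7073", "X-Forwarded-Host": "untrusted.example"}
    return {
        "posted_config": backend_location(posted, "127.0.0.1", path),
        "host_header_set": backend_location(with_host, "127.0.0.1", path),
        "forwarded_host_trusted": backend_location(posted, "127.0.0.1", path, trust_host=True),
        "direct_client": backend_location(direct, "203.0.113.9", path, trust_host=True),
    }
```

In this model the redirect stays on the public domain either when nginx passes the original `Host` upstream or when the backend accepts `X-Forwarded-Host` from the proxy address only.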