Skip to content

endless redirect when trying to access webclient

Hi,

I installed psono server, the webclient, the admin client and the reverse proxy using nginx. Everything seems to work, the docker containers are up and running and I can access the admin website under /portal. But when I try to access the webclient I get into a redirect loop and my url looks like this: https://psono.example.com/psono.example.com/psono.example.com/psono.example.com/psono.example.com/...

I assume my nginx config is broken and checked it like 10 times, but cannot figure out what exactly is wrong. Any ideas?

    server {
    listen 80;
    server_name psono.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name psono.example.com;    
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_timeout 1d;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_ciphers '';

    # Comment this in if you know what you are doing
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    add_header Referrer-Policy same-origin;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # If you have the admin fileserver installed too behind this reverse proxy domain, add your fileserver URL e.g. https://fs01.example.com as connect-src too:
    add_header Content-Security-Policy "default-src 'none';  manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'";

    ssl_certificate /etc/letsencrypt/live/psono.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/psono.example.com/privkey.pem;

    client_max_body_size 256m;

    gzip on;
    gzip_disable "msie6";
    
gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
    
    root /var/www/html;
    
    location /server {
                rewrite ^/server/(.*) /$1 break;
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

        add_header Last-Modified $date_gmt;
        add_header Pragma "no-cache";
        add_header Cache-Control "private, max-age=0, no-cache, no-store";
        if_modified_since off;
        expires off;
        etag off;
    
                proxy_pass          http://localhost:10100;
    }
    
    location ~* ^/portal.*\.(?:ico|css|js|gif|jpe?g|png|eot|woff|woff2|ttf|svg|otf)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";

        # Remove the leading # from the following lines if you have the admin webclient running in a docker container
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://localhost:10102;
        proxy_redirect      http://localhost:10102 https://psono.example.com;
    }
 location ~* \.(?:ico|css|js|gif|jpe?g|png|eot|woff|woff2|ttf|svg|otf)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    
        # Remove the leading # from following lines if you have the webclient running in a docker container
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://localhost:10101;
        proxy_redirect      http://localhost:10101 https://psono.example.com;
    }
    
    # Remove the leading # from following lines if you have the admin webclient running in a docker container
     location /portal {
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                proxy_read_timeout  90;

                proxy_pass          http://localhost:10102;
     }
    
    # Remove the leading # from following lines if you have the admin webclient NOT running in a docker container
    # location /portal {
    #     index  index.html index.htm;
    #     try_files $uri /portal/index.html;  # forward all requests to index.html
    # }
    
    # Remove the leading # from following lines if you have the webclient running in a docker container
    location / {
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                proxy_pass          http://localhost:10101;
                proxy_read_timeout  90;
        #
                proxy_redirect      http://localhost:10101 https://psono.example.com;
    }
}

Thanks for looking into this.

Edited by Sven Richter