
Serve all traffic via Nginx reverse proxy #3057

Closed
nixgadget opened this issue Jul 17, 2018 · 2 comments

Comments

@nixgadget

commented Jul 17, 2018

Has anyone been able to get Nginx to work as the reverse proxy?

I've got the following config, however it's failing to work as it keeps redirecting to http rather than https after authentication.

upstream deck {
    server 127.0.0.1:9000 fail_timeout=3;
}

upstream gate {
    server 127.0.0.1:8084 fail_timeout=3;
}

server {
    listen       80;
    listen       443 default ssl;

    #ssl on;
    ssl_certificate /etc/ssl/certs/nginx-spinnaker.crt;
    ssl_certificate_key /etc/ssl/private/nginx-spinnaker.key;

    server_name  devspinnaker.test.co;

    location /login {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        # We match = "http" rather than != "https" because we don't want it
        # to redirect if you're running docker locally.  And '=', not '=='
        # because nginx.
        if ($http_x_forwarded_proto = "http") {
            rewrite ^(.*)$ https://$http_host$1 permanent;
        }

        proxy_pass http://gate/login;
    }

    location /auth/redirect {
         rewrite ^(.*)$ https://$http_host$1 permanent;
    }

    location ~ /gate/(?<gate_path>.+) {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        # We match = "http" rather than != "https" because we don't want it
        # to redirect if you're running docker locally.  And '=', not '=='
        # because nginx.
        if ($http_x_forwarded_proto = "http") {
            rewrite ^(.*)$ https://$http_host$1 permanent;
        }

        proxy_pass http://gate/$gate_path$is_args$args;
    }

    location / {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        # We match = "http" rather than != "https" because we don't want it
        # to redirect if you're running docker locally.  And '=', not '=='
        # because nginx.
        if ($http_x_forwarded_proto = "http") {
            rewrite ^(.*)$ https://$http_host$1 permanent;
        }

        proxy_pass http://deck;
    }
}

And my hal configuration is as follows,

REDIRECT_URI=https://devspinnaker.test.co/login
hal config security authn oauth2 edit --pre-established-redirect-uri $REDIRECT_URI

hal config security ui edit \
    --override-base-url https://devspinnaker.test.co

hal config security api edit \
    --override-base-url https://devspinnaker.test.co/login

Apache2 configuration is not touched,

<VirtualHost 0.0.0.0:9000>
  <IfModule ssl_module>
    SSLEngine on
    SSLCertificateFile ""
    SSLCertificateKeyFile ""
  </IfModule>
  DocumentRoot /opt/deck/html

  <Directory "/opt/deck/html/">
     Require all granted
  </Directory>

@stewchen stewchen added the auth label Jul 17, 2018

@stewchen

Contributor

commented Jul 17, 2018

This may be related to #1630, which has a suggested fix to handle the X-Forwarded proto in the Tomcat config:

server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
    httpsServerPort: X-Forwarded-Port

An alternative setup that worked for me and best practice IMO is to set the location of Gate on the base /, and Deck on /ui/ instead. Gate has a redirect at base to Deck, created to address a SAML security issue, but useful in this setup, and it seems more intuitive for the API to be on the base url.

@nixgadget

Author

commented Jul 18, 2018

Thanks for the tip @stewchen.
Ended up doing the following. For anyone using the same setup as:

Internet ----> Nginx ----> Apache2 ----> Spinnaker Gate/Deck

SSL terminates at Nginx.

Nginx configuration,

upstream deck {
    server 127.0.0.1:9000 fail_timeout=3;
}

upstream gate {
    server 127.0.0.1:8084 fail_timeout=3;
}

server {
    listen       80;
    listen       443 default ssl;

    ssl_certificate /etc/ssl/certs/nginx-spinnaker.crt;
    ssl_certificate_key /etc/ssl/private/nginx-spinnaker.key;

    server_name  devspinnaker.test.co;

    location /login {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        # We match = "http" rather than != "https" because we don't want it
        # to redirect if you're running docker locally.  And '=', not '=='
        # because nginx.
        if ($http_x_forwarded_proto = "http") {
            rewrite ^(.*)$ https://$http_host$1 permanent;
        }

        proxy_pass http://gate/login;
    }

    location /auth/redirect {
         rewrite ^(.*)$ https://$http_host permanent;
    }

    location ~ /gate/(?<gate_path>.+) {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        proxy_pass http://gate/$gate_path$is_args$args;
    }

    location / {
        add_header ServerHostname $hostname;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_redirect off;

        # We match = "http" rather than != "https" because we don't want it
        # to redirect if you're running docker locally.  And '=', not '=='
        # because nginx.
        if ($http_x_forwarded_proto = "http") {
            rewrite ^(.*)$ https://$http_host$1 permanent;
        }

        proxy_pass http://deck;
    }
}

And then my hal configuration is as follows,

REDIRECT_URI=https://devspinnaker.test.co/login
hal config security authn oauth2 edit --pre-established-redirect-uri $REDIRECT_URI

hal config security ui edit \
    --override-base-url https://devspinnaker.test.co

hal config security api edit \
    --override-base-url https://devspinnaker.test.co/gate
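Neither Nginx config in this thread sends X-Forwarded-Proto upstream (they set only X-Forwarded-For and Host), so the Tomcat settings quoted from #1630 have nothing to read unless Nginx also adds `proxy_set_header X-Forwarded-Proto $scheme;`. The Python model below is added here and is not code from the issue, Spinnaker or Tomcat; it assumes a numeric httpsServerPort and illustrates what those four settings make Tomcat's RemoteIpValve do with a request, including the redirect Location that results.

```python
import re
from dataclasses import dataclass

# Constructed model of Tomcat's RemoteIpValve for the four settings quoted from
# #1630. Illustration only: not Tomcat's code, and X-Forwarded-Port is ignored.

@dataclass
class ValveConfig:
    protocol_header: str = "x-forwarded-proto"      # protocolHeader
    remote_ip_header: str = "x-forwarded-for"       # remoteIpHeader
    internal_proxies: str = r"127\.\d+\.\d+\.\d+"   # internalProxies (assumed narrow)
    https_server_port: int = 443                    # httpsServerPort (assumed numeric)

def resolve_request(remote_addr, headers, cfg):
    """Return (scheme, port, client_ip) as the web app will observe them."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, port, client = "http", 80, remote_addr
    # 1. Only a peer matching internalProxies may speak for the real client.
    if not re.fullmatch(cfg.internal_proxies, remote_addr):
        return scheme, port, client
    # 2. Walk X-Forwarded-For right to left; the first hop that is not an
    #    internal proxy is taken as the client address.
    hops = [a.strip() for a in h.get(cfg.remote_ip_header, "").split(",") if a.strip()]
    for hop in reversed(hops):
        if not re.fullmatch(cfg.internal_proxies, hop):
            client = hop
            break
    else:
        client = hops[0] if hops else remote_addr  # all hops trusted (e.g. internalProxies: .*)
    # 3. The protocol header decides the scheme and, for https, the port
    #    Tomcat uses when it builds absolute redirect URLs.
    if h.get(cfg.protocol_header, "").lower() == "https":
        scheme, port = "https", cfg.https_server_port
    return scheme, port, client

def redirect_location(remote_addr, headers, cfg, path="/login"):
    """Absolute Location Tomcat would emit for a redirect to `path`."""
    scheme, port, _ = resolve_request(remote_addr, headers, cfg)
    host = headers.get("Host", "localhost").split(":")[0]
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"

# Constructed requests: what Gate sees from the Nginx posted above (no proto
# header) versus an Nginx that adds `proxy_set_header X-Forwarded-Proto $scheme;`.
AS_POSTED = {"Host": "devspinnaker.test.co", "X-Forwarded-For": "198.51.100.7"}
WITH_PROTO = dict(AS_POSTED, **{"X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print(redirect_location("127.0.0.1", AS_POSTED, ValveConfig()))   # http://devspinnaker.test.co/login
    print(redirect_location("127.0.0.1", WITH_PROTO, ValveConfig()))  # https://devspinnaker.test.co/login
```

With `internalProxies: .*` every hop in X-Forwarded-For is trusted and the leftmost, client-supplied entry becomes the recorded client address, so keep that pattern limited to the proxy's own address and let Nginx be the only source of X-Forwarded-Proto.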