nginx

nginx add header

These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

That means you should add each header in the most appropriate block.

For example, if you use the add_header directive inside a location, the add_header directives under server are ignored for that location.
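A small lint check for the inheritance rule above, as an added example (not from the original page): it reports blocks whose own add_header silently drops headers set on an outer level. The sample config and function names are constructed for illustration; the lexer is simplified and include files are not followed.

```python
import re

# Constructed sample: two security headers at server level, one location with its own add_header.
SAMPLE = r'''
server {
    add_header X-Frame-Options "deny" always;
    add_header X-Content-Type-Options "nosniff" always;
    location / { root /var/www/html/; }
    location ~* \.(js|css|png)$ {
        add_header Cache-Control "public, max-age=31536000";
    }
}
'''
# Quoted strings, structural characters, or bare words (simplified nginx lexer).
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(conf):
    """Build a tree of blocks, recording the header names each block sets with add_header."""
    root = {"name": "main", "own": [], "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r'#[^\n]*', '', conf)):  # comments stripped naively
        if tok == '{':
            node = {"name": " ".join(words), "own": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == '}':
            stack.pop()
        elif tok == ';' and len(words) >= 2 and words[0] == 'add_header':
            stack[-1]["own"].append(words[1].strip('"\'').lower())
        if tok in ('{', '}', ';'):
            words = []
        else:
            words.append(tok)
    return root

def dropped_headers(node, inherited=()):
    """Return [(block, headers lost)] where a block's own add_header cancels inheritance."""
    own = node["own"]
    lost = sorted(set(inherited) - set(own))
    findings = [(node["name"], lost)] if own and lost else []
    for child in node["children"]:
        findings += dropped_headers(child, own or inherited)
    return findings

if __name__ == "__main__":
    for block, lost in dropped_headers(parse(SAMPLE)):
        print(f"{block}: no longer sends {', '.join(lost)}")
```

A block that repeats the outer headers next to its own add_header produces no finding.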

nginx headers on proxied server

  • proxy_set_header sets a header on the request passed to the proxied server
  • add_header adds a header to the response
  • proxy_hide_header hides a header of the proxied server's response from the client

If you want to replace a header that already exists in the response, add_header alone is not enough, because the values will stack (the one from the server and the one you added).

You have to do this in two steps:

  • remove header:

    proxy_hide_header Access-Control-Allow-Origin;

  • add your custom header value:

    add_header Access-Control-Allow-Origin "*" always;

proxy_cookie_flags ~ secure samesite=None;

React JS App is in a subdirectory and the root path is being used by another site.

  • Add this to your root app:
<BrowserRouter basename="/webapp">
  • Update nginx location
location ^~ /webapp {
   alias /var/www/myapp/build;
   try_files $uri $uri/ /webapp/index.html;
}

nginx proxy_pass URL

Nginx proxies requests to Jira/Bitbucket with proxy_pass. Depending on the product, this can have unexpected effects.

nginx

  • If proxy_pass is specified with URI, when passing a request to the server, part of a normalized request URI matching the location is replaced by a URI specified in the directive
  • If proxy_pass is specified without URI, a request URI is passed to the server in the same form as sent by a client when processing

BitBucket

  • Search for special symbols fails with 400 Bad Request

    The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

  • Working nginx configuration

    proxy_pass http://127.0.0.1:{{ bitbucket_port }};
    
    No forward slash

Jira

  • REST API call fails with 404

    POST https://jira-dev.company.com//admin/uploadplugin_action

    Note double slash

  • Working nginx configuration

    proxy_pass http://127.0.0.1:{{ jira_port }}/;
    
    Forward slash

nginx dynamic modules

Dynamic modules must be compiled against the same version of NGINX they are loaded into. You will need to use exactly the same ./configure arguments as your Nginx configuration and append --with-compat --add-dynamic-module=/path/to/ngx_brotli to the end, otherwise you will get a “module is not binary compatible” error on startup. You can run nginx -V to get the configuration arguments for your Nginx installation.

nginx cross-origin resource sharing (CORS) support to reverse proxied APIs

https://gist.github.com/Stanback/7145487

nginx HTTP secure headers

server {  
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;  
    add_header X-Frame-Options "deny" always;  
    add_header X-XSS-Protection "1; mode=block" always;  
    add_header X-Content-Type-Options "nosniff" always;  
    add_header Content-Security-Policy "default-src 'self'" always;  
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;  
}

nginx cache

location / {
    root /var/www/html/;
    location ~* \.(tpl|php.?)$ {
        fastcgi_hide_header "Cache-Control";
        fastcgi_hide_header "Expires";
        fastcgi_ignore_headers "Cache-Control" "Expires";
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|webp|webm|avif|woff|woff2|ttf)$ {
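        # An add_header here means add_header directives from outer levels are not inherited.
        # max-age takes seconds: 31536000 = 1 year.
        add_header Cache-Control "public, max-age=31536000";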
    }
}

Nginx ssl reverse proxy with SNI to HTTPS backend

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain;
    ssl_certificate           /etc/ssl/localcerts/yourdomain.crt;
    ssl_certificate_key       /etc/ssl/localcerts/yourdomain.key;
    ssl_ecdh_curve prime256v1;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA';
    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          https://1.2.3.4;
      proxy_read_timeout  60;
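      # Send SNI to the backend, using the client's Host as the server name.
      proxy_ssl_name $host;
      proxy_ssl_server_name on;
      # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if the backend cannot do TLSv1.2.
      proxy_ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
      proxy_ssl_session_reuse off;
      # proxy_ssl_verify is off by default, so the backend certificate is not verified.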
    }
}