1

I have an nginx.conf with four different hosts and an http to https redirect. All the hosts are similarly configured, therefore I'm only including the parts that are different for hosts 2, 3 and 4.

```nginx
events {}
http {

  proxy_send_timeout 120;
  proxy_read_timeout 300;
  proxy_buffering    off;
  keepalive_timeout  5 5;
  tcp_nodelay        on;

  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
  }

  server {
    listen       443 ssl;
    server_name  confluence6.company.com;

    # allow large uploads of files
    client_max_body_size 1G;

    # optimize downloading files larger than 1G
    #proxy_max_temp_file_size 2G;

    ssl_certificate      /etc/letsencrypt/live/confluence6.company.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/confluence6.company.com/privkey.pem;

    # from Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
      resolver 127.0.0.11;
      set $confluence_old "confluence6:8090/";
      proxy_pass http://$confluence_old;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto "https";
    }
  }

  server {
    listen       443 ssl;
    server_name  confluence7.company.com;
    ...
    location / {
      resolver 127.0.0.11;
      set $confluence "confluence7:8090/";
      proxy_pass http://$confluence;
      ...
    }
  }

  server {
    listen       443 ssl;
    server_name  jira7.company.com;
    ...
    location / {
      resolver 127.0.0.11;
      set $jira_old "jira7:8080/";
      proxy_pass http://$jira_old;
      ...
    }
  }

  server {
    listen       443 ssl;
    server_name  jira8.company.com;
    ...
    location / {
      resolver 127.0.0.11;
      set $jira "jira8:8080/";
      proxy_pass http://$jira;
      ...
    }
  }

}
```

In the location part I'm using the combo with the resolver and the proxy_pass as variable so that the nginx starts when not all hosts are up (solution from here). Unfortunately I'm getting the ERR_TOO_MANY_REDIRECTS with any host now.

Setting the proxy_pass directly removes the redirect loop:

```nginx
    location / {
      resolver 127.0.0.11;
      proxy_pass http://jira8:8080/;
      ...
    }
```

But then I can't start nginx if all hosts are not up. Currently I have a workaround always commenting out all the hosts that do not work.

All of the hosts are docker containers, which are configured to deliver https like this:

```yaml
  jira8:
    container_name: jira8
    environment:
      ATL_PROXY_NAME: jira8.company.com
      ATL_PROXY_PORT: "443"
      ATL_TOMCAT_SCHEME: https
      ATL_TOMCAT_SECURE: "true"
      JVM_MAXIMUM_MEMORY: 3072m
    expose:
      - "8080"
    image: atlassian/jira-software:8.11
    networks:
      atlassian-network:
        aliases:
          - jira8
    ports:
      - "8081:8080"
    restart: always
    volumes:
      - /root/jira-home:/var/atlassian/application-data/jira
      - /root/mysql-connector-java-5.1.45-bin.jar:/opt/atlassian/jira/lib/mysql-connector-java-5.1.45-bin.jar
```

What does my nginx.conf have to look like in order to not have a redirect loop and still be able to start nginx even if not all hosts are up?

mles
  • I'm guessing your Confluence service is set to redirect from HTTP to HTTPS. Try accessing the HTTP site on `confluence6:8090`, e.g. `http://confluence6.company.com:8090`. If my guess is correct, you should be redirected to `confluence6`'s HTTPS site, and you should change your `proxy_pass http...` to `proxy_pass https...` here. – mforsetti Aug 05 '20 at 16:17
  • `confluence6:8090` is only accessible on the internal docker network on the server. If I set the `proxy_pass` to `https` I get a `502 Bad Gateway` error. Even if my Atlassian / Confluence Services also do redirect to `https`, this shouldn't create a loop. – mles Aug 07 '20 at 09:48
  • If your Atlassian services do redirect to HTTPS, it **will** create a loop, as it is sending an HTTP-to-HTTPS redirection response and only receives HTTP requests from **nginx**. When you set `proxy_pass` to `https` and receive `502 Bad Gateway`, can you show your nginx error log entry? – mforsetti Aug 07 '20 at 09:52
  • Experienced the same behaviour with nginx as reverse proxy for a Spring Boot app inside an Embedded Tomcat server, and I've come across [another mention relating to Nextcloud](https://help.nextcloud.com/t/proxy-pass-variable-causes-redirect-loop/63703). Always, it seems, "the `proxy_pass` as variable so that the nginx starts when not all hosts are up" interferes. My working solution is to [define static IP-addresses for the docker container(s)](https://docs.docker.com/compose/compose-file/compose-file-v3/#ipv4_address-ipv6_address) and use these IP-addresses in the `proxy_pass` stanza. – iiegn Nov 18 '21 at 07:49

1 Answer

0

The only redirect I see is the 301 from HTTP to HTTPS. Don't use 301 in the testing phase! Better to use a temporary 303. Can you configure your Confluence at all places to deliver HTTPS instead of HTTP? Then you shouldn't get endless redirection. Otherwise, you can also intercept and rewrite the redirects coming from your back end - sent to (and executed by) the client. https://serverfault.com/a/986034/304842

uav
  • Confluence is configured to only deliver HTTPS. – mles Aug 04 '20 at 20:03
  • I don't think so or Confluence is somewhat buggy. Can you please deactivate the 301 forwarding and open the page in your browser with HTTPS. Then please check with [F12] -> Network if any resources are opened with HTTP. – uav Aug 04 '20 at 22:21
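
Added example, not part of the original thread or any poster's configuration: nginx documents that when `proxy_pass` contains variables and a URI part is given, that URI is sent to the backend as-is in place of the original request URI, so `set $jira "jira8:8080/"` turns every client request into a request for `/`. The fragment below is the question's `jira8` location with the trailing slash removed from the variable, which keeps request-time name resolution while forwarding the client's URI. It assumes the backend answers `/` with a redirect to another path, which is what would make the original form loop.

```nginx
# Goes inside the "server { ... server_name jira8.company.com; ... }" block.
# Names (jira8, port 8080, resolver address) are taken from the question.

# Form used in the question, kept here as comments for comparison:
#
#   set $jira "jira8:8080/";      # variable carries a URI part: "/"
#   proxy_pass http://$jira;      # backend always receives "GET /"
#
# Request for /some/page -> backend sees "/" -> backend redirects
# (assumption: to its start page) -> client follows the redirect ->
# backend sees "/" again -> ERR_TOO_MANY_REDIRECTS.

location / {
  # Docker's embedded DNS. Because proxy_pass uses a variable, the name is
  # resolved per request instead of at startup, so nginx starts even when
  # the jira8 container is not running (requests then fail with 502).
  resolver 127.0.0.11;

  # No URI part after the port: with nothing to substitute, nginx forwards
  # the original request URI, query string included.
  set $jira "jira8:8080";
  proxy_pass http://$jira;

  # Same forwarding headers as the confluence6 block in the question, so
  # the backend knows the client-facing host and scheme.
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto "https";
}
```

The same change applies to the other three `location /` blocks. After a reload, the backend's access log should show the path the client asked for rather than `/` on every line.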