1

I have two sub-domains which I want to link in the following way: https://suba.example.org/ is my main subdomain, https://subb.example.org/ is my secondary subdomain. On suba I have a server running a web application, subb is only for redirection. This server on suba has a URL, let's call it https://suba.example.org/foo.php/bar.

All I want is that whenever I type https://subb.example.org/ into my browser, the content of https://suba.example.org/foo.php/bar is shown, but the URL needs to say https://subb.example.org/.

As of right now, it will correctly show the content of https://suba.example.org/foo.php/bar but the browser will show the URL of the content and not https://subb.example.org/. I have restarted the nginx server several times and used an incognito window to be sure that the browser won't cache any data.

What is happening is:

  • I open https://subb.example.org/ in a Chrome incognito window on my desktop: it will show the correct output from https://suba.example.org/foo.php/bar, but showing https://suba.example.org/foo.php/bar in the URL bar
  • I open https://subb.example.org/ in any other browser/machine (including a Chrome incognito window on another machine): it will show the content from https://suba.example.org/foo.php/bar with https://subb.example.org in the URL bar, but only the text, no CSS or pictures. Like an 80s website.

Right before clicking enter: https://i.stack.imgur.com/Q5mgx.png

What is happening: https://i.stack.imgur.com/CfHM1.png

What should be happening: https://i.stack.imgur.com/5OxQ4.png

Any help is appreciated.

Attached is my nginx site-config for subb:

server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

### Server Name
server_name subb.example.org;

### SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

### Diffie–Hellman key exchange
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

### Extra Settings
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

### Add HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
proxy_pass https://suba.example.org/foo.php/bar;
}
}

Here is the nginx site-config for suba:

server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

### Server Name
server_name suba.example.org;

### SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

### Diffie–Hellman key exchange
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';


### Extra Settings
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

### Add HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
proxy_pass https://192.168.178.6:444/;
}
}

And here goes the response for curl -i https://subb.example.org:

HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 07 Aug 2017 19:24:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 11185
Connection: keep-alive
X-Powered-By: PHP/7.1.5
Set-Cookie: oc367h1rrnkw=i7l0tko9m9unbifqus6lqua1v2; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=eFmSS9gKBYJ4YP0MHDFhmxnhJZnmWTDAMjN4zkTrEenumTa66yy6SeWCs12oU2k2MbDN424ySgGeyyYbciCK7Fs3gmmjtwAJU3a3r87BXZ1Uk%2FmdLEXuZoFdy4mbPH67; path=/; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src 'self'
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=63072000; includeSubdomains
Front-End-Https: on
Strict-Transport-Security: max-age=63072000; includeSubdomains
Front-End-Https: on

I pasted the output of the Live HTTP Headers plugin to Pastebin: pastebin.com/a6kfqhMn

John
  • Config looks fine. Please 1) Restart Nginx 2) Do a curl that demonstrates the problem (curl -i I think shows response headers) 3) edit your post to show the relevant parts of your curl - command line and response lines of interest such as redirect. The only way I can see this happening is if there's a redirect cached somewhere. – Tim Aug 07 '17 at 19:15
  • Done, hope that's what you meant. As stated in the text, I restarted the nginx server several times. Please see my addition about cached browser windows – John Aug 07 '17 at 19:36
  • Yep, good. There's no redirect there. I can't see any reason the URL is changing. Grab Firefox and the "live http headers" extension. Turn the extension window on, give it a minute to stop making useless logs. Using Firefox open the "subb" URL. If the URL changes edit your post to include the relevant output. Also just to prove something that seems implausible perhaps do a screenshot of Firefox with the subb URL entered before you hit enter and then again after it's changed - just to show for sure what you're saying, since something weird is happening. – Tim Aug 07 '17 at 19:44
  • It looks to me like the subb domain is serving traffic just fine. I can't see any problem here. – Tim Aug 07 '17 at 20:24
  • I added the pictures and the nginx site-config for suba, maybe you can find what's wrong there – John Aug 07 '17 at 20:27
  • That's probably not relevant, but useful to have. Sorry but nothing on this question adds up, I can't help further. Hopefully someone else can spot the problem. – Tim Aug 07 '17 at 21:14
  • Found the solution. I added three redirects to redirect the content to the real URL (`https://suba.example.org`). Maybe there is a more elegant way to do so, I don't know – John Aug 07 '17 at 22:20
  • Please post your own solution as an answer to the question in the field below, and accept it instead of including it in the question. Then it is better formatted for the site. – Tero Kilkanen Aug 08 '17 at 11:23
  • I would like to, but Server Fault won't give me the ability to do so – John Aug 08 '17 at 16:15

1 Answer

0

The solution was to redirect the requests for the CSS, graphics and so on to https://suba.example.org. Thus, my new site-config for https://subb.example.org is as follows:

server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

### Server Name
server_name subb.example.org;

### SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

### Diffie–Hellman key exchange
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';


### Extra Settings
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

### Add HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

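### Asset and app paths: proxy_pass has no URI part, so the request URI is passed to suba unchanged
location ^~ /core/ {
proxy_pass https://suba.example.org;
}

location ^~ /apps/ {
proxy_pass https://suba.example.org;
}

location ^~ /index.php/ {
proxy_pass https://suba.example.org;
}

### Everything else: the matched "/" prefix is replaced by /foo.php/bar
location / {
proxy_pass https://suba.example.org/foo.php/bar;
}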
}

Here, the part with location ^~ ... is what was missing. I know that this is not the best practice, as I had to go through the whole source code to find what's missing and what I would have to redirect. Maybe some day someone will read these lines and tell me a better way to redirect the real content of the web server. But until then, this solution will work.

John
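Why the page lost its CSS and images with the original config, and why the extra locations fix it, shown as an added example (not code from the post or from nginx): a small Python model of how nginx chooses a location and builds the upstream URI for `proxy_pass`. Assumptions: only exact (`=`) and prefix locations are modelled (with no regex locations present, `^~` behaves like a plain prefix), query strings are ignored, the request paths are constructed samples, and the `ALTERNATIVE` config is a hypothetical variant that is not on the page.

```python
from urllib.parse import urlsplit

# Constructed models of the page's configs: {location: proxy_pass target}.
SUBA = "https://suba.example.org"
QUESTION = {"/": SUBA + "/foo.php/bar"}
ANSWER = {"/core/": SUBA, "/apps/": SUBA, "/index.php/": SUBA,
          "/": SUBA + "/foo.php/bar"}
# Assumed alternative (not from the page): exact match for "/" only.
ALTERNATIVE = {"= /": SUBA + "/foo.php/bar", "/": SUBA}


def pick_location(locations, uri):
    """Exact (=) match wins, otherwise the longest matching prefix."""
    if "= " + uri in locations:
        return "= " + uri
    prefixes = [p for p in locations
                if not p.startswith("= ") and uri.startswith(p)]
    return max(prefixes, key=len) if prefixes else None


def upstream_url(locations, uri):
    """URL nginx requests upstream for a client request URI (no query string)."""
    loc = pick_location(locations, uri)
    if loc is None:
        return None
    target = urlsplit(locations[loc])
    origin = f"{target.scheme}://{target.netloc}"
    if target.path == "":
        # proxy_pass without a URI part: the request URI is passed unchanged.
        return origin + uri
    # proxy_pass with a URI part: the part of the request URI that matched
    # the location is replaced by that URI part.
    matched = loc[2:] if loc.startswith("= ") else loc
    return origin + target.path + uri[len(matched):]


if __name__ == "__main__":
    # Constructed request paths; /core/... is covered by the answer, /themes/... is not.
    for uri in ("/", "/core/css/styles.css", "/themes/logo.png"):
        for name, cfg in (("question", QUESTION), ("answer", ANSWER),
                          ("alternative", ALTERNATIVE)):
            print(f"{name:12} {uri:24} -> {upstream_url(cfg, uri)}")
```

Any path outside the three listed prefixes still falls through to `location /` in the answer's config and is rewritten under `/foo.php/bar`, which is why the prefixes had to be collected by hand.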