1

I want to build an HTTP-to-HTTPS reverse proxy based on nginx for a Graylog instance; let's say its URL is graylog.domain.local. Graylog does NOT serve SSL-encrypted connections, just standard HTTP over port 9000. The tricky thing about this is that Graylog makes calls to itself at the URL http://graylog.domain.local:9000/api/.

So what I want to achieve is this:

This is my config. Opening the webpage looks good. The website is now SSL secured and loads correctly. Unfortunately, Graylog greets me with an error that it can't reach http://10.32.0.109:9000/api/.

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name graylog.domain.local;

        location / {
                proxy_pass http://localhost:9000/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        ssl_certificate /etc/ssl/graylog.domain.local.crt;
        ssl_certificate_key /etc/ssl/graylog.domain.local.pem;
}

server {
        listen 80;
        listen [::]:80;
        server_name graylog.domain.local;

        location /api {
        }

        location / {
                return 301 https://$host$request_uri;
        }
}

How can I exclude the location /api from being redirected to https?

farosch

2 Answers

1

Your config is basically correct except one thing - you forgot the proxy_pass to your localhost to port tcp/9000 inside the location /api {}.

You should probably also add a rewrite ^/api/(.*)$ /$1 break line.

drookie
0

I just found out the solution to my problem buried somewhere in the Graylog documentation. I've copied the nginx configuration completely and just added the redirect for 80->443. It now looks like this and works as expected:

server {
    listen      443 ssl;
    server_name graylog.domain.local;
    ssl_certificate /etc/ssl/graylog.domain.local.crt;
    ssl_certificate_key /etc/ssl/graylog.domain.local.pem;

    location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/api;
      proxy_pass       http://127.0.0.1:9000;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name graylog.domain.local;

    location / {
        return 301 https://$host$request_uri;
    }
}
farosch
  • 1
    Yes, as the /api calls go direct to port 9000 so don’t go near nginx at all and thus it doesn’t need any config to deal with them. – Gwyn Evans Dec 20 '18 at 06:27
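
As an added example (not part of the original posts and not Graylog's own code), a small Python check for the difference between the two TLS server blocks on this page: it flags a TLS server block that proxies to port 9000 without an https X-Graylog-Server-URL header. The function names and the trimmed sample configs are constructed for illustration.

```python
import re

# Constructed samples: the TLS server blocks from the question and from the
# working config on this page, cut down to the directives the check reads.
QUESTION_CONF = """
server {
    listen 443 ssl default_server;
    location / {
        proxy_pass http://localhost:9000/;
    }
}
"""
FIXED_CONF = """
server {
    listen 443 ssl;
    location / {
        proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        proxy_pass http://127.0.0.1:9000;
    }
}
server {
    listen 80;
    location / { return 301 https://$host$request_uri; }
}
"""

def server_blocks(conf):
    """Yield each `server { ... }` body (braces in comments/strings not handled)."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return a finding per TLS block proxying to :9000 without an https API URL header."""
    findings = []
    for body in server_blocks(conf):
        tls = re.search(r"listen\s+[^;]*\bssl\b", body)
        to_graylog = re.search(r"proxy_pass\s+http://[^;]*:9000", body)
        if not (tls and to_graylog):
            continue  # e.g. the port 80 block that only redirects
        hdr = re.search(r"proxy_set_header\s+X-Graylog-Server-URL\s+(\S+?);", body)
        if hdr is None:
            findings.append("missing X-Graylog-Server-URL")
        elif not hdr.group(1).startswith("https://"):
            findings.append("X-Graylog-Server-URL is not https")
    return findings
```

Running `audit` over a deployed config before reloading nginx catches the case from the question, where the page loads over TLS but the API URL handed to the browser is still plain HTTP.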