I have a Django app that serves some user content in iframes. To avoid session hijacking I want to serve this up from a different subdomain.
I currently have the site hosted at subdomain.example.com with the particular iframe content at subdomain.example.com/foo/bar/ID. I'm now trying to set up nginx to make that specific content accessible through foo.example.com/bar/ID instead.
My nginx setup:

    server {
        listen 80;
        server_name subdomain.example.com;
        location / {
            include proxy_params;
            #Served with gunicorn:
            proxy_pass http://unix:/home/example/example.sock;
        }
    }
    server {
        listen 80;
        server_name foo.example.com;
        location / {
            include proxy_params;
            #This is key:
            rewrite ^/(.*?) /foo$request_uri last;
            #Served with gunicorn:
            proxy_pass http://unix:/home/example/example.sock;
        }
    }

This gives me the following error in the nginx error.log:

    2016/01/24 14:10:41 [error] 24286#0: *17 rewrite or internal redirection cycle while processing "/foo/bar/66", client: xx.xx.xx.xx, server: foo.example.com, request: "GET /bar/66 HTTP/1.1", host: "foo.example.com"

Which makes sense; the redirect is being redirected again and again because it matches the rewrite regex.
I tried adding

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

to no avail.
Without the redirect it does host correctly, but I'd like to avoid having the URL be foo.example.com/foo/bar/ID.
Is there a different way to approach this that would be better? Or a way to stop the redirects?
PS: Bonus question? Next up would be blocking subdomain.example.com/foo/bar and thus forcing access through foo.example.com/bar
EDIT: I solved the question by dropping the rewrite and taking care of the subdomains in Django using django-subdomains (https://django-subdomains.readthedocs.org)
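
One way to stop the rewrite cycle described above and to cover the bonus question, as an added example that is not part of the original post. It reuses the hostnames and socket path from the post; the `location /foo/bar/` block and the choice of a 404 response are assumptions.

```nginx
# Added example (not from the original post). Hostnames and socket path are
# the ones shown in the post; everything else is an assumption.

# Main site: refuse the iframe content here so that it is reachable only
# through foo.example.com.
server {
    listen 80;
    server_name subdomain.example.com;

    # The longest matching prefix wins over "location /", so requests for
    # /foo/bar/ID end here and never reach gunicorn on this hostname.
    location /foo/bar/ {
        return 404;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/example/example.sock;
    }
}

# Content host: map /bar/ID to the app's /foo/bar/ID.
server {
    listen 80;
    server_name foo.example.com;

    location / {
        include proxy_params;
        # "break" applies the rewrite once and stays in this location.
        # "last" restarts the location search; the rewritten URI matches
        # "location /" again and is rewritten again, which is the cycle
        # reported in error.log.
        # The captured path is used instead of $request_uri so the query
        # string is not appended a second time by rewrite.
        rewrite ^/(.*)$ /foo/$1 break;
        # No URI part after the socket, so the rewritten URI is what is sent.
        proxy_pass http://unix:/home/example/example.sock;
    }
}
```

The hostname split only protects the session if the session cookie stays host-only: with Django's `SESSION_COOKIE_DOMAIN` left unset, the cookie set on subdomain.example.com is not sent to foo.example.com, whereas setting it to `.example.com` would share it with the content host.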