
It's been a few days of trying to figure out what I'm doing wrong.

DNS points to a VPS. On the VPS I have an nginx reverse proxy with SSL termination that forwards requests to a home server. On the home server I have nginx without SSL with a WordPress installation (which is a mirror of the same page on another domain; this is a mirror page, so I redirect people to the new server).

As soon as I enter the URL into the browser I see a broken site, with requests blocked because of mixed content and CORS.

I'm definitely doing something wrong and nginx is just doing what I told it to, but I don't know where I'm making the error.

server {
        # Plain-HTTP listener for mypage.dns. Its only job is to bounce every
        # request to the TLS listener; $request_uri preserves the original
        # path and query string, $host echoes the Host the client used.
        listen 80;
        listen [::]:80;
        server_name mypage.dns;

        return 301 https://$host$request_uri;
}

server {
        # TLS-terminating front end on the VPS for mypage.dns.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name     mypage.dns;

        ssl_certificate /etc/letsencrypt/live/mypage.dns/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mypage.dns/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
                # Extra response header naming the vhost that answered.
                add_header X-Served-By $host;

                # Tell the upstream WordPress which public host, scheme and
                # port the client used; wp-config.php on the home server
                # reads X-Forwarded-Host / X-Forwarded-Proto from these.
                proxy_set_header Host              $host;
                proxy_set_header X-Forwarded-Host  $host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Forwarded-Port  443;

                # X-Real-IP comes from the TCP peer and is reliable.
                # X-Forwarded-For APPENDS to whatever list the client already
                # sent, so on the upstream side only its last entry is ours.
                proxy_set_header X-Real-IP         $remote_addr;
                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

                # Blank out a client-supplied "Proxy" header so it cannot be
                # forwarded and surface as HTTP_PROXY in the FastCGI/CGI env.
                proxy_set_header Proxy "";

                # The home server speaks plain HTTP inside the private network.
                # Upstream redirects are passed through unchanged, so WordPress
                # itself has to emit https:// URLs (it does once HTTPS=on).
                proxy_pass     http://172.16.100.100;
                proxy_redirect off;
        }
}

Next, I'm using the config that worked before as a stand-alone site - and I want it to work as a mirror of the original page.

type here

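server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mypage.dns;

    keepalive_timeout 10;
    keepalive_disable msie6;
    keepalive_requests 200;

    # CORS / browser-hardening headers (snippets/csp.conf).
    # NOTE: nginx's add_header is inherited by a location ONLY if that location
    # declares no add_header of its own, so every location below that adds a
    # header must include this snippet again or it silently loses these.
    include snippets/csp.conf;

    location / {
            gzip on;
            gzip_static on;
            # Front controller: anything that is not a real file or directory
            # is handed to index.php with the original query string.
            try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
            include fastcgi_params;
            fastcgi_intercept_errors on;

            gzip on;

            # Full-page cache for PHP output. $no_cache is defined outside this
            # file (presumably a map on login cookies / admin URIs); it is the
            # only thing keeping personalised responses out of the shared cache,
            # because Set-Cookie is ignored for caching decisions below.
            fastcgi_cache MYPAGE;
            fastcgi_cache_valid 200 301 302 10h;
            fastcgi_cache_valid 404 5m;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            fastcgi_cache_lock on;
            fastcgi_cache_lock_age 5s;
            fastcgi_cache_lock_timeout 5s;
            fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
            fastcgi_cache_min_uses 1;

            # Ignoring Set-Cookie lets a response that sets a cookie be cached;
            # the stored copy may still carry that header and would then be
            # served to other clients. Keep $no_cache in sync with the cookies
            # WordPress sets on login. (Cache also explains "unchanged" output
            # while testing: disable it before judging a config change.)
            fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

            # add_header here cancels the headers inherited from the server
            # level, so re-include the snippet: without this, PHP responses got
            # no CORS / X-Frame-Options / nosniff headers at all.
            include snippets/csp.conf;
            add_header X-Cache-Status $upstream_cache_status;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            fastcgi_read_timeout 600s;
            fastcgi_pass unix:/var/www/mypage.dns/php/php-mypage.sock;
    }

    # Static assets. The dot is escaped: the original unescaped "." matched
    # any character, so e.g. "/foojs" was treated as a static file too.
    location ~* \.(webp|avif|webm|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            sendfile           on;
            sendfile_max_chunk 1m;
            tcp_nopush on;
            expires max;
            log_not_found off;
            access_log off;

            # Re-included because add_header below would otherwise drop the
            # inherited headers (see note at server level).
            include snippets/csp.conf;
            add_header Cache-Control public;
            open_file_cache                 max=10000 inactive=12h;
            open_file_cache_valid           5m;
            open_file_cache_min_uses        1;
            open_file_cache_errors          off;
    }
}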

Also the snippets/csp.conf:

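# CORS: reflect the request's Origin only when it is one of our own sites.
# Restricted to https:// origins - the public site is https-only (port 80
# redirects) and Allow-Credentials combined with an http:// origin would let
# anyone on the network path read authenticated responses. Add "http://" back
# only if one of these hosts is really served over plain HTTP.
set $cors_origin "";
set $cors_cred   "";
set $cors_header "";
set $cors_method "";

if ($http_origin ~ '^https://(mypage\.dns|cdn\.mypage\.dns|otherpage\.dns)$') {
        set $cors_origin $http_origin;
        set $cors_cred   true;
        # Echo the preflight's requested headers/method for allowed origins.
        set $cors_header $http_access_control_request_headers;
        set $cors_method $http_access_control_request_method;
}

# In practice nginx does not emit an add_header whose value is empty, so a
# non-allowlisted origin receives no CORS headers at all.
# Reminder: any location that declares its own add_header must include this
# snippet again, otherwise none of the headers below reach that response.
add_header Access-Control-Allow-Origin      $cors_origin;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header Access-Control-Allow-Headers     $cors_header;
add_header Access-Control-Allow-Methods     $cors_method;

# Clickjacking: only our own pages may frame us.
add_header X-Frame-Options "SAMEORIGIN";

# Legacy header; current browsers ignore it. Kept for old clients.
add_header X-XSS-Protection "1; mode=block";

add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";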


Also the code that I added to WordPress's wp-config.php:

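/*
 * Reverse-proxy awareness for WordPress behind the TLS-terminating nginx on
 * the VPS. The proxy sets X-Forwarded-Host / X-Forwarded-Proto; this copies
 * them into the values WordPress actually reads ($_SERVER['HTTP_HOST'] and
 * $_SERVER['HTTPS']) so is_ssl() is true and generated URLs use https://.
 *
 * The X-Forwarded-* headers are honoured ONLY when the request really came
 * from the proxy. Any client that can reach this vhost directly could
 * otherwise send its own X-Forwarded-Host and have WP_HOME / WP_SITEURL
 * (and every absolute URL on the page) point at a host it chose.
 */
// Proxy's LAN address as seen in REMOTE_ADDR of the $_SERVER dump; adjust if
// the proxy moves.
$trusted_proxies = array('172.16.100.1');
$from_proxy = isset($_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, true);

if ($from_proxy && !empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
if ($from_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// HTTP_HOST is still request-controlled input (the Host header). Hard-coding
// the public host name here instead of deriving it from the request is the
// safer choice for a site that only ever lives on one name.
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);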

Looking at it, it makes sense, and every tutorial/setup guide/how-to told me to only add the headers in the reverse proxy, add (or not) some lines in wp-config, and it should be done.

I'm checking with curl and with a browser in incognito mode.

Each time I try with curl: `curl -H 'Pragma: no-cache' https://mypage.dns` I see http in the source code not being changed to https based on PROTO/SCHEMA.

I understand that I have: CLIENT <---- ssl/443 ---> reverse proxy <---- http/80 ----> nginx WordPress, so WordPress sees http, but from what I understand it should be overwritten by $_SERVER['HTTPS'] = 'on'. Even with the if logic, and with only $_SERVER['HTTPS'] = 'on', I don't see any changes in the source code, and from my understanding this is the main issue I'm having.

I tried adding to or editing both nginx configs, wp-config with forced SSL, some "magic" or non-intuitive proxy parameters...

I tried the recommended posts from stackoverflow

I'm hoping to run the page successfully through the reverse proxy without mixed content/CSP errors.

The only thing that I noticed is that when I try to access https://mypage.dns/wp-admin/ it gets redirected to the original page URL that the mirror is made from - which is another problem (probably an SQL replacement or URL issue?).

Edit:

I printed $_SERVER; this is the result:

[USER] => www-data
[HOME] => /var/www
[HTTP_COOKIE] => sockem_cookie=d60e502ce4; _ga_5EEYGXVFRX=GS1.1.1709040937.2.1.1709043327.0.0.0; _ga=GA1.1.1067912476.1709025588; _ga_FW712V8LBG=GS1.1.1709040937.2.1.1709043327.55.0.0; _pk_id.11.90a2=5501b80dee4dc1cf.1709025588.; _pin_unauth=dWlkPU1EVmlZVEJpTmpndE1UZGpZUzAwTlRNNUxUaGpZMkl0TjJNd1ltSm1aak5tWkRNdw; _pk_ses.11.90a2=1
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_PRAGMA] => no-cache
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => pl,en-US;q=0.7,en;q=0.3
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
[HTTP_CONNECTION] => close
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_FORWARDED_FOR] => <HOME_IP>
[HTTP_X_REAL_IP] => <HOME_IP>
[HTTP_X_FORWARDED_HOST] => mypage.dns
[HTTP_HOST] => mypage.dns
[SCRIPT_FILENAME] => /var/www/mypage.dns/web/index.php
[REDIRECT_STATUS] => 200
[SERVER_NAME] => oldmypage.dns
[SERVER_PORT] => 80
[SERVER_ADDR] => 172.16.100.100
[REMOTE_USER] => 
[REMOTE_PORT] => 46954
[REMOTE_ADDR] => 172.16.100.1
[SERVER_SOFTWARE] => nginx/1.22.1
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.0
[DOCUMENT_ROOT] => /var/www/mypage.dns/web
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /?test=1
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] => 
[CONTENT_TYPE] => 
[REQUEST_METHOD] => GET
[QUERY_STRING] => test=1
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1709043327.0155
[REQUEST_TIME] => 1709043327
[HTTPS] => on
  • Verify that your WP actually can see HTTP_X_FORWARDED_HOST.
    – AlexD
    Commented Feb 27 at 11:33
  • @AlexD Yes, [HTTP_X_FORWARDED_PORT] => 443 [HTTP_X_FORWARDED_PROTO] => https [HTTP_X_FORWARDED_FOR] => <HOME_IP> [HTTP_X_REAL_IP] => <HOME_IP> [HTTP_X_FORWARDED_HOST] => mypage.dns [HTTP_HOST] => mypage.dns the only http I see is [REQUEST_SCHEME] => http
    – Va_ni_tas
    Commented Feb 27 at 13:41

1 Answer

fastcgi_cache

For anyone (maybe that one guy in a few years, or more likely me in the future): I had enabled fastcgi_cache, so the WordPress pages that are generated through PHP are cached and delivered quickly....

So testing whether something is working is best done with any caching mechanism DISABLED.

TL;DR: turn off cache before testing any changes.

