It's been few day as I try to figure out what I'm doing wrong.
DNS points to VPS on VPS I have nginx reverse proxy with ssl termination that forward request to home server on home server I have nginx without ssl with Wordpress installation (which is mirror from same page on other domain, this is a mirror page so I redirect people to new server)
As soon as I enter URL into browser I see broken site with blocked request because of mixed content and CORS.
I'm definitely doing something wrong and nginx just doing the thing I told him, but I don't know where I'm making the error.
server {
listen 80;
listen [::]:80;
server_name mypage.dns;
# rewrite ^(.*) https://$host$1 permanent;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mypage.dns;
location / {
add_header X-Served-By $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# proxy_set_header X-Forwarded-Ssl https;
# proxy_set_header X-Url-Scheme https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Proxy "";
proxy_pass http://172.16.100.100;
proxy_redirect off;
# proxy_redirect http://172.16.100.100/ https://$host/;
# proxy_pass_request_headers on;
}
ssl_certificate /etc/letsencrypt/live/mypage.dns/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mypage.dns/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Next I'm using config that worked before as stand alone www - and I want it to work as mirror of the original page.
type here
server { listen 80 default_server; listen [::]:80 default_server; server_name mypage.dns; keepalive_timeout 10; keepalive_disable msie6; keepalive_requests 200;
include snippets/csp.conf;
location / {
#add_header X-Forwarded-Proto https;
gzip on;
gzip_static on;
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
#add_header X-Forwarded-Proto https;
include fastcgi_params;
fastcgi_intercept_errors on;
gzip on;
fastcgi_cache MYPAGE;
fastcgi_cache_valid 200 301 302 10h;
fastcgi_cache_valid 404 5m;
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
fastcgi_cache_lock on;
fastcgi_cache_lock_age 5s;
fastcgi_cache_lock_timeout 5s;
fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
fastcgi_cache_min_uses 1;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
add_header X-Cache-Status $upstream_cache_status;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 600s;
fastcgi_pass unix:/var/www/mypage.dns/php/php-mypage.sock;
}
location ~* .(webp|avif|webm|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
sendfile on;
sendfile_max_chunk 1m;
tcp_nopush on;
expires max;
log_not_found off;
access_log off;
include snippets/csp.conf;
add_header Cache-Control public;
open_file_cache max=10000 inactive=12h;
open_file_cache_valid 5m;
open_file_cache_min_uses 1;
open_file_cache_errors off;
}
}
also the snippets/csp.conf
set $cors_origin "";
set $cors_cred "";
set $cors_header "";
set $cors_method "";
if ($http_origin ~ '^https?://(mypage\.dns|cdn\.mypage\.dns|otherpage\.dns)$') {
set $cors_origin $http_origin;
set $cors_cred true;
set $cors_header $http_access_control_request_headers;
set $cors_method $http_access_control_request_method;
}
add_header Access-Control-Allow-Origin $cors_origin;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header Access-Control-Allow-Headers $cors_header;
add_header Access-Control-Allow-Methods $cors_method;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";
Also code that I added in wp-config.php from wordpress.
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['HTTPS'] = 'on';
}
}
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] );
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] );
Looking at it make sense and every tutorial/setup guide/know how, told me to only add headers into reverse proxy, add or not some lines in wp-config and it should be done.
I'm checking with curl / browser with incognito
each time i try with curl: curl -H 'Pragma: no-cache' https://mypage.dns I see http in source code not being change to https based on PROTO/SCHEMA.
I understand that I'm:
CLIENT <---- ssl/443 ---> reverse proxy <---- http/80 ----> nginx wordpress
so wordpress see the http, but from what I understand it should be overwriten by $_SERVER['HTTPS'] = 'on'
Even with the if logic and with only: $_SERVER['HTTPS'] = 'on' I dont see any changes in source code, and from my understand this is the main issue I'm having.
I tried adding or editing both nginx confs, wp-config with forced ssl, some "magic" or non intuitive proxy parameters...
I tried the recommended posts from stackoverflow
I'm hoping to run the page successfully without mixed content/csp errors thru reverse proxy.
The only thing that I noticed is that when I try to access https://mypage.dns/wp-admin/ it get redirected to original page url that the mirror is made of - which is other problem (probably sql replacement or url?).
Edit:
I printed $_SERVER this is the result:
[USER] => www-data
[HOME] => /var/www
[HTTP_COOKIE] => sockem_cookie=d60e502ce4; _ga_5EEYGXVFRX=GS1.1.1709040937.2.1.1709043327.0.0.0; _ga=GA1.1.1067912476.1709025588; _ga_FW712V8LBG=GS1.1.1709040937.2.1.1709043327.55.0.0; _pk_id.11.90a2=5501b80dee4dc1cf.1709025588.; _pin_unauth=dWlkPU1EVmlZVEJpTmpndE1UZGpZUzAwTlRNNUxUaGpZMkl0TjJNd1ltSm1aak5tWkRNdw; _pk_ses.11.90a2=1
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_PRAGMA] => no-cache
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => pl,en-US;q=0.7,en;q=0.3
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
[HTTP_CONNECTION] => close
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_FORWARDED_FOR] => <HOME_IP>
[HTTP_X_REAL_IP] => <HOME_IP>
[HTTP_X_FORWARDED_HOST] => mypage.dns
[HTTP_HOST] => mypage.dns
[SCRIPT_FILENAME] => /var/www/mypage.dns/web/index.php
[REDIRECT_STATUS] => 200
[SERVER_NAME] => oldmypage.dns
[SERVER_PORT] => 80
[SERVER_ADDR] => 172.16.100.100
[REMOTE_USER] =>
[REMOTE_PORT] => 46954
[REMOTE_ADDR] => 172.16.100.1
[SERVER_SOFTWARE] => nginx/1.22.1
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.0
[DOCUMENT_ROOT] => /var/www/mypage.dns/web
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /?test=1
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] =>
[CONTENT_TYPE] =>
[REQUEST_METHOD] => GET
[QUERY_STRING] => test=1
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1709043327.0155
[REQUEST_TIME] => 1709043327
[HTTPS] => on
HTTP_X_FORWARDED_HOST.[HTTP_X_FORWARDED_PORT] => 443[HTTP_X_FORWARDED_PROTO] => https[HTTP_X_FORWARDED_FOR] => <HOME_IP>[HTTP_X_REAL_IP] => <HOME_IP>[HTTP_X_FORWARDED_HOST] => mypage.dns[HTTP_HOST] => mypage.dnsthe only http I see is[REQUEST_SCHEME] => http