New to nginx. Played with it for 2 days and cannot figure out how to solve this:

I have a bunch of VMs running in one box, the box is behind my router obviously, one of the VMs is running nginx (my reverse proxy) and is set as DMZ.

I have got SSL certificate installed on that VM properly, now I want all incoming traffic to be directed according to their path, e.g.:

domain.com/service1 -> 192.168.1.101

domain.com/service2 -> 192.168.1.102

And so on. Idea is to let nginx work as the SSL layer and nginx talks to other VMs via HTTP or whatever protocols unencrypted. Then of course when nginx talks back to the client, the messages shall be encrypted.

I have got that partially working. If I access via HTTP everything is fine except not encrypted, but if I access via HTTPS the web pages are broken and I got this kind of error: Mixed Content: The page at 'https://domain.com/service1' was loaded over HTTPS, but requested an insecure stylesheet 'http://domain.com/service1/blahblah.css'. This request has been blocked; the content must be served over HTTPS.

I also got this kind of warning: The page at 'https://domain.com/service1/' was loaded over HTTPS, but is submitting data to an insecure location at 'http://domain.com/service1/': this content should also be submitted over HTTPS.

Now, for some of the services I can hack the service itself so it can get fixed...but I do not want to do that, because then I have to hack every service which is time consuming and can potentially break something. I want to touch the services as little as possible.

My current configuration works with the hack but does not work without hack. It covers the whole service1:

location /service1/ {
    proxy_pass              http://192.168.1.101/;
    proxy_read_timeout      3500;
    proxy_connect_timeout   3250;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        Host $host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        SSL_PROTOCOL $ssl_protocol;
}

I looked around the internet for a general solution but only found one hack that worked for one service. Other nginx examples/howtos did not help much (still getting the errors and warnings).

Many thanks in advance!

This has nothing to do with nginx, using a reverse proxy or anything directly web-server related. The problem is the contents of served html. There is, for example <form action="http://domain.com/service1/" in the html page source served over https. – AD7six Jan 13, 2015 at 15:30

If you are still looking for a solution please see the answer by Henry Chan in this thread serverfault.com/a/1070930/979086 – MarkAddison Aug 7, 2022 at 11:29

You have to go through the sites' code, and replace all occurrences of http://domain.com/resource with either /resource or //domain.com/resource.

This ensures that all the dependent web page resources are loaded with the same protocol as the website itself is loaded.

Does it mean nginx cannot rewrite outgoing packets? I hate tinkering every site behind it... – anetworknoobie Jan 14, 2015 at 3:06

There could be a 3rd party module that might be able to do something like that. The problem is that it is much more complex and CPU intensive to rewrite links in a bytestream coming out from a backend than rewriting HTTP requests coming from a client. It is best to fix the sites. – Tero Kilkanen Jan 14, 2015 at 3:10
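The replacement described in the answer above can be done mechanically. The following is an added example, not code from the original posts: it rewrites hard-coded http:// URLs on the site's own host to root-relative form and only reports URLs on other hosts or ports. The function name and the sample HTML (including cdn.example.net) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Attributes whose URL the browser fetches or submits to.
ATTR_RE = re.compile(
    r'(?P<head>\b(?:src|href|action)\s*=\s*)(?P<q>["\'])(?P<url>.*?)(?P=q)',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample modelled on the URLs quoted in the question.
SAMPLE_HTML = """<link rel="stylesheet" href="http://domain.com/service1/blahblah.css">
<form action="http://domain.com/service1/" method="post">
<script src='http://cdn.example.net/lib.js'></script>
<a href="/service1/about">About</a>"""


def fix_mixed_content(html, own_hosts):
    """Rewrite http:// URLs on own_hosts to root-relative form. Returns
    (new_html, findings): (old, new) pairs, new=None if only reported."""
    own = {h.lower() for h in own_hosts}
    findings = []

    def repl(m):
        url = m.group("url")
        try:
            parts = urlsplit(url.strip())
            port = parts.port
        except ValueError:          # malformed URL: leave untouched
            return m.group(0)
        if parts.scheme.lower() != "http":
            return m.group(0)       # relative, //host/... or https: already fine
        if (parts.hostname or "").lower() not in own or port not in (None, 80):
            findings.append((url, None))    # other host or port: report only
            return m.group(0)
        new = parts.path or "/"
        if parts.query:
            new += "?" + parts.query
        if parts.fragment:
            new += "#" + parts.fragment
        findings.append((url, new))
        return m.group("head") + m.group("q") + new + m.group("q")

    return ATTR_RE.sub(repl, html), findings


if __name__ == "__main__":
    for item in fix_mixed_content(SAMPLE_HTML, ["domain.com"]):
        print(item)
```

URLs assembled at runtime by the application or by JavaScript are not visible to a static rewrite like this and still have to be fixed in the service itself.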

This worked for nginx https proxy >> nginx http serving Django backend

Inside a location directive:

proxy_set_header X-Forwarded-Proto $scheme;

For more details it's worth reading this excellent article: https://www.metaltoad.com/blog/running-drupal-secure-pages-behind-proxy

You have cracked the code. Thank you for putting an end to many days of struggling! 💰 My wordpress setup was failing to load completely due to mixed content. This fixes that. – Flat Cat May 20 at 16:43

For this header, it depends on whether the upstream server supports handling X-Forwarded-Proto or not. In the case of Apache adding SetEnvIf X-Forwarded-Proto "^https$" HTTPS is necessary. – Mohamed Allal Jul 18 at 15:10

@djdomi The upgrade-insecure-requests declares that browsers should transparently upgrade HTTP resources on a website to HTTPS. – Annahri Nov 13, 2021 at 22:22

If one is using Nginx as reverse-proxy, this should be put inside the server block (not inside the location block where proxy_pass is put). By using this header, one would skip editing the app source code. – Annahri Nov 13, 2021 at 22:24
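Why the X-Forwarded-Proto header only helps when the backend honours it, shown as an added example that is not part of the original posts: a WSGI middleware that takes the scheme from the header, and only when the connection comes from the reverse proxy, since any client can send this header. The proxy address 192.168.1.100, the class name and the demo backend are assumptions made for illustration.

```python
import ipaddress


class TrustedProxyScheme:
    """WSGI middleware: use X-Forwarded-Proto as the request scheme, but
    only when the TCP peer is one of the trusted reverse proxies."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def _from_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if self._from_proxy(environ) and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed backend that builds an absolute stylesheet URL from
    the scheme it believes the request used."""
    base = "%s://%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    body = '<link rel="stylesheet" href="%s/service1/blahblah.css">' % base
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def render(app, remote_addr, forwarded_proto=None):
    """Call a WSGI app with a constructed environ for the plain-HTTP hop
    between proxy and backend; return the response body as text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_HOST": "domain.com", "REMOTE_ADDR": remote_addr,
               "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    wrapped = TrustedProxyScheme(demo_app, ["192.168.1.100/32"])
    print(render(demo_app, "192.168.1.100", "https"))  # header ignored
    print(render(wrapped, "192.168.1.100", "https"))   # header honoured
    print(render(wrapped, "203.0.113.7", "https"))     # untrusted peer
```

Without the middleware the backend sees only the plain-HTTP hop and emits http:// URLs, which is the mixed-content symptom from the question.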

But bootstrap will show you an error on it, so change the below code in /var/www/includes/bootstrap.inc

if (isset($base_url)) { 
//change to 
if (isset($base_url) && $base_url!='') {

I might be late by half a decade, but I faced the issue recently and for me the solution was setting in HTML page:

<base href="/" />
Sometimes the nginx configuration or any server configuration setup is not the issue. Especially if you work with single page applications like AngularJS. In my case adding the above code into index.html solved this issue. – Sree Menon Jul 27, 2020 at 3:31