
I'm fairly new to nginx and stuck with the current configuration.

I also checked ssl - nginx does redirect, nginx as proxy for web app, nginx proxy_pass, nginx proxy rewrite and another post related to my question.

I also looked into some other posts which didn't help me right now. I didn't read all of the approximately 21500 posts around the topics nginx and proxy.

Google also failed directing me to the solution.

Current setup is:

[CMS (Plone in LAN)]<--->[Reverse-Proxy (Apache / http://oldsite.foo)]

This is the old site setup. Basically we need a redesign of the CMS. But it has grown with plenty of dependencies and self-written modules by at least two developers (who never met each other). It will be a task for merely a year to get it replaced properly. There is also some weird stuff in the Apache config, so we can't avoid using Apache at the moment.

Unfortunately we need an optical redesign as soon as we can.

So we came up with the idea to use Diazo/XSLT in Nginx to redesign the old website and show our assessors some results.

Therefore I try the following setup:

[Plone]<--->[Apache]<--->[Proxy (XSLT in Nginx / https://newsite.foo)]

Here is my xslt_for_oldsite config file (Cache-Control only off for debugging):

add_header Cache-Control no-cache;

server {
  server_name newsite.foo;
  server_tokens off;

  listen b.b.b.b:80;

  return 301 https://$server_name$request_uri;

  access_log /var/log/nginx/newsite.port80.access.log;
  error_log /var/log/nginx/newsite.port80.error.log;
}

server {
  server_name newsite.foo;
  server_tokens off;

  listen b.b.b.b:443 ssl;

  access_log /var/log/nginx/newsite.port443.access.log;
  error_log /var/log/nginx/newsite.port443.error.log;

  ssl_certificate /etc/ssl/certs/nginx.crt;
  ssl_certificate_key /etc/ssl/private/nginx.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5:!ADH:!AECDH;
  ssl_session_cache shared:SSL:5m;

  proxy_http_version 1.1;

  #proxy_set_header X-Forwarded-Host $host:$server_port;
  #proxy_set_header X-Forwarded-Server $host;
  #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#  proxy_set_header Connection "";
#  proxy_ignore_headers Expires;

#  proxy_set_header X-Real-IP $remote_addr;
#  proxy_set_header X-forwarded-host $host;

  sub_filter_types *;
  sub_filter_once off;
  sub_filter "http://oldsite.foo" "https://newsite.foo";

  location / {
    proxy_pass http://oldsite.foo/;
    proxy_redirect off;
    #proxy_redirect http://oldsite.foo/ https://newsite.foo/;
    proxy_set_header Host $host;
  }
}

If I start my browser to connect to http://oldsite.foo then it loads:

  • 1 HTML document from oldsite
  • 3 CSS files from oldsite
  • 9 JS files from oldsite
  • 10 graphic files from oldsite

But if I use my browser to get https://newsite.foo then it loads:

  • 1 HTML document from newsite
  • only 5 graphic files from oldsite (direct request from my browser)
  • everything else is missing

While the HTML document received with wget https://newsite.foo -o index.html has all links modified to https://newsite.foo (correctly replacing http://oldsite.foo with https://newsite.foo) the browser shows all links unmodified: http://oldsite.foo instead of https://newsite.foo.

I get the following server header with curl -I https://newsite.foo:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Sep 2020 10:28:15 GMT
Content-Type: text/html
Connection: keep-alive
Accept-Ranges: none
Accept-Ranges: bytes
X-Varnish: 1216306480
Age: 0
Via: 1.1 varnish
Set-Cookie: I18N_LANGUAGE="de"; Path=/
Via: 1.1 oldsite.foo
Vary: Accept-Encoding
Cache-Control: no-cache

I played around with the add_header, proxy_set_header and proxy_redirect. I tried also

location ~* .* {
  proxy_pass http://oldsite.foo$request_uri;
  proxy_redirect off;
  proxy_set_header Host $host;
}

but none of my changes changed the behaviour of nginx: it redirects the GET requests to http://oldsite.foo and shows the answers as if they came from https://newsite.foo.

I have no answer to these questions:

  • Why does my browser keep connecting to http://oldsite.foo? It should connect to https://newsite.foo.
  • Why are the links in the HTML different between the version from wget and my browser?
  • Why does more than half of the website not reach the browser over https://newsite.foo?
  • How can I fix this?

Is there anyone out there who can point me in the right direction?

Thanks in advance. At least thank you for reading my post.

Best regards.

choogeoh

1 Answer

Meanwhile I found the solution.

Apache sent the data gzipped and sub_filter couldn't handle it (see official documentation: sub_filter).

Indeed I tried to avoid this by using proxy_set_header Accept-Encoding ""; but it didn't work. The reason is that this part must be set in location context.

Hence the correct configuration for Ubuntu 20.04 LTS, Nginx 1.14.0 at the time of writing (2020-09-15) is:

...
server {
  server_name newsite.foo;
  server_tokens off;
  
  listen b.b.b.b:443 ssl;

  access_log /var/log/nginx/newsite.port443.access.log;
  error_log /var/log/nginx/newsite.port443.error.log;

  ssl_certificate /etc/ssl/certs/nginx.crt;
  ssl_certificate_key /etc/ssl/private/nginx.key;

  # Double check and modify this part BEFORE using in production:
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5:!ADH:!AECDH;
  ssl_session_cache shared:SSL:5m;

  location / {
    proxy_http_version 1.1;
    proxy_set_header Accept-Encoding "";  # MUST be written HERE in this context!
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://oldsite.foo;
    proxy_redirect off;
    sub_filter_types text/html text/css text/javascript;  # If unsure you may use '*'
    sub_filter_once off;
    sub_filter http://oldsite.foo https://newsite.foo;
  }
}
...

Thanks to adrianTNT who pointed out the crucial part for me (see the missing detail).

choogeoh
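
Added example (not part of the original post): a small Python model of why the substitution reached a client that did not request gzip but not the browser, and why clearing `Accept-Encoding` on the proxied request fixes it. The sample page and all function names are constructed for illustration, and nginx's `sub_filter` is modelled as a plain byte replace on the upstream body.

```python
import gzip
import re

OLD, NEW = b"http://oldsite.foo", b"https://newsite.foo"

# Constructed sample page, standing in for what the Apache/Plone upstream returns.
PAGE = (b'<html><head>'
        b'<link rel="stylesheet" href="http://oldsite.foo/base.css">'
        b'<script src="http://oldsite.foo/app.js"></script></head>'
        b'<body><img src="http://oldsite.foo/logo.png">'
        b'<a href="http://oldsite.foo/about">About</a></body></html>')


def upstream(accept_encoding):
    """Upstream compresses only when the request it receives allows gzip."""
    if "gzip" in accept_encoding:
        return {"Content-Encoding": "gzip"}, gzip.compress(PAGE)
    return {}, PAGE


def proxy(client_accept_encoding, clear_accept_encoding):
    """Model of the proxy hop: optionally blank Accept-Encoding, then substitute.

    The substitution runs on the bytes received from upstream, so a
    compressed body contains no literal OLD string to match.
    """
    forwarded = "" if clear_accept_encoding else client_accept_encoding
    headers, body = upstream(forwarded)
    return headers, body.replace(OLD, NEW)


def leftover_old_urls(headers, body):
    """Decode as a client would and list URLs still pointing at the old origin."""
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)
    return [u.decode() for u in re.findall(rb'http://oldsite\.foo[^"]*', body)]


def audit(client_accept_encoding, clear_accept_encoding):
    return leftover_old_urls(*proxy(client_accept_encoding, clear_accept_encoding))


if __name__ == "__main__":
    for label, ae, clear in [("no gzip requested, original config", "identity", False),
                             ("browser, original config", "gzip, deflate, br", False),
                             ("browser, fixed config", "gzip, deflate, br", True)]:
        print(f"{label}: {len(audit(ae, clear))} old-origin URLs left")
```

In nginx, `proxy_set_header` directives are inherited from the enclosing level only when the current level defines none, so a server-level `Accept-Encoding ""` is dropped as soon as `location /` sets its own `Host` header. The leftover `http://` references on the HTTPS page are mixed content, and browsers block the script and stylesheet ones, which is consistent with the missing CSS and JS files described in the question.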