
nginx redirect troubles

Open drJeckyll opened this issue 2 years ago • 2 comments

This is not a problem in normal conditions, but it becomes a problem when, for example, a shared calendar is embedded in another page with an iframe.

Let's say we access bloben, which is behind a reverse proxy with an https redirect. Our URL is https://calendar.test.com, so:

curl -IL https://calendar.test.com
HTTP/2 302 
access-control-allow-credentials: true
content-type: text/html
date: Thu, 08 Sep 2022 15:06:12 GMT
location: http://calendar.test.com/calendar
server: nginx/1.18.0
service-worker-allowed: /
content-length: 145

Here we reach bloben without an SSL redirect from the reverse proxy, since we specified https. But then bloben's nginx redirects us to an http location: http://calendar.test.com/calendar. When this is an iframe in an https page, this results in mixed content and the request is rejected. Since we use curl here, we can continue.

Then:

HTTP/1.1 308 Permanent Redirect
Location: https://calendar.test.com/calendar
Date: Thu, 08 Sep 2022 15:06:12 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

Our reverse proxy kicks in and redirects us to https again.

Next:

HTTP/2 301 
access-control-allow-credentials: true
content-type: text/html
date: Thu, 08 Sep 2022 15:06:12 GMT
location: http://calendar.test.com/calendar/
server: nginx/1.18.0
service-worker-allowed: /
content-length: 169

Here nginx again drops us to http.

And again the reverse proxy kicks us to https:

HTTP/1.1 308 Permanent Redirect
Location: https://calendar.test.com/calendar/
Date: Thu, 08 Sep 2022 15:06:12 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

Finally:

HTTP/2 200 
accept-ranges: bytes
access-control-allow-credentials: true
content-type: text/html
date: Thu, 08 Sep 2022 15:06:12 GMT
etag: "6314fa5f-306"
last-modified: Sun, 04 Sep 2022 19:19:59 GMT
server: nginx/1.18.0
service-worker-allowed: /
content-length: 774

It's a similar story when we use http:

HTTP/1.1 308 Permanent Redirect
Location: https://calendar.test.com/
Date: Thu, 08 Sep 2022 15:15:27 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

The reverse proxy kicks us to https.

Next:

HTTP/2 302 
access-control-allow-credentials: true
content-type: text/html
date: Thu, 08 Sep 2022 15:15:27 GMT
location: http://calendar.test.com/calendar
server: nginx/1.18.0
service-worker-allowed: /
content-length: 145

Again we are back to http. It continues in a similar fashion to the example above.

So in the end there are too many redirects, but the bad thing is that the http redirect when we are behind a reverse https proxy makes embedding shared calendars a no-go.

Maybe a better solution is to remove the redirect and put /calendar, /taska, /adamin also behind the reverse proxy like /api?

drJeckyll • Sep 08 '22 15:09
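
The downgrade pattern in the trace above can be checked mechanically. This is an added example, not part of the original issue or of bloben's code: it parses `curl -IL` header output and reports each hop where an https URL is redirected to http, together with the `server` header of the response that issued the redirect. The sample is constructed from the hops quoted in the issue, abridged to status, location and server lines; the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: `curl -IL` header blocks abridged from the hops quoted in the issue.
SAMPLE = """\
HTTP/2 302
location: http://calendar.test.com/calendar
server: nginx/1.18.0

HTTP/1.1 308 Permanent Redirect
Location: https://calendar.test.com/calendar

HTTP/2 301
location: http://calendar.test.com/calendar/
server: nginx/1.18.0

HTTP/1.1 308 Permanent Redirect
Location: https://calendar.test.com/calendar/

HTTP/2 200
"""


def parse_hops(raw):
    """Split `curl -I` style output into one (status, headers) pair per response."""
    hops = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().split("\n")
        if not lines[0].startswith("HTTP/"):
            continue  # not a response header block
        headers = {n.strip().lower(): v.strip()
                   for n, _, v in (l.partition(":") for l in lines[1:])}
        hops.append((int(lines[0].split()[1]), headers))
    return hops


def find_downgrades(start_url, raw):
    """Return (hop, from_url, to_url, server) for every https -> http redirect."""
    current, found = start_url, []
    for i, (status, headers) in enumerate(parse_hops(raw), 1):
        loc = headers.get("location")
        if not (300 <= status < 400 and loc):
            continue
        target = urljoin(current, loc)  # Location may be relative
        if urlsplit(current).scheme == "https" and urlsplit(target).scheme == "http":
            found.append((i, current, target, headers.get("server", "unknown")))
        current = target
    return found


if __name__ == "__main__":
    for hop, src, dst, server in find_downgrades("https://calendar.test.com", SAMPLE):
        print(f"hop {hop}: {src} -> {dst} (answered by {server})")
```

On the sample, hops 1 and 3 are flagged and both carry the `server: nginx/1.18.0` header, while the 308 responses that restore https carry no `server` header.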

Hi,

I don't think the internal nginx config in the container is the issue here; it looks more like a real server nginx config issue when using subpaths like /calendar. I had the same result as you for the iframe.

For example here: https://www.digitalocean.com/community/questions/https-not-working-for-webpath-links-error-mixed-contents-nginx

nibdo • Sep 12 '22 20:09

If "real server nginx" means reverse proxy, then I don't use nginx as a reverse proxy before the bloben container. I use traefik for that purpose.

drJeckyll • Oct 30 '22 05:10