I have set up a reverse proxy with nginx to serve my frontend over port 80, which then gets redirected to 443 SSL/HTTPS, and my API backend (node-express on port 5000) over /api. So far the basics work, except that I can't authenticate myself through JSON web token. I always get an "unauthorized".
Tried it via Postman and the access_token is 100% right.
I'm sorry if this question has been asked before (have googled for a few days already), but this whole topic is very new to me and I'd rather not do something half-baked when there's security involved.
My nginx config looks like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # Redirect every plain-HTTP request to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name example.com;
    root /var/www/example.com/html;

    # Frontend: static files behind HTTP basic auth, with SPA fallback to index.html
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/example.com/.htpasswd;
        try_files $uri $uri/ /index.html;
    }

    # Backend: forward /api to the node-express app listening on port 5000
    location /api {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5000;
    }

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;
}
So my questions are:
1.) What do I change here so my JWT token gets successfully transferred through to the API backend?
2.) Do I need to explicitly enable HTTPS on my backend server too?
Thank you!!
Best Answer
Found the problem - json web token had an underscore included in the variable name - and nginx removes the whole variable.
Fix:
underscores_in_headers on;
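As an added illustration (not part of the answer above), here is where that directive fits in the question's own HTTPS server block, and the alternative that avoids the setting altogether. It assumes the client sends the token in a request header literally named access_token, as the question describes; the X-Access-Token name is a hypothetical rename. nginx drops such headers silently (nothing is logged), which is why the backend only ever sees a request with no token and answers "unauthorized".

```nginx
# HTTPS server block from the question, with the fix applied.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name example.com;
    root /var/www/example.com/html;

    # By default nginx treats header names containing "_" as invalid and
    # discards them before proxying. This directive is only valid in the
    # http or server context, not inside a location block.
    underscores_in_headers on;

    location /api {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The access_token header now reaches the Node app unchanged.
        proxy_pass http://127.0.0.1:5000;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include snippets/ssl-params.conf;
}

# Alternative that needs no nginx change: send the token in a header whose
# name uses hyphens instead of underscores, for example a hypothetical
# "X-Access-Token", or the standard "Authorization: Bearer <token>" header.
# Both pass through nginx with the default underscores_in_headers off.
```

The second approach is the more robust one: the default header-dropping behaviour exists precisely because underscores are ambiguous once headers are mapped to CGI-style environment variables, and every other proxy or WAF in the path will apply its own rules, whereas a hyphenated or standard Authorization header is forwarded everywhere. After either change, reload nginx (nginx -t, then nginx -s reload) and confirm with a request through the proxy, not only directly against port 5000, that the backend now sees the header.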