Nginx – Https url appended with port 80 using CloudFlare, Nginx, and Thin

cloudflareforwardingnginxPROXYssl

I have a Nginx setup for my Thin server running a Ruby on Rails project. Nginx is currently the endpoint for my SSL.

I recently had some issues with attacks on my webserver, so I decided to add CloudFlare. It currently uses "Strict SSL" from cloudflare (ssl in client-CF link and CF-webserver link). This works now when browsing my website, but when I am using Oauth to facebook, G+ etc. The redirect link shows up as: https://example.com:80/destination/url(note the :80). This does not happen when I do not use CloudFlare.

What can I do to fix this? Is it an issue in CloudFlare, or Nginx? I found this post, but I was not able to reverse engineer it to nginx.

My current nginx-setup:

server {
      listen      80 default;
      server_name .example.com;
      ## redirect http to https ##
      return 301 https://example.com$request_uri;
}
server {
  listen      443 ssl;
  server_name .example.com;

  client_max_body_size 20M;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;


  ssl_certificate     /home/my_user/.ssl/example.crt;
  ssl_certificate_key /home/my_user/.ssl/example.key;

  access_log /var/www/example_server/log/access.log;
  error_log  /var/www/example_server/log/error.log;
  root     /var/www/example_server;
  index    index.html;

  if ($host != 'example.com' ) {
    return 301 https://example.com$request_uri;
  }

  location / {
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  Host $http_host;
    proxy_set_header  X_FORWARDED_PROTO $scheme;
    proxy_redirect  off;
    try_files /system/maintenance.html $uri $uri/index.html $uri.html @ruby;
  }

  location @ruby {
    proxy_pass http://example.com;
  }
}

In my nginx.conf:

#default stuff

http{
set_real_ip_from *IP address for cloudflare*;
#....

port_in_redirect off;

#more default stuff

For reference, the current request path: Client Request -SSL-> CloudFlare -SSL-> Nginx -non-SSL-> Thin -non-ssl-> Nginx -SSL-> CloudFlare -SSL-> Client Response

Best Answer

It appears that there is an issue in the Omniauth gem which is causing this issue. Why it is only an issue when I use CloudFlare, and not an issue when it is turned off, beats me.

Anyway, here is the issue on github:

https://github.com/intridea/omniauth/issues/101

My solution:

In the rails app, create a new initializer (config/initializers/omniauth_fix.rb) with this content:

if Rails.env.production?
  module OmniAuth
    module Strategy
      def full_host
        uri = URI.parse(request.url)
        uri.path = ''
        uri.query = nil
        uri.port = (uri.scheme == 'https' ? 443 : 80)
        uri.to_s
      end
    end
  end
end

It is essentially a monkeypatch over the issue. Hopefully it will be fixed in future releases of omniauth.

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Nginx – CodeIgniter nginx rewrite rules for i8ln URL’s

Found a much simpler solution. Following what CodeIgniter does behind the scenes for clean URL's; in Apache this rewrite works by sending each request as http://example.com/index.php?/controller/method which is then processed by CodeIgniter so your config.php should look like

$config['base_url'] = 'http://example.com'
$config['index_page'] = '';
$config['uri_protocol'] = 'REQUEST_URI';

To achieve the same in nginx you'd have to rewrite each request in identical way. Fine tuned my nginx configuration with:

location /example {

    root /var/www/html/;
    index index.php;

    location ~ ^/example/(.+\.php)$ {

        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        root /var/www/html/;
        include /etc/nginx/snippets/fastcgi-php.conf;
    }

    location ~* ^/example/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)) {
        root /var/www/html/;
    }

    # Enforce SSL
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # CI rewrite rules
    if ($host ~* ^www\.(.*)) {
        set $host_without_www $1;
        rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent;
    }

    if ($request_uri ~* ^(/example/(US|EU|INT)/(en|de)(.*))?$) {
        rewrite ^/(.*)$ /example/index.php?/$1 last;
    }

    if ($request_uri ~* ^(/example/(US|EU|INT)/(en|de)/(.*))?$) {
        rewrite ^/(.*)$ /example/index.php?/$1 last;
    }

    # catch all
    error_page 404 /index.php;
}

The missing link existed in nginx rewrite debug log so if you want to know about your rewrite rules and whether they are matched against your rule set add this to your nginx configuration:

server{
  ...
  rewrite_log on;
  error_log /var/log/nginx/error.log info;
  ...
}

And nginx will give you each request log with a match or no match against your PCRE regex. From here on you can tweak your configuration. I had to prepend path (directory) example in nginx configuration file for rewrite rules to work as expected.

Best Answer

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Nginx – CodeIgniter nginx rewrite rules for i8ln URL’s

Related Topic