0

I configured Nginx as a reverse proxy on my server for a site, say example.com

I want the client to access my site using an IP address, something like http://192.0.2.67

The problem is that there is a redirection on the example.com site setting HTTP to redirect to HTTPS. (This example.com using Cloudflare)
When the client accesses my site from http://192.0.2.67 they are redirected to https://example.com

How do I disable HTTP redirect to HTTPS on my Nginx reverse proxy?

My code is like below :

server {
   listen 80;

   location / {
       proxy_pass http://example.com;
   }
}
Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42
setiawan
  • 1
  • 3

3 Answers3

0

I don't see the redirection in the code you have post in the question. It mean that the redirection is done on side example.com.

Depends how is the redirection done. In case the redirection is done simply "http TCP/80 => https TCP/433" and no following checks you can try to proxy directly to https:

server {
   listen 80;

   location / {
       proxy_pass https://example.com;
   }
}

In case this will not help I am afraid you have not much chances to success as you are not the node realizing the force for https redirect.

In case there is HTTP Strict Transport Security (HSTS) header in the page the redirection is done on browser level and there you have also minimal chances to skip ip (in theory you can try to filter out this header).

Kamil J
  • 1,587
  • 1
  • 4
  • 10
  • I had try ```proxy_pass https://example.com;``` but fail with return message ```502 bad gateway``` How to filter out this header? @Kamil J – setiawan Jan 23 '20 at 11:37
  • In case of https it may depend on trust on the certs on the remote side... The syntax is in general correct - see e.g. ``https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/``. For the hiding of the header you can try **proxy_hide_header** (see ``https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header``) but to be honest I am not sure removing hsts header is the correct approach. Once HSTS header is in place it may have some reason - e.g. transporting sensitive information ;-). – Kamil J Jan 23 '20 at 12:28
0

It seems to me that the page is making a redirect, not the webserver. Through PHP, that can be achieved with something like this:

<?php header('Location: http://google.com') ?>

In that case, it's hard to prohibit that kind of behavior through the webserver itself.

Stefano Martins
  • 1,131
  • 7
  • 10
0

Nginx doesn't redirect here. It's the origin server that is sending this HTTP redirect. With Nginx you can replace sent redirects with your own redirect target:

server {
    listen 80;

    location / {
        proxy_pass http://example.com;
        # replace redirects
        proxy_redirect http://example.com http://192.0.2.67;
    }
}

For more details see documentation of ngx_http_proxy_module

Jens Bradler
  • 6,133
  • 2
  • 16
  • 13
  • I had try to set it like this but return an error message too many redirects – setiawan Jan 27 '20 at 08:21
  • Browser don't like http anymore. They prefer https and if there are has been sent a Strict-Transport-Security header a browser doesn't allow http and you have to use https. Additionally some web applications and web sites doesn't like access without a hostname and will always redirect to a configured hostname (e.g. WordPress). If thats the case you have to use more tricks. – Jens Bradler Jan 30 '20 at 08:37