PROBLEM: All subdomains are forwarding to the first subdomain, including non defined addresses (which should instead give a 404)
I have a reverse proxy sitting in the cloud that has VPN connections back a DMZ zone in the infrastructure. It is successfully working for the 1 subdomain, but today I found out that if I type other subdomains (example sub2.domain.com or sub3.domain.com), that point to the same place in the CNAME record, they also go to this reverse proxied sub1.domain.com even though I have a =404 in the "default" server_name _; location.
My my understanding, NGINX Reverse Proxy is only supposed to forward if the HEADER matches (header being the domain typed into the browser by the user). So sub1.domain.com is typed by the end user, NGINX sees the header (sub1.nginx.com) and follows it's proxy rules. That is NOT what is happening, though
These webpages are on different machines in the DMZ and I prefer NOT to use custom ports. So 443 should to go 443, via the HEADER match.
What am I missing. I've read about 300000 examples all saying I have it right, but nope, it doesn't work.
- What am I missing?
- Why does sub1 own non defined subdomains?
- Am I required to use different ports internally than http/https (80/443)? If so, what is the point of the header forward?
Code: Select all
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name .domain.com;
proxy_redirect off;
### verified the path is accurate. If I move the files I get an error on systemctl reload nginx command
ssl_certificate /var/www/live/certificate.crt
ssl_certificate_key /var/www/live/certificate.key;
ssl_trusted_certificate /var/www//live/certificate.bundle.crt;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
### This is SUPPOSED to give a 404 page not found for all subdomains NOT found in this record, but that doesn't work. Instead when things hit the RP (Reverse Proxy) it goes to sub1.domain.com
}
}
### sub1.domain.com below
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
### this works TOO well, I ONLY want it to forward this subdomain. nothing more.
server_name sub1.domain.com;
ssl_certificate /var/www/live/certificate.crt;
ssl_certificate_key /var/www/live/certificate.key;
ssl_trusted_certificate /var/www//live/certificate.bundle.crt;
location / {
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass https://sub1.domain.com:443;
### again custom /etc/host record pointing to the internal IP on this RP machine and it works fine
}
}
### sub2.domain.com below
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name sub2.domain.com;
ssl_certificate /var/www/live/certificate.crt;
ssl_certificate_key /var/www/live/certificate.key;
ssl_trusted_certificate /var/www//live/certificate.bundle.crt;
location / {
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass https://sub2.domain.com:443;
### the above records has a custom DNS record on the reverse proxy, pointing to the "internal" ip and if I w3m to it from this same machine, it works great
}
}
Thank you,
Scott