NGINX reverse proxy & Absolute Paths

Hello,

I am having an issue with absolute paths and HTTP/HTTPS redirects. My blog is deployed with http so that I can reverse proxy it to HTTPS. However, this poses the issue of embeds such as images being deployed with HTTP and as such modern browsers reject loading the content.

Information:

  • What’s your URL? https://blog.jamdoog.com
  • What version of Ghost are you using? Latest (3.40.1)
  • What configuration? CentOS 8 + NGINX + systemd
  • What browser? Firefox/Edge
  • What errors or information do you see in the console? Blocked loading mixed active content
  • What steps could someone else take to reproduce the issue you’re having? I’m not sure how to describe this but essentially double reverse proxy mismatch

I have an interesting topology in that I deploy my website with a reverse proxy, which is then proxied once more across multiple other servers to help reduce latency. I will attach an image of this topology below.

To simplify this post, I am asking for help with my NGINX HTTPS rewrites and/or how to configure Ghost. The error exists because it tries to rewrite HTTPS too many times. "Too many redirects - docker + nginx proxy_pass" highlights the issue perfectly with the waterfall of redirects.

How should I deploy Ghost in this case? As mentioned, using https://blog.jamdoog.com for the address will break it.

My NGINX configuration:

server {
    listen 80;

    server_name blog.jamdoog.com;
    root /var/www/ghost/blog.jamdoog.com/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host blog.jamdoog.com;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

Please let me know if I can provide any more information.

Thank you.


Apologies I couldn’t post my edge node NGINX config. Please find:

upstream blog.jamdoog.com
{
        server blog.jamdoog.com;
}
server {
        server_name blog.jamdoog.com;
        access_log /var/log/nginx.access.log;
        location / {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://IPOfBlog;
                proxy_set_header Host blog.jamdoog.com;
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffers 32 4k;
                proxy_cache proxy-cache;
                proxy_cache_valid 200 302 30m;
                proxy_cache_valid 404 1m;
                proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
        }

        location ^~ /ghost {
                proxy_ignore_headers Cache-Control;
                add_header X-Cache-Status $upstream_cache_status;
        }
        listen 443 ssl;
        ssl_certificate /path/to/fullchain.cer;
        ssl_certificate_key /path/to/the.key;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
        if ($host = blog.jamdoog.com) {
                return 301 https://$host$request_uri;
        }
        listen 80;
        server_name blog.jamdoog.com;
        return 404; # managed by Certbot
}
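The two configurations above, read together, suggest where the redirect loop comes from: the edge node terminates TLS and sends `X-Forwarded-Proto: https`, but the origin listens on port 80 and overwrites that header with its own `$scheme`, which is always `http` on that hop. The following is an added example, not part of the original posts, showing an origin server block that passes the edge's value through and only accepts traffic from the edge. It assumes Ghost's `url` is set to https://blog.jamdoog.com and that Ghost decides whether a request was secure from `X-Forwarded-Proto`; `192.0.2.10` is a placeholder for an edge node address and `$ghost_forwarded_proto` is a name chosen here.

```nginx
# Added example: origin server (the hop that proxies to Ghost on 127.0.0.1:2368).
# The map block belongs in the http {} context.

# Prefer the scheme reported by the edge node; fall back to this hop's
# own scheme only when the header is absent.
map $http_x_forwarded_proto $ghost_forwarded_proto {
    default $http_x_forwarded_proto;
    ""      $scheme;
}

server {
    listen 80;

    server_name blog.jamdoog.com;
    root /var/www/ghost/blog.jamdoog.com/system/nginx-root;

    # X-Forwarded-Proto is now taken from the request, so only the edge
    # nodes may connect; otherwise any client could supply the header.
    allow 192.0.2.10;   # placeholder: one line per edge node
    deny  all;

    location / {
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Before: proxy_set_header X-Forwarded-Proto $scheme;   (always "http" here)
        proxy_set_header X-Forwarded-Proto $ghost_forwarded_proto;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header Host              blog.jamdoog.com;
        proxy_pass http://127.0.0.1:2368;
    }

    # Kept from the original block; this location-level rule overrides
    # the server-level deny for ACME challenge requests.
    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}
```

The edge node's `proxy_set_header X-Forwarded-Proto $scheme;` can stay as it is, because `$scheme` is `https` inside its `listen 443 ssl` server block.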