I’ve installed UserFrosting behind a front-end nginx v1.19.2 proxy.
The config’s straightforward:
@ front-end proxy
    server {
        listen xx.xx.xx.xx:443 ssl http2;
        server_name example.com;
        location /admin/users {
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_certificate "/srv/ssl/userfrosting.client.EC.crt";
            proxy_ssl_certificate_key "/srv/ssl/userfrosting.client.EC.key";
            proxy_ssl_trusted_certificate "/srv/ssl/myCA_chain.crt";
            proxy_pass https://userfrosting.example.com/;
            proxy_ssl_server_name on;
            proxy_ssl_name userfrosting.example.com;
        }
    }
@ UserFrosting backend
    server {
        listen 10.0.0.1:443 ssl http2;
        server_name userfrosting.example.com;
        root /srv/UserFrosting/public/;
        index index.php;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_client_certificate "/srv/ssl/myCA_chain.crt";
        ssl_certificate "/srv/ssl/userfrosting.server.EC.crt";
        ssl_certificate_key "/srv/ssl/userfrosting.server.EC.key";
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        location ~ \.(php)$ {
            location ~ \..*/.*\.php$ {
                return 404;
            }
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_keep_conn on;
            fastcgi_pass phpfpm;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi.conf;
        }
        location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ {
            include mime.types;
            expires max;
            index index.php;
            try_files $uri $uri/ /index.php?$query_string;
        }
        location / {
            include mime.types;
            index index.php;
            try_files $uri $uri/ /index.php?$query_string;
        }
    }
Both direct nav to the backend, from internal LAN,
https://userfrosting.example.com
and to the proxy, via public IP,
https://example.com/admin/users
work as expected, presenting 1st UF login, then on-success access to the auth’d portal.
When accessing via the front-end proxy, nav to
https://example.com/admin/users
brings up the “Welcome to UserFrosting!” generic page. The displayed URL remains
https://example.com/admin/users
All the links on the page refer instead to the backend server name,
https://userfrosting.example.com/account/sign-in
e.g., clicking on Sign-In redirects to
https://userfrosting.example.com/account/sign-in
and all subsequent page navs are at the same, backend path – exposing it to the ‘external’ visitor.
I suspect some change to proxy_pass et al is needed.
Above, the
    proxy_pass https://userfrosting.example.com/;
    proxy_ssl_server_name on;
    proxy_ssl_name userfrosting.example.com;
config is currently what I needed to keep the cert verification operational …
What config’s required to get the UF backend to use the proxy’s URL/paths AND preserve cert checking/verification?
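
A check for the symptom described in this post, as an added example that is not part of the original post or of UserFrosting: it scans a response fetched through the front-end proxy for absolute URLs whose host is not the public one, so a config change can be verified against the Sign-In link and redirect behaviour reported above. The function name `leaked_hosts` and the sample response are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute URLs anywhere, plus protocol-relative ones that directly follow
# a quote, '=' or '(' (typical for HTML attributes and CSS url()).
URL_RE = re.compile(r"""https?://[^\s"'<>)]+|(?<=["'=(])//[^\s"'<>)]+""", re.I)


def leaked_hosts(headers, body, public_host):
    """Return {host: [location, ...]} for each URL host other than public_host."""
    findings = {}
    sources = [(f"header {name}", value) for name, value in headers.items()]
    sources.append(("body", body))
    for where, text in sources:
        for url in URL_RE.findall(text):
            absolute = url if url.lower().startswith("http") else "https:" + url
            try:
                host = urlsplit(absolute).hostname
            except ValueError:  # malformed authority, e.g. broken IPv6 literal
                continue
            if host and host != public_host.lower():
                findings.setdefault(host, []).append(f"{where}: {url}")
    return findings


# Constructed sample of a response seen through the proxy (not captured traffic).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Location": "https://userfrosting.example.com/account/sign-in",
}
SAMPLE_BODY = """<link rel="stylesheet" href="https://example.com/assets/app.css">
<a href="https://userfrosting.example.com/account/sign-in">Sign-In</a>
<a href="/account/register">Register</a>"""

if __name__ == "__main__":
    for host, hits in leaked_hosts(SAMPLE_HEADERS, SAMPLE_BODY, "example.com").items():
        print(f"backend host exposed: {host}")
        for hit in hits:
            print(f"  {hit}")
```

Relative links and links on the public host are not reported; an empty result for every page reachable under the proxied path means the backend name is no longer visible to external visitors in links or redirects.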