Yes, that's what I tried originally, and it worked for external traffic, but it also made it impossible to use the Devpi client locally on the same machine Devpi is running on. The Devpi client would only work remotely through the load balancer.

In case this helps out anyone else, this is how I solved this problem dynamically. First, I placed these "map" blocks just within the "http" block (above the "server" block) in nginx.conf:

    map $http_x_forwarded_proto $the_scheme {
        default $scheme;
        https https;
    }

    map $http_x_forwarded_host $the_host {
        default $host;
        ~. $http_x_forwarded_host;
    }

    map $http_x_forwarded_port $the_port {
        default $server_port;
        443 443;
    }

Then, I updated "location @proxy_to_app" to look like this:

        location @proxy_to_app {
            proxy_pass http://unix:/tmp/devpi-server.sock:;
            proxy_pass_request_headers on;
            proxy_set_header X-outside-url     $the_scheme://$the_host:$the_port;
            proxy_set_header X-Forwarded-Proto $the_scheme;
            proxy_set_header X-Forwarded-Host  $the_host;
            proxy_set_header X-Forwarded-Port  $the_port;
            proxy_set_header X-Forwarded-For   $remote_addr;
            proxy_set_header X-Real-IP         $remote_addr;
            expires -1;  # no-cache
        }

It works perfectly this way. Devpi web and client both work correctly remotely through the load balancer, and the Devpi client still works correctly locally on the same machine on which Devpi is running.

Thanks,

Nick
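
A small model of how the three "map" blocks in the message above resolve, added here as an illustration; it is not part of the original message and is not Devpi or nginx code. The hostname is a constructed placeholder, and the example goes slightly beyond the message by including a forwarded port other than 443, which the port map sends to the $server_port fallback.

```python
import re

def nginx_map(value, rules, default):
    """Evaluate one nginx `map`: exact strings first (case-insensitive),
    then "~" regex rules in order, otherwise the default."""
    for pattern, result in rules:
        if not pattern.startswith("~") and value.lower() == pattern.lower():
            return result
    for pattern, result in rules:
        if pattern.startswith("~") and re.search(pattern[1:], value):
            return result
    return default

def outside_url(headers, scheme="http", host="localhost", server_port="80"):
    """Return the X-outside-url value the three maps would produce.
    scheme/host/server_port stand in for $scheme, $host and $server_port."""
    h = {k.lower(): v for k, v in headers.items()}
    # An absent request header leaves the $http_* variable empty.
    fwd_proto = h.get("x-forwarded-proto", "")
    fwd_host = h.get("x-forwarded-host", "")
    fwd_port = h.get("x-forwarded-port", "")
    the_scheme = nginx_map(fwd_proto, [("https", "https")], scheme)
    the_host = nginx_map(fwd_host, [("~.", fwd_host)], host)
    the_port = nginx_map(fwd_port, [("443", "443")], server_port)
    return f"{the_scheme}://{the_host}:{the_port}"

# Constructed sample requests; the hostname is a placeholder.
VIA_LB = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "pypi.example.internal",
    "X-Forwarded-Port": "443",
}
LOCAL_CLIENT = {}  # Devpi client on the same machine, no load balancer
LB_OTHER_PORT = dict(VIA_LB, **{"X-Forwarded-Port": "8443"})

if __name__ == "__main__":
    for name, hdrs in [("via load balancer", VIA_LB),
                       ("local client", LOCAL_CLIENT),
                       ("load balancer on 8443", LB_OTHER_PORT)]:
        print(f"{name:24} -> {outside_url(hdrs)}")
```

Because the maps key only on header values, the forwarded headers should be ones the load balancer sets itself.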

On Thu, Dec 19, 2019 at 3:17 AM Florian Schulze <mail@florian-schulze.net> wrote:

Hi!

In the nginx config set the X-outside-url header with something like this (didn't test, might need to be adjusted):

    proxy_set_header X-outside-url $http_x_forwarded_proto://$http_x_forwarded_host:$http_x_forwarded_port;

Regards,
Florian Schulze

On 18 Dec 2019, at 22:10, Nicholas Williams wrote:

I'm having trouble with a reverse-proxy config and could use some assistance.

We have the following setup:

LOAD BALANCER
Accepts requests via the official hostname and HTTPS (port 443)
Forwards requests to Devpi Nginx server
Sends headers X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto matching the official hostname, HTTPS, and 443.

DEVPI NGINX SERVER
Accepts requests via port 80
Serves requests for +f files directly (works perfectly)
Forwards remaining requests to Devpi Python server
DOES NOT override headers X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto (I have those proxy_set_header values from the recommended nginx.conf commented out so that Nginx doesn't override them)
DOES NOT send header X-Outside-Url (I also have that commented out)

The behavior is that all links, CSS tags, and JavaScript tags point to http://localhost/... instead of https://the.correct.domain.name/...

What do I need to change to make Devpi properly use the X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto headers coming from the load balancer?

Thanks,

Nick
