Nginx Alias configuration

fabrizio9 years ago

I'm trying to use traccar under an alias directory in my webserver as I need to secure it with HTTPS. The problem is that I have a certificate only for my domain so I have to use https://mydomain.com/track as address. I use nginx 1.9 with the following configuration:

location /track/ {
 proxy_redirect http://mydomain.com:8082/ https://mydomain.com/track/;
 proxy_pass http://localhost:8082/;
 proxy_set_header Host $host;
}

The error I am getting in console is the following:

Failed to load resource: the server responded with a status of 404 (),
https://mydomain.com/l10n/en.json?_dc=1458724365411

So the nginx config is not redirecting properly.

Any help is appreciated.

Anton Tananaev9 years ago

Here is documentation for Apache:

https://www.traccar.org/secure-connection/

I guess you should do something similar for nginx.

fabrizio9 years ago

This solution works. At least for me. You might want to add it to the docs?

server {
    listen 80; 
    server_name demo.traccar.org;
    return 301 https://demo.traccar.org$request_uri;
} 

server {
    add_header Strict-Transport-Security max-age=63072000;
    listen 443 ssl http2; # use http2 on nginx 1.9, if old change to spdy (or leave empty)
    server_name demo.traccar.org;
    root /var/www/html;
    index index.html index.htm;

    ssl on; 
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_dhparam /etc/ssl/dhparam.pem; # Build as per docs
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # drop SSLv3 (POODLE vulnerability)    
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

        # Security features
         if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
                 return 403;
         }   
         if ($http_user_agent ~* msnbot|scrapbot) {
                 return 403;
         }   
         if ($request_method !~ ^(GET|HEAD|POST)$ ) { 
                 return 444;
         }   
   
     # Traccar Setup
     location / { 
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    
        proxy_redirect http://demo.traccar.org:8082/ /;
        proxy_redirect ws://demo.traccar.org:8082/api/socket /api/socket;
        proxy_pass http://localhost:8082/;
        proxy_set_header Host $host;
     }   
}
fabrizio9 years ago

Actually this is a proper configuration:

server {
    listen 80; 
    server_name demo.traccar.org demo.traccar.org;
    return 301 https://demo.traccar.org$request_uri;
} 

server {
    add_header Strict-Transport-Security max-age=63072000;
    #client_max_body_size 200M;
    listen 443 ssl http2;
    server_name demo.traccar.org;
   
    ssl on; 
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # drop SSLv3 (POODLE vulnerability)    
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

        # Security features
         if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
                 return 403;
         }   
         if ($http_user_agent ~* msnbot|scrapbot) {
                 return 403;
         }   
   
     # Traccar Setup
     location / { 
        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
            
        proxy_redirect http://localhost:8082/ /;
        proxy_redirect ws://localhost:8082/api/socket /api/socket;
        proxy_pass http://localhost:8082/;
     }   
}

Fine tuned a little..

Jaoued8 years ago

hello

I'm trying to use your configuration but with another location. some request pass with 200 code but some other do not pass (401 or 404) don't know why. here is my modified conf :

    location /traccar/ {
        proxy_set_header    Host         $host;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_http_version 1.1;
        
        proxy_set_header    Upgrade      $http_upgrade;
        proxy_set_header    Connection   "upgrade";

        proxy_redirect      http://127.0.0.1:8082/ /traccar/;
        proxy_redirect      ws://127.0.0.1:8082/api/socket /traccar/api/socket;
        proxy_pass          http://127.0.0.1:8082/;
        access_log          /var/log/nginx/traccar-access.log;
        error_log           /var/log/nginx/traccar-error.log;
    }
==> /var/log/traccar-access.log <==
127.0.0.1 - - "GET /traccar/api/session?_dc=1488918321721 HTTP/1.1" 404 71 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "POST /traccar/fake-login.html HTTP/1.1" 404 101 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/groups?_dc=1488918328392&page=1&start=0&limit=25 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/attributes/aliases?_dc=1488918328395&page=1&start=0&limit=25 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/geofences?_dc=1488918328394&page=1&start=0&limit=25 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/devices?_dc=1488918328404&page=1&start=0&limit=25 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/socket HTTP/1.1" 503 99 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/positions?_dc=1488918328440 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
127.0.0.1 - - "GET /traccar/api/devices?_dc=1488918328440 HTTP/1.1" 401 81 "https://***/traccar/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

I will appreciate your help.

Jaoued8 years ago

I've some news :)
first, my config is not working because of using location /traccar in my config. the cookie don't know it and use /api instead of /traccar/api.
to resolve this, you can add a rewrite rule :

proxy_cookie_path /api /traccar/api;

this will not resolve everything, the file app.min.js contain hardcoded path :

new WebSocket(b+"//"+window.location.host+c+"api/socket");
b.onclose=function() {
    Ext.toast(Strings.errorSocket,Strings.errorTitle,"br");
    Ext.Ajax.request({
        url:"api/devices",
        success:function(b) {
            a.updateDevices(Ext.decode(b.responseText))
        }
    });

please can you add a config properties to specify a a root path for all requests ?

Anton Tananaev8 years ago

It looks like you are using outdated version of Traccar.

Jaoued8 years ago

I'm using the 3.10 version

Anton Tananaev8 years ago

There is no hardcoded path in version 3.10.

Jaoued8 years ago

ok, do you have an idea why I'm getting this error :
failed: Error during WebSocket handshake: Unexpected response code: 200

Anton Tananaev8 years ago

I can only guess that your proxy configuration is incorrect.