Configure Nginx Proxy On Openwrt

Hi there, I have a Beryl AX router, and what I want it to do is add a custom header, e.g. “X-CLIENT-NAME: MYNAME”. With the help of AI I was able to add this to the nginx config on top of GL.iNet’s basic config:

index gl_home.html;

lua_shared_dict shmem 12k;
lua_shared_dict nonces 16k;
lua_shared_dict sessions 16k;

init_by_lua_file /usr/share/gl-ngx/oui-init.lua;

# SSL Configuration for api.wifiyanidday.com
server {
    listen 443 ssl;
    server_name api.wifiyanidday.com;

    # SSL Configuration
    ssl_certificate /etc/nginx/api.wifiyanidday.com.crt;
    ssl_certificate_key /etc/nginx/api.wifiyanidday.com.key;

    # Add custom header with client's local IP address
    add_header X-ROUTER-NAME "Nidday Mark";

    # Proxy to backend service
    location / {
        proxy_pass https://api.wifiyanidday.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_verify off;  # Disable SSL verification for the remote API
        proxy_ssl_server_name on;
    }
}

# Additional server block for other routes (like /rpc, /ws, /upload, etc.)
server {
    listen 80;
    listen [::]:80;

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name _;  # Default server for all other requests

    ssl_certificate /etc/nginx/nginx.cer;
    ssl_certificate_key /etc/nginx/nginx.key;

    resolver 127.0.0.1 ipv6=off;

    rewrite ^/index.html / permanent;

    # Other locations
    location = /rpc {
        content_by_lua_file /usr/share/gl-ngx/oui-rpc.lua;
        add_header Content-Type application/json;
        add_header X-Frame-Options DENY;
    }

    location = /ws {
        add_header X-Frame-Options DENY;
        content_by_lua_file /usr/share/gl-ngx/oui-ws.lua;
    }

    location = /upload {
        add_header X-Frame-Options DENY;
        content_by_lua_file /usr/share/gl-ngx/oui-upload.lua;
    }

    location = /download {
        add_header X-Frame-Options DENY;
        content_by_lua_file /usr/share/gl-ngx/oui-download.lua;
    }

    location /cgi-bin/ {
        add_header X-Frame-Options DENY;
        include fastcgi_params;
        fastcgi_read_timeout 300;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    location ~.*\.(html|png|jpg|svg)$ {
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
        add_header X-Frame-Options DENY;
    }

    include /etc/nginx/gl-conf.d/*.conf;
}

I added the first server block, but when I tested it with curl, my traffic never went through nginx; it went directly to the remote server, so no header was set. So I googled and found out I needed to update my router's DNS to match any traffic from my api.wifiyanidday.com to my nginx server at 192.168.8.1, and it did route it there. But then when I test it with curl without the proxy pass and just a text return, it works, but when I added my server as the proxy pass, I get:

root@GL-MT3000:~# curl -v -k https://api.wifiyanidday.com
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: api.wifiyanidday.com
> User-Agent: curl/7.83.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.26.1
< Date: Sun, 09 Feb 2025 23:01:19 GMT
< Content-Type: text/html
< Content-Length: 157
< Connection: keep-alive
<
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.26.1</center>
</body>
</html>
root@GL-MT3000:~#

What am I doing wrong in my config? Or rather, I’ll appreciate any help I can get. Thanks!

Please post output of

ubus call system board

does not look like you are using OpenWrt

Sadly, AI hallucination does not do what you say on generic nginx either; return it to the place of purchase ASAP.

BusyBox v1.33.2 (2024-12-05 01:20:09 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r15812+908-46b6ee7ffc
 -----------------------------------------------------
root@GL-MT3000:~# ubus call system board
{
        "kernel": "5.4.211",
        "hostname": "GL-MT3000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,mt3000-snand",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+908-46b6ee7ffc",
                "target": "mediatek/mt7981",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+908-46b6ee7ffc"
        }
}
root@GL-MT3000:~#

Ask gl-inet for assistance with their software.
And make rev proxy reading documentation. No one can fix your ultron past saying it's broke.

Damn, you sound like the broke ultron "Don't even know what that means"

Your help is appreciated though!

Ultron == your nginx config

Never used nginx as proxy, but squid, instead. Used nginx only on openwrt as web server. This said, some notes from these scenarios: Doing what you want, for http only, is a piece of cake. Squid inserts the X-... header by default. However, quite a much more complicated scenario for https. Which (also) means, you need to have proper certs installed on your clients, which I very much doubt. Because nginx/squid has to terminate the SSL connection with remote server, to "decode" the https-stream, insert X-header in your case, and open new SSL connection with client. In few words: Without special certs installed on your client(s), NO WAY AT ALL to do what you want, for https.

I also don't know much about squid, but nginx requires the same thing, at least from what I have read. It also requires me to do SSL termination. I don't want to add custom headers to all the requests of different servers, only my server, and I have the correct certificates for it; if you look closely at my nginx config, you'll see that I attach them for the SSL termination.

Terminator hid the truth in nginx documentation while saying something about backend examples.

Using nginx to proxy your own site only changes the scenario. You should use the detailed nginx docs for this usage case, to set up the proxy on a pure Linux system, first. To avoid any possible/probable interference from the openwrt stuff, like UCI and package install "features". Only after success on ubuntu or similar, start port to openwrt.
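
Added example, not posted by anyone in this thread: a reverse-proxy server block for the setup in the first post, with the weak upstream TLS setting replaced and the request header separated from the response header. It assumes the 502 comes from nginx resolving api.wifiyanidday.com through the router's own DNS override and proxying back to itself; the origin IP 203.0.113.10 is a placeholder and the CA bundle path is an assumption.

```nginx
# Added example, not from the thread. Constructed values are marked.
server {
    listen 443 ssl;
    server_name api.wifiyanidday.com;

    ssl_certificate     /etc/nginx/api.wifiyanidday.com.crt;
    ssl_certificate_key /etc/nginx/api.wifiyanidday.com.key;

    location / {
        # Assumed cause of the 502: with the router's DNS override in place,
        # the hostname resolves to 192.168.8.1, i.e. back to this server block.
        # Proxy to the origin by IP instead.
        # 203.0.113.10 is a placeholder (documentation range), not the real origin.
        proxy_pass https://203.0.113.10;

        # Keep the real hostname for SNI, certificate checks and the Host header.
        proxy_ssl_server_name on;
        proxy_ssl_name        api.wifiyanidday.com;
        proxy_set_header Host api.wifiyanidday.com;

        # Verify the origin certificate instead of "proxy_ssl_verify off".
        # The CA bundle path is an assumption (OpenWrt ca-bundle package).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Request header sent to the origin. proxy_set_header replaces any
        # value a client supplied under the same name, so LAN clients
        # cannot choose it themselves.
        proxy_set_header X-CLIENT-NAME "MYNAME";

        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Response header returned to the LAN client; this is what add_header
        # does. "always" also attaches it to error responses such as a 502.
        add_header X-ROUTER-NAME "Nidday Mark" always;
    }
}
```

Check the syntax with `nginx -t` before reloading, and read the nginx error log if the 502 persists, since it records the upstream connection or certificate failure.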