Successfully ran Certbot. Site still not secure. What did I do wrong? - express

I have a Digital Ocean VM running an Express backend server listening to port 5000.
I have all these records set up to point my VM IP to the domain I registered.
https://i.imgur.com/dfdBgKb.jpg
I have Nginx installed and a sites-available/sites-enabled config file like this:
https://i.imgur.com/TxMtfSM.png
/etc/nginx/sites-available/reeeeee.tk.conf
server {
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    listen 80;
    server_name api.reeeeee.tk;

    # SSL
    # ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;

    # HSTS
    # add_header X-Frame-Options "SAMEORIGIN" always;
    # add_header X-XSS-Protection "1; mode=block" always;
    # add_header X-Content-Type-Options "nosniff" always;
    # add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/api.reeeeee.tk-access.log;
    error_log /var/log/nginx/api.reeeeee.tk-error.log;
    server_tokens off;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
    }
}
I created a /var/www/_letsencrypt directory and chowned it to the user "www-data":
https://imgur.com/KBKTapE
I then successfully ran Certbot:
https://i.imgur.com/2glcHVn.jpg
After successfully running Certbot, I removed all the "#"s, so the ".conf" file now looks like:
/sites-enabled/reeeeee.tk.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    listen 80;
    server_name api.reeeeee.tk;

    # SSL
    ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;

    # HSTS
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/api.reeeeee.tk-access.log;
    error_log /var/log/nginx/api.reeeeee.tk-error.log;
    server_tokens off;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
    }
}
I restarted Nginx
https://i.imgur.com/oUXWHAM.png
BUT the site is still not HTTPS secured.
http://www.reeeeee.tk/api/movies
Did I get an SSL certificate? What did I do wrong? Do you see anything in the screenshots or code that I did wrong?
Where do I go from here? How do I get a working SSL cert and an HTTPS secured site?
I was following advice I got from this Reddit thread. ALL further context is in here if I didn't post enough info:
https://www.reddit.com/r/nginx/comments/z88yra/trying_to_get_ssl_certificate_for_backend_where/
Was this person just wrong? Did I do it wrong from the beginning? Do I have to start over?
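An added diagnostic, not part of the question or of the Reddit thread it cites, for checking the points asked about here: whether a certificate exists where the site file points, whether the host name in the URL being tested appears in the served certificate's SANs, and whether plain http on port 80 redirects; the SAN check also covers the "Nginx ssl force www to redirect" question further down, where the requested name is not in the certificate. Host names, paths and the two sample site files are constructed for illustration; pass a hostname argument to probe a live host.

```shell
#!/bin/sh
# Added diagnostic for a certbot + nginx deployment (not from the thread).
# Host names, paths and the two sample site files are constructed.

# Does a certificate's SAN list cover host $2? $1 is the SAN line exactly as
# "openssl x509 -text" prints it, e.g. "DNS:api.example.test, DNS:*.example.test".
san_covers_host() {
    san_line=$1; host=$2; parent=${host#*.}
    set -f                                  # stop "*.example.test" from globbing
    for entry in $(printf '%s' "$san_line" | tr ',' ' '); do
        case $entry in DNS:*) name=${entry#DNS:} ;; *) continue ;; esac
        if [ "$name" = "$host" ]; then set +f; echo covered; return 0; fi
        case $name in \*.*)                 # RFC 6125: one leftmost label only
            if [ "${name#\*.}" = "$parent" ] && [ "$parent" != "$host" ]; then
                set +f; echo covered; return 0
            fi ;;
        esac
    done
    set +f; echo not-covered
}

# Audit one site file for the mistakes visible in this thread: port 80 served
# by the ssl block with no redirect to https, legacy TLS versions enabled, and
# ssl_certificate paths that do not exist (i.e. certbot never wrote them).
audit_site_conf() {
    file=$1; findings=""
    if grep -Eq '^[[:space:]]*listen[[:space:]]+80([[:space:]]|;)' "$file" &&
       grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' "$file" &&
       ! grep -Eq 'return[[:space:]]+30[12][[:space:]]+https://' "$file"; then
        findings="$findings http-not-redirected"
    fi
    if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:]]|;)' "$file"; then
        findings="$findings legacy-tls-enabled"
    fi
    for cert in $(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$file"); do
        [ -r "$cert" ] || findings="$findings cert-file-missing:$cert"
    done
    if [ -n "$findings" ]; then echo "${findings# }"; else echo clean; fi
}

# Live check of your own host (needs network, so only run when an argument is
# given): which names the served certificate covers and what plain http returns.
probe_host() {
    san=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -1)
    echo "SAN: $san"; echo "$1 is $(san_covers_host "$san" "$1")"
    echo "http://$1/ -> $(curl -sI -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/")"
}

WEAK=$(mktemp); FIXED=$(mktemp); DUMMY_CERT=$(mktemp)
cat >"$WEAK" <<'EOF'
server {
    listen 443 ssl http2;
    listen 80;
    server_name api.example.test;
    ssl_certificate /etc/letsencrypt/live/api.example.test/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://localhost:5000; }
}
EOF
cat >"$FIXED" <<EOF
server {
    listen 80;
    server_name api.example.test;
    location ^~ /.well-known/acme-challenge/ { root /var/www/_letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name api.example.test;
    ssl_certificate $DUMMY_CERT;   # stands in for /etc/letsencrypt/live/.../fullchain.pem
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { proxy_pass http://localhost:5000; }
}
EOF
echo "weak site file:  $(audit_site_conf "$WEAK")"
echo "fixed site file: $(audit_site_conf "$FIXED")"
echo "cert for api, URL on www: $(san_covers_host 'DNS:api.example.test, DNS:example.test' www.example.test)"
if [ "$#" -gt 0 ]; then probe_host "$1"; fi
```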

Related

Nginx cors configuration for 2 sub-domains with separate ssl

I have two apps running on my server.
A react app on port 4512 (locally on HTTP) and 5512 (on https). Can be accessed on https://merchant.abc.com:5512
A node js (express) API on port 4511 (locally on http) and 5511 (on https) served on https://ce.abc.com:5511
Initially, I was using a wildcard SSL certificate for both sub-domains, and nodejs was taking care of CORS. But we were then required to use separate SSL certificates for both domains. When I used separate SSL certificates, Nginx started to deny cors requests (I was able to use API using postman).
I then read about Nginx cors options on some posts here and came up with the following Nginx settings
/etc/nginx/sites-available/default
# Vendor API
server {
    listen 5511 ssl;
    ssl_certificate /ssl/ssl-bundle-api.crt;
    ssl_certificate_key /ssl/ssl-api.key;

    location / {
        include /etc/nginx/shared/allow-cors;
        proxy_pass http://localhost:4511;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}

# Retailer app
server {
    listen 5512 ssl;
    ssl_certificate /ssl/ssl-bundle-react.crt;
    ssl_certificate_key /ssl/ssl-react.key;

    location / {
        proxy_pass http://localhost:4512;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}
/etc/nginx/shared/allow-cors
if ($request_method = "OPTIONS") {
    add_header Access-Control-Allow-Origin $http_origin always;
    add_header Access-Control-Allow-Credentials true always;
    add_header Access-Control-Allow-Methods 'DELETE,GET,OPTIONS,POST,PUT' always;
    add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-Token-Auth,X-Mx-ReqToken,X-Requested-With' always;
    add_header 'Access-Control-Max-Age' 1728000 always;
    # media type and parameter must be separated by a semicolon
    add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
    add_header 'Content-Length' 0 always;
    return 204;
}
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Credentials true always;
add_header Access-Control-Allow-Methods 'DELETE,GET,OPTIONS,POST,PUT' always;
add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-Token-Auth,X-Mx-ReqToken,X-Requested-With' always;
I then removed the cors settings from the nodejs API. This seemed to fix the issue on my aws ec2 ubuntu 18.04 instance completely. But when I deploy this code on the client's on-premise server (created using image of my ec2 instance) it again has issues. On Firefox it seems like the pre-flight check gets the expected 204, but then I don't see any POST request being sent.
On Chrome I see a successful pre-flight check with 204. I also see the actual POST request in chrome, but with a (failed) net::ERR_FAILED status.
Can somebody please help me resolve this?

NGINX reverse proxy HTTPS routes non-functional despite certbot SSL

I have NGINX set up as a reverse proxy to serve a node server from a single Ubuntu 18.04 ec2 instance (NGINX and the node server are both on the same instance). Certbot successfully installed and configured and HTTP routes are coming through with no issue but when I try to hit an HTTPS endpoint I get ERR_CONNECTION_CLOSED on my client (which is hosted on GH-Pages but I don't think that's relevant?).
My ec2 instance is set up to accept all traffic on ports 80 and 443, my server is listening on port 3333.
Currently ufw is set to inactive but I have tried enabling it and allowing 'NGINX FULL'. The requests still failed in this scenario but I received a connection timeout error instead of connection closed.
NGINX error logs example output:
2020/05/13 23:17:23 [error] 13581#13581: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 159.xxx.xxx.35, server: api.example.net, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3333/", host: "54.xxx.xx.xxx:80"
My NGINX server blocks are as follows:
server {
    listen 443 ssl;
    server_name api.example.net www.api.example.net;

    ssl_certificate /etc/letsencrypt/live/api.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://localhost:3333/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

server {
    listen 80;
    server_name api.example.net www.api.example.net;
    # return 301 https://$host$request_uri;

    location / {
        proxy_pass http://localhost:3333/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
I've been googling for the last 18 hours and my brain is bleeding, any and all suggestions will be greatly appreciated.
I was able to connect to your server on https (you forgot to redact the domain in the error log). The server itself seems to work fine (I got the error Cannot GET /). I suspect your client on gh-pages gets the ERR_CONNECTION_CLOSED error because CORS is not allowing it to talk to your server.
This question may be helpful: POST API call returns CORS error without https and ERR_CONNECTION_CLOSED without
If you want to allow CORS with nginx, then this may work (snippet from enable-cors.org). After you get it working, you should probably improve security by not allowing all origins.
#
# Wide-open CORS config for nginx
#
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }
}
I hope this helps!
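An added self-test, not from either post, for the two CORS shapes on this page: the allow-cors snippet in the previous question, which echoes $http_origin back with credentials enabled, and the wide-open '*' snippet in this answer. It sends the preflight a browser would send for a legitimate origin and for an origin that must not be allowed, then classifies the pair of responses; the origins, endpoint and sample response files are constructed for illustration.

```shell
#!/bin/sh
# Added CORS self-test (not from either post). Origins, endpoints and the
# sample responses below are constructed for illustration.

# Value of response header $2 (lowercase name) from a file of raw headers $1.
hdr() {
    tr -d '\r' <"$1" | awk -v h="$2" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == h) {
            v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit
        } }'
}

# Classify a CORS policy from two preflight responses to the same endpoint:
# $1 = headers returned when Origin was the legitimate app origin $3,
# $2 = headers returned when Origin was one that must NOT be allowed ($4).
cors_verdict() {
    legit_acao=$(hdr "$1" access-control-allow-origin)
    other_acao=$(hdr "$2" access-control-allow-origin)
    legit_acac=$(hdr "$1" access-control-allow-credentials)
    if [ -z "$legit_acao" ]; then echo no-cors-headers; return 0; fi
    if [ "$legit_acao" = "*" ]; then
        # browsers refuse "*" together with credentials, so that pair never works
        if [ "$legit_acac" = true ]; then echo wildcard-with-credentials
        else echo wildcard-open; fi
        return 0
    fi
    if [ "$other_acao" = "$4" ]; then
        # the server echoed an arbitrary origin: any site can make credentialed
        # requests and read the responses
        if [ "$legit_acac" = true ]; then echo reflects-any-origin-with-credentials
        else echo reflects-any-origin; fi
        return 0
    fi
    if [ "$legit_acao" = "$3" ] && [ -z "$other_acao" ]; then
        # per-origin answers must carry Vary: Origin or caches serve the wrong one
        case $(hdr "$1" vary) in *[Oo]rigin*) echo allowlist ;; *) echo allowlist-missing-vary ;; esac
        return 0
    fi
    echo "unexpected: legit=$legit_acao other=$other_acao"
}

# Send the preflight a browser sends before a credentialed POST and save the
# response headers to $3 (needs network, so not run by default).
preflight() {
    curl -s -o /dev/null -D "$3" -X OPTIONS "$1" -H "Origin: $2" \
         -H "Access-Control-Request-Method: POST" \
         -H "Access-Control-Request-Headers: authorization,content-type"
}

LEGIT=https://merchant.example.test; OTHER=https://unlisted.invalid
R1=$(mktemp); R2=$(mktemp); A1=$(mktemp); A2=$(mktemp); W=$(mktemp)
# Responses modelled on the allow-cors snippet in the question (echoes $http_origin):
printf 'HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: %s\r\nAccess-Control-Allow-Credentials: true\r\n\r\n' "$LEGIT" >"$R1"
printf 'HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: %s\r\nAccess-Control-Allow-Credentials: true\r\n\r\n' "$OTHER" >"$R2"
# Responses from an allowlist: map $http_origin to itself only for known origins,
# otherwise to "" (nginx then omits the header), plus "add_header Vary Origin always;"
printf 'HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: %s\r\nAccess-Control-Allow-Credentials: true\r\nVary: Origin\r\n\r\n' "$LEGIT" >"$A1"
printf 'HTTP/1.1 204 No Content\r\n\r\n' >"$A2"
# Response from the wide-open snippet in the answer:
printf 'HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: *\r\n\r\n' >"$W"

echo "question's snippet: $(cors_verdict "$R1" "$R2" "$LEGIT" "$OTHER")"
echo "allowlist:          $(cors_verdict "$A1" "$A2" "$LEGIT" "$OTHER")"
echo "wide-open '*':      $(cors_verdict "$W" "$W" "$LEGIT" "$OTHER")"
if [ "$#" -ge 2 ]; then   # usage: sh cors_check.sh https://api.example.test/path https://app.example.test
    preflight "$1" "$2" "$R1"; preflight "$1" "$OTHER" "$R2"
    echo "live: $(cors_verdict "$R1" "$R2" "$2" "$OTHER")"
fi
```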

Let's Encrypt certificate for site alongside Jitsi Meet

I've a server running Ubuntu 18.04 and Nginx and have a fully functioning instance of Jitsi Meet hosted on it.
On the other hand, I have 2 other sites (one a React front end and the other a backend) and I need them to have SSL certificates, since we are using the Jitsi Meet API from the front end and Chrome is not letting us grant permissions for the mic and camera because the front end is not secure.
So I tried installing certbot and getting a Let's Encrypt certificate, but when I get it and try to restart nginx, it fails.
I think it has something to do with Jitsi using port 443 or something, but I really can't tell...
This is the nginx conf for jitsi domain:
server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name video.<base-domain>;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root <path-to-jitsi>;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name video.<base-domain>;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:E$
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /etc/letsencrypt/live/video.<base-domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/video.<base-domain>/privkey.pem;

    root <path-to-jitsi>;
    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;
    index index.html index.htm;
    error_page 404 /static/404.html;
    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location = /config.js {
        alias /etc/jitsi/meet/video.<base-domain>-config.js;
    }
    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '*';
        alias <path-to-jitsi>/$1/$2;
    }
    # BOSH
    location = /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }
    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }
    location @root_path {
        rewrite ^/(.*)$ / break;
    }
    location ~ ^/([^/?&:'"]+)/config.js$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        alias /etc/jitsi/meet/video.<base-domain>-config.js;
    }
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /http-bind;
    }
    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /xmpp-websocket;
    }
}
This is the nginx conf for the front end domain:
server {
    server_name app.<base-domain> www.app.<base-domain>;
    root <path-to-front>;
    index index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    charset utf-8;

    location / {
        try_files $uri /index.html;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/default-error.log error;
    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app.<base-domain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app.<base-domain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = app.<base-domain>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name app.<base-domain> www.app.<base-domain>;
    listen 80;
    return 404; # managed by Certbot
}
This is the nginx error.log:
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: still could not bind()
I was hoping someone can tell me how I should configure this in order to have both Jitsi and the front end secure.
I will also add that both domains are actually subdomains... meaning the Jitsi domain is video..com
and the front end is app..com
The real config has base-domain and paths correctly specified... If I remove all SSL config from the front end nginx configuration, everything works again.
You should use devops-guide-quickstart. There is a "Generate a Let's Encrypt certificate" section. If you have nginx on your system before installing Jitsi, Jitsi will run with its nginx configuration.
If you need a customized nginx file, here it is. But you should work on it for security concerns.
** For standalone (without Docker), remove
"resolver 127.0.0.1 valid=5s ipv6=off;"
then change the rest of 127.0.0.1 to localhost.
Docker-jitsi-meet Custom Nginx Configuration
server {
    resolver 127.0.0.1 valid=5s ipv6=off;
    listen 80;
    listen [::]:80;
    server_name jitsiConf.domain.com; # managed by Certbot

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
    #rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
}

server {
    resolver 127.0.0.1 valid=5s ipv6=off;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jitsiConf.domain.com; # managed by Certbot

    ssl on;
    ssl_certificate /etc/letsencrypt/live/jitsiConf.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jitsiConf.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;

    proxy_cookie_path / "/; HTTPOnly; Secure";
    add_header Expect-CT "enforce, max-age=21600";
    add_header Feature-Policy "payment none";
    keepalive_timeout 70;
    sendfile on;
    client_max_body_size 0;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # this tells the browser that jitsi can't be embedded in a Frame
    add_header X-Frame-Options "DENY";
    # List of Browser-Features which are allowed / denied for this Site
    add_header Feature-Policy "geolocation 'none'; camera 'self'; microphone 'self'; speaker 'self'; autoplay 'none'; battery 'none'; accelerometer 'none'; autoplay 'none'; payment 'none';";

    ssi on;
    ssi_types application/x-javascript application/javascript;

    # ensure all static content can always be found first
    #location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    #{
    #    add_header 'Access-Control-Allow-Origin' '*';
    #}
    #location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
    #    rewrite ^/(.*)$ / break;
    #}

    location / {
        expires max;
        log_not_found off;
        proxy_cache_valid 200 120m;
        ssi on;
        set $upstream_endpoint http://127.0.0.1:8100;
        proxy_pass $upstream_endpoint;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
    # BOSH
    location /http-bind {
        set $upstream_endpoint http://127.0.0.1:5280;
        proxy_pass $upstream_endpoint/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
    # xmpp websockets
    location /xmpp-websocket {
        set $upstream_endpoint http://127.0.0.1:5280;
        proxy_pass $upstream_endpoint;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        tcp_nodelay on;
    }
}
Also, this configuration will be stuck on a CSP error. Just for test development, this code will allow all CSP risks. You can add it under the line
ssl_session_cache shared:SSL:50m;
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;
CSPallow (sorry, I couldn't find the original post)

Nginx ssl force www to redirect to non www domain

I am trying to set up Nginx to redirect all www.example.com and https://www.example.com requests to https://example.com. Here is my config:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/domain.com/system/nginx-root;

    ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /home/user/.acme.sh/example.com/domain.com.key;
    include /var/www/example.com/system/files/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}
Here are the contents of the ssl-params.conf file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128$
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /var/www/example.com/system/files/dhparam.pem;
I can access example.com and https://example.com but when I try www.example.com and https://www.example.com I get a Your connection is not private error in Chrome and the site is blocked.
Can anyone help me with this?
EDIT:
I added this server block and it did not help:
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /home/user/.acme.sh/example.com/example.com.key;
    include /var/www/example.com/system/files/ssl-params.conf;

    return 301 https://example.com$request_uri;
}

Do I need two separate ssl.conf files if I am hosting multiple domains on same server?

I have installed SSL successfully for my main domain eg. domain.net and www.domain.net
I am now trying to enable SSL into the blog on the website eg. blog.domain.net and www.blog.domain.net
I have gone through the installation and everything has been a success, however after restarting nginx when I visit 'blog.domain.net.conf' it is returning a '403 Forbidden' error now.
I have tried doing:
sudo chown -R root:root /usr/share/nginx/html/*
sudo chown -R dev:dev /usr/share/nginx/html/*
sudo chmod -R 0755 /usr/share/nginx/html/*
along with checking permissions of the site root, but nothing is affecting it. The only thing I can think of that is different between the main domain and the blog is that I do have an ssl.conf file located in my conf.d/ folder that is only specifying the main domain... do I need to add the blog into this file as well? If so, how can I add more than one domain into it if they have different paths?
SSL.CONF
server {
    listen 443 http2 ssl;
    server_name domain.net www.domain.net;

    ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location ~ /.well-known {
        allow all;
    }

    # The rest of your server block
    root /var/www/domain.net/html;
    index index.php index.html index.htm;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
I am also doing a proxy pass for the sub-domain/blog
blog.conf
# upstream ghost {
#     server 127.0.0.1:2000;
# }

server {
    listen 80;
    server_name blog.domain.net www.blog.domain.net;

    access_log /var/log/nginx/ghost.access.log;
    error_log /var/log/nginx/ghost.error.log;

    return 301 https://$server_name$request_uri;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location ^~ /.well-known {
        allow all;
        root /var/www/blog.domain.net/html;
    }
    location / {
        proxy_pass http://127.0.0.1:2000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-blog.domain.net.conf;
    include snippets/ssl-params.conf;
}
Could my proxy pass be what is affecting this?
Any help is appreciated!