I'm building an NginX reverse proxy (Ubuntu Server 22.04.1 - NginX 1.22.1) to open an internal Portal for ArcGIS to extranet.
The reverse proxy listen to 8054 and redirects to 2 internal servers using usual TLS 443 port
Everything works fine except a redirection occurring during Portal's login auth.
In Chrome's console, the info of faulty are :
Request URL: https://myserver.mydomain/portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
Request Method: GET
Status Code: 404
Remote Address: 10.0.128.36:443
Referrer Policy: strict-origin-when-cross-origin
content-encoding: gzip
content-type: text/html
date: Wed, 25 Jan 2023 09:59:31 GMT
server: nginx
vary: Accept-Encoding
:authority: myserver.mydomain
:method: GET
:path: /portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
dnt: 1
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Usual processed URL returns :
Request URL: https://myserver.mydomain:8054/portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
Request Method: GET
Status Code: 200
Remote Address: 10.0.128.36:8054
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
access-control-allow-methods: GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS
access-control-allow-origin: *
access-control-max-age: 1200
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-length: 1416
content-type: text/html;charset=utf-8
date: Wed, 25 Jan 2023 10:51:05 GMT
expires: -1
pragma: no-cache
server: nginx/1.22.1
vary: Origin,Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
:authority: myserver.mydomain:8054
:method: GET
:path: /portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
cache-control: max-age=0
dnt: 1
referer: https://myserver.mydomain:8054/portal/home/signin.html?useLandingPage=true
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
How can I catch, pass, redirect, return, or whatever, the url missing the port 8054 in order to continue auth processing ?
Here are the nginx general and server configs if it may help
Thanks for any help !
nginx.conf
<pre>
user www-data nginx;
worker_processes auto;
error_log /var/log/nginx/main_error.log;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_core 4096;
events {
worker_connections 1024;
multi_accept on;
}
http {
include /etc/nginx/phpconf/php_processes.conf;
include /etc/nginx/mimetypes/mime.types;
client_body_buffer_size 16K;
client_header_buffer_size 1k;
client_max_body_size 12m;
large_client_header_buffers 4 8k;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
access_log /var/log/nginx/main_access.log;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 75s;
send_timeout 60;
keepalive_requests 1000;
proxy_cache_path /var/nginx/cache1 levels=1:2 keys_zone=cache1:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
proxy_cache_path /var/nginx/cache2 levels=1:2 keys_zone=cache2:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
# copies data between one FD and other from within the kernel
# faster than read() + write()
sendfile on;
# Limit whole filesize sending at once
sendfile_max_chunk 512k; #(20220905)
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
tcp_nodelay on;
server_names_hash_bucket_size 64;
types_hash_max_size 2048;
default_type application/octet-stream;
gzip on;
gzip_comp_level 6;
gzip_min_length 256; #(20220605 previous 50)
gzip_proxied any;
gzip_vary on; #(20220605 previous disabled)
gzip_disable “MSIE [1–6]\.(?!.*SV1)”; #(20220605 previous disabled)
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascrip # (20200219)
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/png
image/jpeg
image/x-icon
text/cache-manifest
text/css
text/javascript # (20200219)
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
gzip_buffers 16 8k; #(2020110 previous 4k 8k)
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
##
# Virtual Host Configs
##
# include /etc/nginx/conf.d/default.conf;
include /etc/nginx/conf.d/port8054.conf;
}
</pre>
port8054.conf
<pre>
server {
## Config base : 18/01/2023
listen 8054 ssl http2;
listen [::]:8054 ssl http2;
## Set TLS 1.2 (ArcGIS compliance)
ssl_certificate /etc/nginx/tls/intra/cacert.pem;
ssl_certificate_key /etc/nginx/tls/intra/cakey-stripped.key;
ssl_trusted_certificate /etc/nginx/tls/intra/rootcacert.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384"; # previous : HIGH:!MD5:!ADH:!DH:!RC4:!RSA:!aNULL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 1400;
## Set on after debug
ssl_stapling off;
ssl_stapling_verify off;
server_name myserver.mydomain:8054;
keepalive_timeout 75s;
keepalive_requests 1000;
# access_log /var/log/nginx/port8054-access.log;
## Record errors
error_log /var/log/nginx/port8054-error.log debug;
proxy_http_version 1.1;
## Overwrite proxy response headers
proxy_hide_header access-control-allow-methods;
proxy_hide_header access-control-allow-headers;
proxy_hide_header access-control-allow-origin;
add_header access-control-allow-methods "GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS";
add_header access-control-allow-headers "Origin, X-Requested-With, Content-Type, Accept";
add_header access-control-allow-origin "*";
proxy_hide_header x-aspnet-version;
proxy_hide_header x-powered-by;
proxy_set_header "Connection" "";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
location ^~ /favicon.ico {
}
## PHP files processing
location ~ ^(.+\.php)(.*)$ {
include /etc/nginx/phpconf/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-CF-Powered-By;
## If error 404
try_files $fastcgi_script_name =404;
}
## Set cache for following contents (20201106)
location ~* \.(?:png|jpg|jpeg|gif|ico|svg|otf|ttf|woff|woff2|doc|pdf|css)$ {
include /etc/nginx/proxyparams/proxy_params;
proxy_cache cache1;
proxy_set_header Host $host;
# proxy_pass https://otherserver.mydomain/$1;
# proxy_ssl_verify off;
# add_header X-Cache-Status $upstream_cache_status;
# add_header Pragma "public";
# add_header Cache-Control "max-age=86400, public";
}
location ^~ /portal/ {
proxy_pass https://otherserver.mydomain/portal/;
}
location /10.9.1/{
proxy_pass https://otherserver.mydomain/portal/home/10.9.1/;
}
location /sharing/rest/ {
proxy_intercept_errors on;
proxy_pass https://otherserver.mydomain/portal/sharing/rest/;
}
location ^~ /oauth2/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/oauth2/;
}
location /self/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/portals/self/;
}
location ^~ /nodejs/ {
proxy_http_version 1.1;
include /etc/nginx/proxyparams/proxy_params;
proxy_pass https://thirdserver.mydomain/;
proxy_buffering on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
client_max_body_size 12m;
}
}
</pre>
I'm trying to fix a misbehaving app behind my reverse proxy - basically, it drops absolute URLs into pages.
My conf looks like
...
location /openproject/ {
proxy_set_header Host <internal host>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://<internal host>/openproject/;
sub_filter 'http:<internal url>' 'https:<external url>';
sub_filter_once on;
sub_filter_last_modified on;
}
...
things in <> are replaced to protect my hosts.. and yes the misbehaving app is OpenProject
It doesn't seem to be working and debug doesn't say anything about substitutions happening..
Is there anything that I've done wrong?
nginx -V is
nginx version: nginx/1.18.0 built with OpenSSL 1.1.1k 25 Mar 2021
(running with OpenSSL 1.1.1o 3 May 2022) TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
Found this https://marsbard.github.io/2016-07-30-replace-urls-behind-nginx-reverse-proxy/
seems I needed the config to be:
location /openproject/ {
proxy_set_header Accept-Encoding ""; # no compression allowed or next won't work
sub_filter "http://<internal host>/" "https://<external host>/";
sub_filter_once off;
proxy_set_header Host <internal host>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_pass http://<internal host>/openproject/;
}
I'm facing issue with reverse proxy configured using nginx
The curl is showing that the request is reaching the endpoint and this last send the response and it stuck on nginx.
About to connect() to 127.0.0.1 port 80 (#0)
Trying 127.0.0.1...
Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1
Accept: /
Content-Type: text/xml
SOAPAction: http://tempuri.org/AOI
Content-Length: 1707
Expect: 100-continue
< HTTP/1.1 100 Continue
^C
[root#venom conf.d]#
Below my configuration
server {
listen 80 ;
server_name 80_proxy;
access_log /var/log/nginx/access.log main;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 8k;
server_tokens off;
error_page 497 https://$host:$server_port$request_uri;
root html;
index index.html index.htm;
proxy_redirect http:// $scheme://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
proxy_cookie_path / "/; secure; SameSite=Lax; Max-Age=172800";
chunked_transfer_encoding on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_request_buffering off;
client_body_timeout 5;
proxy_connect_timeout 90;
proxy_buffering off;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; always';
add_header Content-Security-Policy "script-src 'self';";
location / {
proxy_send_timeout 2100;
proxy_read_timeout 2100;
client_max_body_size 10M;
proxy_ssl_certificate /etc/ssl/cert.crt;
proxy_ssl_certificate_key /etc/ssl/cert.key;
proxy_ssl_trusted_certificate /etc/ssl/cert_ca.crt;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_pass https://10.34.22.33:801;
}
}
Thanks in advance
I migrated to Nginx, but i cannot find the solution for my problem.
On apache, I had 1 virutal host with ssl and specific port.
The apache config seems like this:
<VirtualHost *:443>
ServerAdmin info#example.com
ServerName example.in
DocumentRoot /paht/to/web/files
SSLEngine on
SSLCertificateFile /ssl/certificate
SSLCertificateKeyFile /ssl/key_file
SSLCACertificateFile /ssl/ca.cer
</VirtualHost>
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECD$
SSLHonorCipherOrder on
<Directory /path/to/my/web>
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
<VirtualHost *:9092>
ServerAdmin info#example.com
ServerName example.in
DocumentRoot /paht/to/web/files
DocumentRoot /another/path/to/api
SSLEngine on
SSLCertificateFile /path/to/webcer
SSLCertificateKeyFile /path/to/webkey
SSLCACertificateFile /path/to/ca.cer
<Directory /another/path/to/api>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/api_cable_error.log
CustomLog ${APACHE_LOG_DIR}/api_cable_access.log combined
When I openend https://example.in:9092, it worked without any troubles.
But when I set this up in nginx configuration, i am still getting 'certificate is not valid' error on HTTPS. The Nginx config seems to be:
server {
listen 80;
listen 9092;
server_name example.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/web/example/com;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 9092 ssl http2;
listen [::]:9092 ssl http2;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S$
ssl_prefer_server_ciphers on;
ssl_certificate /path/to/cert
ssl_certificate_key path/to/key
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /another/path/to/files;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
Does anyone have experiences how to get this working?
Thanks.
Fixed. I created new config file:
server {
listen 9092 ssl;
# IPv6 Listening
# Uncomment to allow nginx to listen on IPv6
#listen [::]:80;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_certificate /my/fullchain.pem;
ssl_certificate_key /my/privkey.pem;
ssl_stapling on;
ssl_stapling_verify off;
ssl_dhparam /my/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name example.com;
root /path/to/files;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html index.php;
client_max_body_size 1024M;
try_files $uri $uri/ /index.php?$args;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $document_root/$fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
The issue was probably in rewrite rule in first server section:
rewrite ^ https://$server_name$request_uri? permanent;
Removed it and everything is working.
disable all
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
#ssl_stapling on;
#ssl_stapling_verify off;
#ssl_dhparam /my/dhparam.pem;
# ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
and make sure
ssl_certificate /my/letsencrypt/cert
ssl_certificate_key /my/letsencrypt/key;
/my/letsencrypt/cert and /my/letsencrypt/key ssl files at right place and there valid
When I enable SSL on NGINX, and I upload a file larger than 7MB, the file upload does not complete. This works fine if I remove NGINX and just put the SSL directly onto sails. I get the following from the debug file as if I am receiving a status 200 before the file is complete:
2017/01/24 12:25:16 [debug] 2645#2645: *5 sendfile: 1899007 of 54230479 #4670513
2017/01/24 12:25:16 [debug] 2645#2645: *5 chain writer out: 0000564D9740D5D0
2017/01/24 12:25:16 [debug] 2645#2645: *5 event timer: 14, old: 1485260776372, new: 1485260776465
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream request: "/api/v1/project/56cd9e2aeabf5be95d6e9b35/report/?"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream process header
2017/01/24 12:25:16 [debug] 2645#2645: *5 malloc: 0000564D9740F870:4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: eof:0, avail:1
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: fd:14 413 of 4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy status 200 "200 OK"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Vary: X-HTTP-Method-Override"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "X-Powered-By: Sails <sailsjs.org>"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Origin: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Credentials: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 posix_memalign: 0000564D97410880:4096 #16
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Methods: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Expose-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Type: application/json; charset=utf-8"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Length: 94"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A""
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Date: Tue, 24 Jan 2017 12:25:16 GMT"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Connection: keep-alive"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header done
2017/01/24 12:25:16 [debug] 2645#2645: *5 xslt filter header
2017/01/24 12:25:16 [debug] 2645#2645: *5 HTTP/1.1 200 OK^M
Server: nginx/1.11.8^M
Date: Tue, 24 Jan 2017 12:25:16 GMT^M
Content-Type: application/json; charset=utf-8^M
Content-Length: 94^M
Connection: keep-alive^M
Vary: X-HTTP-Method-Override^M
X-Powered-By: Sails <sailsjs.org>^M
Access-Control-Allow-Origin: ^M
Access-Control-Allow-Credentials: ^M
Access-Control-Allow-Methods: ^M
Access-Control-Allow-Headers: ^M
Access-Control-Expose-Headers: ^M
ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A"^M
Below is my nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
send_timeout 60s;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60s;
client_max_body_size 0;
client_body_buffer_size 32K;
ssl_dhparam /ssl/dhparam.pem;
client_body_in_file_only clean;
client_body_in_single_buffer on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/sites-enabled/*;
}
Here is my sites-available\default file:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mysite.co.uk;
client_max_body_size 0;
client_body_buffer_size 32K;
location / {
client_body_temp_path /tmp/;
client_max_body_size 0;
client_body_buffer_size 32K;
keepalive_timeout 60s;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /ssl/mykey.pem;
ssl_certificate_key /ssl/mykey.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:128m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA$
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
}
Any ideas?