Nginx - Using conf filename as server_name, instead of server_name itself - ssl

We're actually trying to set up a simple Nginx config, but we're losing our heads over this conf as nginx is doing a strange job:
We've set up 2 sub-domains on a clean Nginx install from yesterday:
Domain 1:
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
    server localhost:58033;
}
server {
    listen 80;
    listen [::]:80;
    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
        proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
        proxy_connect_timeout 1200;
        proxy_send_timeout 1200;
        proxy_read_timeout 1200;
        send_timeout 1200;
        client_max_body_size 100M;
    }
}
Domain 2:
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
    server localhost:58033;
}
server {
    listen 80;
    listen [::]:80;
    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
        proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
        proxy_connect_timeout 1200;
        proxy_send_timeout 1200;
        proxy_read_timeout 1200;
        send_timeout 1200;
        client_max_body_size 100M;
    }
}
Actually, we're having SSL problems on domain 2: Firefox (and Chrome as well) say that the domain 2 SSL certificate is not trusted, as domain 2 is being served the cert of domain 1, which does not cover it.
We can't understand why the server_name property is not working. From our point of view, nginx should be using the domain 2 cert when any visitor reaches 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com.
One more specification:
I've updated the server_names_hash_bucket_size to 512 as we're using long subdomains.
"FUN" fact:
When we rename the domain 2 config file from /etc/nginx/sites-enabled/820528fd-a13f-496a-b124-8973f4367db6.conf to /etc/nginx/sites-enabled/000-820528fd-a13f-496a-b124-8973f4367db6.conf, the right cert is served.
In that case, we're thinking that, for a reason that we couldn't find, nginx is using the filename as the server_name property, instead of the server_name prop we've set up in the file, and for another reason only using the first config file found in /etc/nginx/sites-enabled.
Any ideas?
Thanks for your support by the way,
Regards,

Related

NGINX - One to many server same port

I have this setup of NGINX as a reverse proxy.
server {
    listen 443 ssl;
    server_name site1.example.com;
    ssl_certificate /home/efwm/efwmsw/certificate/example.com.cer;
    ssl_certificate_key /certificate/example.com.key;
    location / {
        proxy_pass http://127.0.0.1:8010;
    }
}
server {
    listen 443 ssl;
    server_name site2.example.com;
    ssl_certificate /certificate/example.com.cer;
    ssl_certificate_key /certificate/example.com.key;
    location / {
        proxy_pass http://127.0.0.1:8020;
    }
}
server {
    listen 443 ssl;
    server_name site3.example.com;
    ssl_certificate /certificate/example.com.cer;
    ssl_certificate_key /certificate/example.com.key;
    location / {
        proxy_pass http://192.168.1.50:8000;
    }
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
For the first two servers everything works fine, but requests to the third server get: ERR_CONNECTION_REFUSED.
I'll add that the first two services are contained in docker on the same server where NGINX runs, while the third is an autonomous server. Nothing is written in the error log. Of course I tried calling the exposed service on the third server directly and it works. Any suggestion is welcome. Thank you.

NGINX reverse proxy for port 8765 with SSL is not working

I have an Nginx server with SSL. When I use proxy_pass to http://127.0.0.1:8765 with SSL added, it's giving "This site can’t be reached". Without SSL it was working correctly. If I send a request as http://domain-name:8765 in a web browser it gives the output correctly. Below is my configuration:
server {
    server_name domain-name.in;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;
    location / {
        proxy_pass http://127.0.0.1:8765;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain-name.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain-name.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = domain-name.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name domain-name.in;
    return 404; # managed by Certbot
}

no "ssl_certificate" is defined for the "listen ... ssl" directive

I am trying to configure an nginx server for my website. I am using the following code to configure my server. It works if I add default_server to my www.fastenglishacademy.fr (443) server block.
But in that case, all my subdomains also bring up the content of www.fastenglishacademy.fr.
And if I remove the default_server, I get the following error:
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/fastenglishacademy.fr.conf:14
nginx: configuration file /etc/nginx/nginx.conf test failed
My nginx configuration:
server {
    listen 80;
    listen [::]:80;
    server_name fastenglishacademy.fr;
    return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
    listen 80;
    listen [::]:80;
    server_name www.fastenglishacademy.fr;
    return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name fastenglishacademy.fr;
    return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /media/fea/www/fastenglishacademy.com;
    index index.html index.htm index.nginx-debian.html;
    server_name www.fastenglishacademy.fr;
    location / {
        etag on;
        try_files $uri$args $uri$args/ /index.html;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|ttf|woff2|woff|svg)$ {
        expires 365d;
    }
    location ~* \.(css|js)$ {
        expires 30d;
    }
    location ~* \.(pdf)$ {
        expires 15d;
    }
    #WARNING: Please read before adding the lines below!
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # SSL Certificates
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_trusted_certificate /path/to/chain.pem;
}
My links:
https://www.fastenglishacademy.fr/
https://api.fastenglishacademy.fr/
Your server section is missing ssl_certificate and ssl_certificate_key declarations.
You need to have a .crt and a .key file to run with ssl.
It should look like
server {
    listen 80;
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    ... other declarations
}
Had the same problem.
Adding the directive
ssl on;
solved my problem.
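A load-order audit of ssl server blocks, added here as an example that is not code from any of the posts above: it lists every server block with an ssl listen in the order nginx reads sites-enabled, marks the block nginx falls back to when no server_name matches the client's SNI name (the first one loaded, unless a listen carries default_server, which is what the file-rename experiment in the first question and the default_server advice in this one both change), and flags blocks that would raise the no "ssl_certificate" error quoted above. The parser, the sorted-filename assumption and the sample configs are mine and constructed; names are shortened from the first question.

```python
"""Audit the TLS server blocks nginx loads from sites-enabled (added example, not
from any post above; assumes sites-enabled/* is included in sorted filename order)."""
import re

def server_blocks(text):
    """Return the body of every 'server { ... }' block, brace-balanced."""
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def directive(body, name):
    """All values of a directive in this block, '#' comments stripped."""
    clean = re.sub(r"#[^\n]*", "", body)
    return [v.strip() for v in re.findall(rf"^\s*{name}\s+([^;]+);", clean, re.M)]

def audit(configs):
    """configs: {filename: text} -> TLS server entries in nginx load order. 'default' is
    the block served when no server_name matches the SNI name (first loaded, unless a
    listen says default_server); 'missing_cert' = no ssl_certificate in the block."""
    entries = []
    for fname in sorted(configs):
        for body in server_blocks(configs[fname]):
            listens = directive(body, "listen")
            if not any("ssl" in l.split() for l in listens):
                continue
            certs = directive(body, "ssl_certificate")
            entries.append({"file": fname, "server_name": " ".join(directive(body, "server_name")),
                            "cert": certs[0] if certs else None, "missing_cert": not certs,
                            "explicit": any("default_server" in l.split() for l in listens)})
    default = next((i for i, e in enumerate(entries) if e["explicit"]), 0)
    for i, e in enumerate(entries):
        e["default"] = i == default
    return entries

# Constructed sample (names shortened from the question): domain 2's file sorts
# after domain 1's, and a redirect-only block carries no certificate at all.
SAMPLE = {
    "820528fd.conf": "server {\n listen 443 ssl;\n server_name 820528fd.app.foobar.com;\n location / { proxy_pass http://127.0.0.1:58033; }\n"
                     " ssl_certificate /etc/letsencrypt/live/820528fd/fullchain.pem; # managed by Certbot\n}\n",
    "430750ef.conf": "server {\n listen 80;\n server_name 430750ef.app.foobar.com;\n return 301 https://$host$request_uri;\n}\n"
                     "server {\n listen 443 ssl;\n server_name 430750ef.app.foobar.com;\n ssl_certificate /etc/letsencrypt/live/430750ef/fullchain.pem;\n}\n",
    "redirect.conf": "server {\n listen 443 ssl http2;\n server_name fastenglishacademy.fr;\n"
                     " return 301 https://www.fastenglishacademy.fr$request_uri;\n}\n",
}
REPORT = audit(SAMPLE)  # REPORT[0]["default"] is True for 430750ef.conf; redirect.conf has missing_cert
```

Point it at real files by building the dict from `Path("/etc/nginx/sites-enabled").iterdir()`; a block that inherits ssl_certificate from the http context will show as missing_cert here even though nginx accepts it.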

Proxy Neo4j binary bolt protocol using nginx to add encryption and authentication

It is possible to use nginx to proxy Neo4j's http protocol to add encryption and authentication:
server {
    server_name graph.example.org;
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    include snippets/ssl-params.conf;
    location / {
        proxy_pass http://localhost:7471/;
        auth_basic "restricted";
        auth_basic_user_file /path/to/users;
    }
}
But I do not know how to proxy the bolt connection; a pseudo-configuration that contains all the necessary info:
server {
    server_name graph.example.org;
    listen 7687 ssl;
    listen [::]:7687 ssl;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    include snippets/ssl-params.conf;
    <some ‘location’ directive> {
        <some-proxy-directive> localhost:7686;
        # dbms.connector.bolt.address=localhost:7686
        auth_basic "restricted";
        auth_basic_user_file /path/to/users;
    }
}
Given that location does not make sense in this context and that proxy_pass needs an http(s)-based URL, this pseudo-configuration is probably not close to the wanted one.
In an answer to the question “Is it possible to forward NON-http connecting request to some other port in nginx?”, the stream-core module is suggested. But it is not clear to me how I'd use it. Would the following work (I have not yet been able to test this)?
stream {
    server {
        server_name graph.example.org;
        listen 7687 ssl;
        listen [::]:7687 ssl;
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        include snippets/ssl-params.conf;
        auth_basic "restricted";
        auth_basic_user_file /path/to/users;
        proxy_pass localhost:7686;
        # dbms.connector.bolt.address=localhost:7686
    }
}
Perhaps directives need to be modified or more directives need to be added to make this work?

nginx simple SSL connection

I am new to setting up a simple SSL connection using nginx. The config I wrote below is accessible but it is not running with SSL. What am I missing?
My test site is just a simple index.html. My certificate and key are saved in /etc/ssl/certs.
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass https://example.com:443;
    }
}
server {
    listen 443;
    root /home/deploy/test;
    ssl on;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
}
You have to redirect non-HTTPS to HTTPS, not proxy pass.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 443;
    server_name example.com;
    root /home/deploy/test;
    ssl on;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
}