I faced problem with connecting via wss to my service, when i do it in ws way everyting is ok, but in wss I got error like:
type: 'error',
message: 'write EPROTO 584:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\\ws\\deps\\openssl\\openssl\\ssl\\record\\ssl3_record.c:332:\n',
error: Error: write EPROTO 584:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:332:
at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:92:16) {
errno: 'EPROTO',
code: 'EPROTO',
syscall: 'write'
}
#edit according to my comment, I'm using this configuration for ssl in nginx:
location / {
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
proxy_pass http://<server ip="">:<server port="">;
proxy_http_version 1.0;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
https://www.nginx.com/blog/websocket-nginx/#comment-4370665656
#edit2
This is my nginx configuration:
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 100M;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
This is from file nginx.conf, there is no other configuration files expect this one with websocket config.
you should try
ssl_prefer_server_ciphers off;
Related
I'm having a lot of trouble with setting up the docker image: collabora/code:latest behind my reverse proxy. My nextcloud instance (which has a similar setup and is working fine) can't connect to the server. However inside admin settings of Nextcloud Office I get Collabora Online server is reachable. when I connect through https://code.foo.tld. The first docker log shows the error I get inside my code docker container. If I try to create/open any files with Nextcloud Office I just get the error: Document loading failed - Failed to load Nextcloud Office - please try again later.
I already did a lot of research and found multiple related topics stating exactly the same problem. Most of them however are multiple years old and I couldn't find a solution that worked for me, which is why I am opening a new topic on this.
All relevant logs, configs and docker files should be listed below.
If you have any additional questions, feel free to let me know! I would be glad if someone could help me with this because I've been struggling setting it up for 2 days now!
I can reach https://code.foo.tld/hosting/discovery and https://code.foo.tld/hosting/capabilities, but https://code.foo.tld/cool or https://code.foo.tld/cool/adminws show me a blank page (it is reachable tho).
https://code.foo.tld shows me a 404 as expected.
Unnecessary/Private information in the following snippets is either left out or replaced with random words/letters.
docker log (code)
Ready to accept connections on port 9980.
dateTtime.num0Z
wsd-num1-num2 date time.num3 +0000 [ websrv_poll ] WRN convert-to: Requesting address is denied: z.z.z.z| wsd/COOLWSD.cpp:3507
wsd-num1-num1 date time.num4 +0000 [ coolwsd ] WRN Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| net/Socket.hpp:727
docker-compose.yml
version: "3.9"
services:
reverse-proxy:
image: "nginx:stable-alpine"
container_name: "reverse-proxy"
networks:
frontend:
ipv4_address: "x.x.x.x"
backend:
ipv4_address: "y.y.y.y"
hostname: "reverse-proxy"
"..."
nextcloud-webserver:
image: "nginx:stable-alpine"
"..."
nextcloud:
image: "nextcloud:stable-fpm-alpine"
"..."
networks:
frontend:
ipv4_address: "x.x.x.x"
backend:
ipv4_address: "y.y.y.y"
"..."
nextcloud-database:
image: "yobasystems/alpine-mariadb"
"..."
code-web:
image: "nginx:stable-alpine"
container_name: "code-web"
networks:
backend:
ipv4_address: "y.y.y.y"
hostname: "code-web"
depends_on:
- "code"
"..."
code:
image: "collabora/code:latest"
container_name: "code"
networks:
frontend:
ipv4_address: "x.x.x.x"
backend:
ipv4_address: "y.y.y.y"
hostname: "code"
restart: "always"
env_file:
- "~/dock/code/code.env"
networks:
frontend:
internal: false
ipam:
config:
- subnet: "x.x.x.x/x"
gateway: "x.x.x.x"
backend:
internal: true
ipam:
config:
- subnet: "y.y.y.y/y"
gateway: "y.y.y.y"
~/dock/code/code.env
aliasgroup1="https://nextcloud.foo.tld:443"
DONT_GEN_SSL_CERT="true"
extra_params="--o:ssl.enable=false --o:ssl.termination=true"
password='password'
server_name="hostname-app"
username="username"
These are the relevant nginx configs. A lot of stuff is left out and any include statements are replaced with the files that they include.
reverse-proxy.conf
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log;
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /run/nginx.pid;
# https://nginx.org/en/docs/ngx_core_module.html#include
include /usr/share/nginx/modules/*.conf;
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
worker_connections 1024;
}
# https://nginx.org/en/docs/http/ngx_http_core_module.html#http
http {
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log combined;
# https://nginx.org/en/docs/ngx_core_module.html#include
include /etc/nginx/mime.types;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
default_type application/octet-stream;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
listen 443 ssl http2;
listen [::]:443 ssl http2;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
ssl_protocols TLSv1.3;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve
ssl_ecdh_curve secp384r1;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
ssl_prefer_server_ciphers on;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
ssl_dhparam /etc/nginx/certs/dhparam.pem;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:SSL:10m;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
ssl_session_timeout 10m;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
ssl_session_tickets off;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
ssl_stapling on;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify
ssl_stapling_verify on;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
ssl_verify_client on;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
ssl_client_certificate /etc/nginx/certs/authenticated_origin_pull_ca.pem;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
ssl_trusted_certificate /etc/nginx/certs/origin_ca_ecc_root.pem;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
ssl_certificate /etc/nginx/certs/foo.tld.pem;
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key
ssl_certificate_key /etc/nginx/certs/foo.tld.key;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
server_name code.foo.tld;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location / {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
proxy_http_version 1.1;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_bypass
proxy_cache_bypass $http_upgrade;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
proxy_read_timeout 90;
# https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/httpheaders.htm
proxy_set_header X-Real-IP $remote_addr;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
proxy_set_header X-Forwarded-Proto $scheme;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $host;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
proxy_set_header X-Forwarded-Host $host;
# https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/httpheaders.htm
proxy_set_header X-Forwarded-Port $server_port;
# https://nginx.org/en/docs/http/websocket.html
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
proxy_set_header Upgrade $http_upgrade;
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
proxy_set_header Connection 'upgrade';
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-web:80/;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
proxy_redirect http://hostname-web:80 https://code.foo.tld;
}
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=15780000; includeSubDomains; preload" always;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip
gzip off;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nodelay
tcp_nodelay on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 65;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types_hash_max_size
types_hash_max_size 4096;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
client_max_body_size 0;
}
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
listen 80;
listen [::]:80;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
server_name _;
# https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return
return 301 https://$host$request_uri;
}
}
web-server.conf
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log;
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /run/nginx.pid;
# https://nginx.org/en/docs/ngx_core_module.html#include
include /usr/share/nginx/modules/*.conf;
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
worker_connections 1024;
}
# https://nginx.org/en/docs/http/ngx_http_core_module.html#http
http {
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log combined;
# https://nginx.org/en/docs/ngx_core_module.html#include
include /etc/nginx/mime.types;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
default_type application/octet-stream;
#https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-nginx-config-ssl-termination
########## START collabora ##########
# https://nginx.org/en/docs/http/ngx_http_upstream_module.html#server
server {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
listen 80 default_server;
listen [::]:80 default_server;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
server_name sub.foo.tld;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
## STATIC FILES ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /browser {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
}
## WOPI DISCOVERY URL ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /hosting/discovery {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
}
## CAPABILITIES ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /hosting/capabilities {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
}
## DOWNLOAD, PRESENTATION & IMAGE UPLOAD ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ~ ^/(c|l)ool {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
}
## MAIN WEBSOCKET ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ~ ^/cool/(.*)/ws$ {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
# https://nginx.org/en/docs/http/websocket.html
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
proxy_set_header Upgrade $http_upgrade;
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
proxy_set_header Connection "Upgrade";
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
proxy_read_timeout 36000s;
}
## ADMIN CONSOLE WEBSOCKET ##
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /cool/adminws {
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
proxy_pass http://hostname-app:9980;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $http_host;
# https://nginx.org/en/docs/http/websocket.html
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
proxy_set_header Upgrade $http_upgrade;
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
proxy_set_header Connection "Upgrade";
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
proxy_read_timeout 36000s;
}
########## END collabora ##########
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy "no-referrer";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
add_header X-Download-Options "noopen";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
add_header X-Permitted-Cross-Domain-Policies none;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
add_header X-Robots-Tag none;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip
gzip on;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_vary
gzip_vary on;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_comp_level
gzip_comp_level 4;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_min_length
gzip_min_length 256;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_proxied
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_types
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nodelay
tcp_nodelay on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 65;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types_hash_max_size
types_hash_max_size 4096;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
client_max_body_size 512M;
# https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_buffers
fastcgi_buffers 64 4K;
# https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_hide_header
fastcgi_hide_header X-Powered-By;
}
}
Note: I already asked this question on the Collabora Online Forum , but I don't know if it's actually active enough or will help me in any reasonable time.
I looked at following articles:
https://help.nextcloud.com/t/nginx-collabora-behind-nginx-reverse-proxy/77889
https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html
https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-nginx-config-ssl-termination
Jelastic - Collabora Online with Next Cloud without ssl (for testing)
and some more, but I'd assume that they are outdated/don't apply to my setup because nothing I've tried worked!
I was used to serving static files through express static but want to move to Nginx. I keep my static files in a public folder: /home/user/Documents/app.com/CURRENT PROJECT/public/.
On my websites they are called like this: app.com/css/styles.js, app.com/fonts/font.woff2, app.com/js/main.js.
I wasn't able to figure it out with nginxs examples. When I tried my config they just returned 302 codes. I have tried these versions of the config + I have the entire version bellow if anyone needs it for reference.
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
}
#for each path
location /css/ {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
}
Full:
/etc/nginx/nginx.conf
user www-data;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 8192;
multi_accept on;
}
http {
upstream loadbalance {
least_conn;
server app:8003;
}
limit_req_zone $binary_remote_addr zone=ip:10m rate=4r/s;
http2_push_preload on;
server {
listen 80;
listen 443 ssl http2;
server_name www.app.com;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
return 301 https://app.com$request_uri;
}
server {
limit_req zone=ip burst=20 delay=14;
server_name app.com;
##
# SSL Settings
##
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
# added
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
#add_header Cache-Control private;
}
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://loadbalance;
}
}
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 32 16k;
gzip_http_version 1.1;
gzip_min_length 1024;
gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
client_body_timeout 16;
client_body_buffer_size 12K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
access_log off;
error_log /dev/null;
include servers/*;
}
I recently acquired a domain name that I want to point to my home server. It worked very well before I tried to implement SSL. Since then I get this error when I try to access https://cloud.mydomain.com/:
SSL_ERROR_RX_RECORD_TOO_LONG
I don't know how to debug on this at all.
With my host here is my config:
mydomain.com. A [my external IP]
cloud.mydomain.com. CNAME mydomain.com.
On my server I have this:
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}
set_real_ip_from 127.0.0.1;
set_real_ip_from 192.168.1.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
# include /etc/nginx/proxy.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
# include /etc/nginx/ssl.conf;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# include /etc/nginx/header.conf;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Frame-Options "SAMEORIGIN";
# include /etc/nginx/optimization.conf;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 192.168.1.1 valid=30s;
resolver_timeout 5s;
# include /etc/nginx/conf.d/*.conf;
# etc/nginx/conf.d/nextcloud.conf;
server {
server_name cloud.mydomain.com;
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name cloud.mydomain.com;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
#SOCIAL app enabled? Please uncomment the following row
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
#WEBFINGER app enabled? Please uncomment the following two rows.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
client_max_body_size 10240M;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ~ \.(?:flv|mp4|mov|m4a)$ {
mp4;
mp4_buffer_size 100M;
mp4_max_buffer_size 1024M;
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+).php(?:$|\/) {
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
expires 360d;
}
}
}
Here is the command I ran to generate the certificates:
sudo certbot --nginx -d mydomain.com -d cloud.mydomain.com
Note that when I access it from the local network with the address of the machine I have the certificate and the nextcloud is displayed.
My router is configured to transfer calls 80 and 443 on my machine and I can see the logs on /var/log/nginx/access.log
When I run the command:
openssl s_client -connect cloud.mydomain.com:443 -servername mydomain.com
I have the following result:
CONNECTED(00000003)
140509444985920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Would you know how to debug this please?
I'm trying to set up SSL on my nginx server, it works on the plain site which is just the nginx welcome default page, but when I try any of the configured proxy_pass locations I get a cloudflare 526 Invalid SSL certificate error which rapidly flicks to a 502 bad gateway. The certificate I'm using is self signed and cloudflare SSL is set to full (not strict).
This is the error I get on my logs:
2017/11/28 22:59:10 [error] 11457#11457: *2 upstream prematurely closed connection while reading response header from upstream, client: 141.101.104.32, server: web1.olympiccode.net, request: "GET /r/ HTTP/1.1", upstream: "http://127.0.0.1:2000/r/", host: "web1.olympiccode.net", referrer: "https://web1.olympiccode.net/r"
This is my config:
user www-data;
worker_processes 1;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
send_timeout 1800;
sendfile on;
keepalive_timeout 6500;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name web1.olympiccode.net;
return 200 "hi";
}
# HTTPS server
server {
listen 443 ssl;
server_name web1.olympiccode.net;
root /usr/share/nginx/html;
ssl on;
location / {
try_files $uri $uri/ =404;
}
location /r/ {
auth_basic "RethinkDB - Web Panel";
auth_basic_user_file /etc/nginx/.rethinkdb.pass;
proxy_pass http://localhost:2000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
location /status/ {
proxy_pass http://localhost:19999;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
}
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
I am using the X-Accel-redirect feature of Nginx for playing videos with a php file named video2.php with the following code:
header("X-Accel-Redirect: /Restr/" . $file);
(of course, much more executable code before, not necessary by now)
I also have the following file, pla.php, with 2 players embedded:
First player as source src="http://example.com/video2.php" type="video/mp4", The second as source src="video2.php" type="video/mp4"
First player works and second doesn't when I am in https mode.
Both players work when I am in http mode. The first player plays in https because the full link in http.
That means Nginx works fine with SSL in all cases but one. X-Accel-redirect feature is not working when the domain is set to https. It works perfectly in http mode.
The nginx.conf is
user nobody;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events
{
worker_connections 1024;
use epoll;
}
http
{
open_file_cache max=5000 inactive=30s;
open_file_cache_valid 120s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
open_log_file_cache max=1024 inactive=30s min_uses=2;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 5;
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_http_version 1.1;
gzip_min_length 1000;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml application/javascript application/json;
ignore_invalid_headers on;
client_header_timeout 3m;
client_body_timeout 3m;
client_max_body_size 200m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
proxy_temp_path /tmp/nginx_temp;
log_format bytes_log "$msec $bytes_sent .";
include /etc/nginx/conf.d/*.conf;
}
In xxx.xxx.xxx.xx.conf
server {
listen xxx.xxx.xxx.xx:82;
access_log /var/log/nginx/access.xxx.xxx.xxx.xx.log;
error_log /var/log/nginx/error.xxx.xxx.xxx.xx.log;
server_name xxx.xxx.xxx.xx;
root /usr/local/apache/htdocs;
location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot)\$ {
expires 7d; #Comment this out if you are using the apache backend cache-control/expires headers.
try_files \$uri \#backend;
}
error_page 405 = \#backend;
error_page 500 = \#custom;
add_header X-Cache "HIT from Backend";
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location \#backend {
internal;
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location \#custom {
internal;
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location ~ .*\.(php|jsp|cgi|pl|py)?\$ {
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location ~ /\.ht {
deny all;
}
}
It seems here is the key, all is set to http only, not https.
the code of proxy.inc below from etc/nginx/
proxy_buffering off;
proxy_connect_timeout 59s;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_redirect off;
proxy_hide_header Vary;
proxy_hide_header X-Powered-By;
proxy_set_header Accept-Encoding '';
#If you want to get the cache-control and expire headers from apache, comment out 'proxy_ignore_headers' and uncomment 'proxy_pass_header Expires;' and 'proxy_pass_header Cache-Control
#proxy_pass_header Expires;
#proxy_pass_header Cache-Control;
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Any help will be apreciated