I have reissue my domain Certificate , then I've update certificate and key files for my servers it works only on one of them and get ERR_SSL_PROTOCOL_ERROR problem for others although all these servers use subdomains of the same domain . I have no idea where to look and how to trubleshooting this problem .
My question is : what would make ssl certificate work on one server and not work to another Although two servers use subdomains of same domain?
would you help me please ..
nginx configuration
server {
#listen 80;
#listen [::]:80;
# SSL configuration
#
ssl on;
ssl_certificate /etc/nginx/sites-available/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/sites-available/ssl/mykey.key;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-
Requested-With, Content-Type, Accept";
try_files $uri $uri/ /index.php?$query_string;
}
server {
listen 80;
listen [::]:80 ;
server_name mydomain;
return 301 https://mydomain$request_uri;
}
Related
I am using certbot to create a SSL for my website and use Nginx for serve. However, even if I change the server block in nginx conf and restart it, only the original http work but https will return ERR_CONNECTION_TIMED_OUT.
I've tried many way on the internet, including split the server block into two, adjust the listen 443 setting, add server_name...but all of them seems not work, using url with https will return ERR_CONNECTION_TIMED_OUT.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
is there any want to enable the https in nginx? I'm sure the pem key is work and I think the problem is my conf setting...
Try this
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
Also Note that it's better to add your domain here
server_name www.example.com example.com;
Then restart nginx
sudo service nginx restart
I have a flask app running on port 8000 of my droplet on digital ocean. I needed to enable ssl on this server with Nginx, and I can connect to my main port without any problem. But when trying to connect to funders-api.ninja:8000 I can't get access. Here's my default config
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name funders-api.ninja www.funders-api.ninja;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = www.funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name funders-api.ninja www.funders-api.ninja;
return 404; # managed by Certbot
}
This is basicly de config made with Cerbot, but I would like to acces port 8000 com https.
thats a misconfigured section - the example.com server section is commented out in your config file, and at port 8000 you are listening with server name of funders-api.ninja www.funders-api.ninja
I'm having problems getting domains to work using nginx when you include www. in the url.
mydomain.com --> Working but www.mydomain.com --> Not
Working
Config file:
server {
listen 80;
listen [::]:80;
#server_name git.mydomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name git.www.mydomain.com;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certific$
ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH$
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
location / {
try_files $uri $uri/ =404;
}
}
Can you help me? Thank you!
You need to set up the server names you want Nginx to serve from.
server {
listen 80;
listen [::]:80;
server_name mydomain.com www.mydomain.com;
return 301 https://$host$request_uri;
}
So you list the names you want separated by spaces.
I assume that you want to redirect all your www and non-www traffic to https with the server name you have set up in the https configuration, and that your https server name is right.
i want to force ssl on my website and redirect non-www to www. I read lots of guides and tried the sample configurations but did not fully worked.
With my config it gives me too many redirects error
This is my config
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
server_name mydomainname.com www.mydomainname.com;
return 301 https://www.mydomainname.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl default_server;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
server_name mydomainname.com;
return 301 https://www.mydomainname.com$request_uri;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/blog;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location ~ /.well-known {
allow all;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Please give me some advice.
You need to separate your 443 server block into two. For example:
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
return 301 https://www.mydomainname.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
server_name www.mydomainname.com;
...
}
So the default secure server redirects to your secure www server. See this document for more. This also assumes that the certificate is valid for both the www and non-www server names.
I am struggling on how to force SSL on my website (nginx). I would like to force a redirect from both "http://www.example.com" and "http://example.com" to "https://example.com" (without any www).
The code I wrote currently can catch "http://www.example.com" but does not catch "http://example.com", it seems to infinite loop a redirection. I'm pretty sure it has something to do with the "server_name". I tried swapping it up a down inside the "server { ... }" brackets and stuff but it still does not behave the way I would like it.
Here is my nginx conf
server {
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
server_name example.com;
root /var/www/example.com;
index index.html index.php index.htm;
location / {
include /etc/nginx/conf/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
server {
#listen 443 spdy default deferred;
ssl on;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-[...]';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/myssl/dhparams/dh2048-group14.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security max-age=15768000;
}
You'll want to configure each of your server blocks to specifically listen to a certain port, such as the following:
server {
listen 80;
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name www.example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
[remaining example.com configuration here]
}
This says listen on HTTP (port 80) for requests to http://www.example.com and http://example.com and redirect them to https://example.com. The second block listens for https://www.example.com and redirects to https://example.com. Then, the final block listens for SSL/SPDY requests to https://example.com.
Add your remaining HTTPS-only configuration to the second block, which looks to be essentially merging the second and third blocks.
The following is now demonstrated in the example: You will need to add another server block if you want your server to respond or redirect users accessing https://www.example.com & thus you may require a second valid SSL certificate (one for www.example.com and one for example.com). Alternatively, a wildcard certificate or a certificate with alternate DNS names would work for both circumstances.
Also ensure that no other conflicting configuration files are present in your configuration directory (eg /etc/nginx/conf.d or /etc/nginx/sites-enabled; depending on your platform).
Edited: expanded based on other information given.