I have NGINX set up as a reverse proxy to serve a Node server from a single Ubuntu 18.04 EC2 instance (NGINX and the Node server are both on the same instance). Certbot installed and configured successfully, and HTTP routes are coming through with no issue, but when I try to hit an HTTPS endpoint I get ERR_CONNECTION_CLOSED on my client (which is hosted on GH-Pages, but I don't think that's relevant?).
My EC2 instance is set up to accept all traffic on ports 80 and 443; my server is listening on port 3333.
Currently ufw is inactive, but I have tried enabling it and allowing 'NGINX FULL'. The requests still failed in that scenario, but I received a connection timeout error instead of connection closed.
NGINX error log example output:
2020/05/13 23:17:23 [error] 13581#13581: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 159.xxx.xxx.35, server: api.example.net, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3333/", host: "54.xxx.xx.xxx:80"
My NGINX server blocks are as follows:
server {
    listen 443 ssl;
    server_name api.example.net www.api.example.net;
    ssl_certificate /etc/letsencrypt/live/api.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.net/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 TLSv1.3 is the usual set today
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_pass http://localhost:3333/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # header names corrected: the de-facto standard names are X-Forwarded-For and
        # X-Forwarded-Proto (the original X-Forward-* spellings are read by no upstream framework)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" in this block, so the upstream learns the client used TLS
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
server {
    listen 80;
    server_name api.example.net www.api.example.net;
    # return 301 https://$host$request_uri;
    location / {
        proxy_pass http://localhost:3333/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "http" here
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
I've been googling for the last 18 hours and my brain is bleeding, any and all suggestions will be greatly appreciated.
I was able to connect to your server on HTTPS (you forgot to redact the domain in the error log). The server itself seems to work fine (I got the error Cannot GET /). I suspect your client on gh-pages gets the ERR_CONNECTION_CLOSED error because CORS is not allowing it to talk to your server.
This question may be helpful: POST API call returns CORS error without https and ERR_CONNECTION_CLOSED without
If you want to allow CORS with nginx, then this may work (snippet from enable-cors.org). After you get it working, you should probably improve security by not allowing all origins.
#
# Wide-open CORS config for nginx
#
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }
}
I hope this helps!
Related
I have a Digital Ocean VM running an Express backend server listening on port 5000.
I have all these records set up to point the domain I registered at my VM's IP.
https://i.imgur.com/dfdBgKb.jpg
I have Nginx installed and a sites-available/sites-enabled config file like this:
https://i.imgur.com/TxMtfSM.png
/etc/nginx/sites-available/reeeeee.tk.conf
server {
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    listen 80;
    server_name api.reeeeee.tk;

    # SSL (left commented out until Certbot has issued the certificate)
    # ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;

    # Security headers (only the last one is HSTS)
    # add_header X-Frame-Options "SAMEORIGIN" always;
    # add_header X-XSS-Protection "1; mode=block" always;
    # add_header X-Content-Type-Options "nosniff" always;
    # add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/api.reeeeee.tk-access.log;
    error_log /var/log/nginx/api.reeeeee.tk-error.log;
    server_tokens off;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # ACME challenge (HTTP-01 validation files served from disk)
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
    }
}
I created a /var/www/_letsencrypt directory and chowned it to the user "www-data":
https://imgur.com/KBKTapE
I then successfully ran Certbot:
https://i.imgur.com/2glcHVn.jpg
After successfully running Certbot, I got rid of all the "#"s, so the ".conf" file now looks like:
/sites-enabled/reeeeee.tk.conf
server {
    # both listeners live in one block: port 80 keeps serving plain HTTP,
    # nothing here redirects it to HTTPS
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    listen 80;
    # requests for any other host name (e.g. www.reeeeee.tk) do not match this block
    server_name api.reeeeee.tk;

    # SSL
    ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
    # only used for OCSP stapling, which needs ssl_stapling on to be active
    ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;

    # Security headers (only the last one is HSTS)
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # this CSP permits every source plus inline scripts and eval, so it restricts nothing
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    # HSTS: once a browser has seen this over HTTPS it refuses plain HTTP for a year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/api.reeeeee.tk-access.log;
    error_log /var/log/nginx/api.reeeeee.tk-error.log;
    server_tokens off;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
    }
}
I restarted Nginx:
https://i.imgur.com/oUXWHAM.png
BUT the site is still not HTTPS secured.
http://www.reeeeee.tk/api/movies
Did I get an SSL certificate? What did I do wrong? Do you see anything in the screenshots or code that I did wrong?
Where do I go from here? How do I get a working SSL cert and an HTTPS secured site?
I was following advice I got from this Reddit thread. ALL further context is in here if I didn't post enough info:
https://www.reddit.com/r/nginx/comments/z88yra/trying_to_get_ssl_certificate_for_backend_where/
Was this person just wrong? Did I do it wrong from the beginning? Do I have to start over?
I successfully installed Odoo 16 on Ubuntu 22 (Yenthe script). When I run Odoo directly with the IP address on port 8069, everything functions. But when I run it with a domain name through a server block, several things happen: the initial website generation gets stuck in an endless loop. After letting it run for a long time, when I refresh the screen the website is created, but I cannot edit it. I can click on the frontend editor button in the top left area, but the edit mode does not appear. The editable area turns dark grey with a large circle circling endlessly.
When I alternate back to the IP number for the same app, it works without a problem.
I am using Cloudflare.
At first I suspected the server block, but I have tried suggested variations with no change. The error log does not show obvious errors.
Does anyone out there have a similar experience? Are there solutions?
server {
    listen 80;
    # set proper server name after domain set
    server_name spiritpointacupressure.com;

    # Add headers for Odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    proxy_set_header X-Client-IP $remote_addr;
    proxy_set_header HTTP_X_FORWARDED_HOST $remote_addr;

    # Odoo log files
    access_log /var/log/nginx/odoo-access.log;
    error_log /var/log/nginx/odoo-error.log;

    # increase proxy buffer size
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    proxy_read_timeout 900s;
    proxy_connect_timeout 900s;
    proxy_send_timeout 900s;

    # force timeouts if the backend dies
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    types {
        text/less less;
        text/scss scss;
    }

    # enable data compression
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript application/pdf image/jpeg image/png;
    gzip_vary on;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 64k;
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:8069;
        # by default, do not forward anything
        proxy_redirect off;
    }
    location /longpolling {
        proxy_pass http://127.0.0.1:8072;
    }
    # the dot must be escaped: an unescaped "." matches any single character
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 2d;
        proxy_pass http://127.0.0.1:8069;
        add_header Cache-Control "public, no-transform";
    }
    # cache some static data in memory for 60 mins
    # (proxy_cache_valid only takes effect once a proxy_cache zone is configured)
    location ~ /[a-zA-Z0-9_-]*/static/ {
        proxy_cache_valid 200 302 60m;
        proxy_cache_valid 404 1m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://127.0.0.1:8069;
    }
}
Just add this line to your nginx config file, in the server block. It hangs because a request is sent over http instead of https.
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
I tried with Odoo 16 CE on Ubuntu 22.04, and it works fine.
Could you share your nginx configuration?
Have you enabled proxy_mode=True in your odoo .conf?
I have two apps running on my server.
A react app on port 4512 (locally on HTTP) and 5512 (on https). Can be accessed on https://merchant.abc.com:5512
A node js (express) API on port 4511 (locally on http) and 5511 (on https) served on https://ce.abc.com:5511
Initially, I was using a wildcard SSL certificate for both sub-domains, and Node.js was taking care of CORS. But we were then required to use separate SSL certificates for the two domains. When I used separate SSL certificates, Nginx started to deny CORS requests (I was still able to use the API from Postman).
I then read about Nginx CORS options in some posts here and came up with the following Nginx settings:
/etc/nginx/sites-available/default
# Vendor API
server {
    listen 5511 ssl;
    ssl_certificate /ssl/ssl-bundle-api.crt;
    ssl_certificate_key /ssl/ssl-api.key;
    location / {
        include /etc/nginx/shared/allow-cors;
        proxy_pass http://localhost:4511;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}
# Retailer app
server {
    listen 5512 ssl;
    ssl_certificate /ssl/ssl-bundle-react.crt;
    ssl_certificate_key /ssl/ssl-react.key;
    location / {
        proxy_pass http://localhost:4512;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}
/etc/nginx/shared/allow-cors
# Reflecting $http_origin together with Allow-Credentials true grants a
# credentialed cross-origin request to whatever origin asks; once this works,
# an allowlist (a map from $http_origin to the permitted value) is the safer shape.
if ($request_method = "OPTIONS") {
    add_header Access-Control-Allow-Origin $http_origin always;
    add_header Access-Control-Allow-Credentials true always;
    add_header Access-Control-Allow-Methods 'DELETE,GET,OPTIONS,POST,PUT' always;
    add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-Token-Auth,X-Mx-ReqToken' always;
    add_header 'Access-Control-Max-Age' 1728000 always;
    # the ";" between media type and charset was missing
    add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
    add_header 'Content-Length' 0 always;
    return 204;
}
add_header Access-Control-Allow-Origin $http_origin always;
add_header Access-Control-Allow-Credentials true always;
add_header Access-Control-Allow-Methods 'DELETE,GET,OPTIONS,POST,PUT' always;
add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With,X-Token-Auth,X-Mx-ReqToken' always;
I then removed the CORS settings from the Node.js API. This seemed to fix the issue completely on my AWS EC2 Ubuntu 18.04 instance. But when I deploy this code on the client's on-premise server (created from an image of my EC2 instance) it has issues again. On Firefox it seems like the pre-flight check gets the expected 204, but then I don't see any POST request being sent.
On Chrome I see a successful pre-flight check with 204. I also see the actual POST request in Chrome, but with a (failed) net::ERR_FAILED status.
Can somebody please help me resolve this?
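A black-box check for the two CORS shapes on this page, the wide-open '*' snippet in the first answer and the $http_origin-reflecting include above, written the way a browser evaluates them. This is an added example in Python, not code from either post; the policy functions model the nginx headers offline, fetch_headers is the live equivalent, and the probe origin is a constructed placeholder.

```python
import urllib.request

PROBE_ORIGIN = "https://attacker.example"          # constructed probe origin
TRUSTED_ORIGIN = "https://merchant.abc.com:5512"   # the React app from the post

def wildcard_policy(origin):
    # models: add_header 'Access-Control-Allow-Origin' '*';
    return {"Access-Control-Allow-Origin": "*"}

def reflect_policy(origin):
    # models: add_header Access-Control-Allow-Origin $http_origin always;
    #         add_header Access-Control-Allow-Credentials true always;
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def allowlist_policy(origin, allowed=(TRUSTED_ORIGIN,)):
    # hardened form: echo only listed origins, and mark the response as
    # origin-dependent so a shared cache never hands it to another origin
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}

def fetch_headers(url, origin):
    """Live variant: preflight the endpoint with a chosen Origin, return its headers."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": "POST"})
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())

def audit(policy, trusted_origin=TRUSTED_ORIGIN):
    """Findings for a policy (callable origin -> response headers); empty is good."""
    findings = []
    h = {k.lower(): v for k, v in policy(PROBE_ORIGIN).items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("wildcard origin: any site can read responses (browsers refuse cookies with '*')")
    elif acao == PROBE_ORIGIN:
        msg = "origin reflected unconditionally"
        if creds:
            msg += " WITH credentials: any site can act as the logged-in user"
        findings.append(msg)
    if acao and acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("missing Vary: Origin on a per-origin answer")
    ok = {k.lower(): v for k, v in policy(trusted_origin).items()}
    if ok.get("access-control-allow-origin") not in ("*", trusted_origin):
        findings.append("trusted origin %s would be blocked" % trusted_origin)
    return findings
```

Against a live endpoint, pass `lambda o: fetch_headers("https://ce.abc.com:5511/", o)` as the policy.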
We are facing an issue while configuring Nginx as a WebSocket proxy in a web application. We have added the following WebSocket-related configuration to nginx.conf:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream websocket {
    server 234.61.34.23:3389;
}
# prefix match on the path only: a request for /websocket-tunnel/connect?id=...
# (no trailing slash) does not start with this prefix and so does not match
location /websocket-tunnel/connect/ {
    proxy_read_timeout 86400;
    proxy_redirect off;
    proxy_pass http://websocket;
    proxy_buffering off;
    proxy_http_version 1.1;
    # these must be proxy_set_header (headers sent to the backend); add_header
    # only appends headers to the response returned to the browser
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;   # uses the map above
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Server $host;
}
234.61.55.59:8090 - is the IP address & Port of the machine on which Nginx is installed and running.
234.61.34.23:3389 - is the IP address & port of the backend system to connect.
From the JavaScript code in the web application we create a WebSocket, which generates the following request URL:
wss://234.61.55.59:8090/websocket-tunnel/connect?id=12345
We now get the following error in the Nginx error.log:
[error] 9516#33264: *396 invalid URL prefix in "ws://websocket/websocket-tunnel/connect?id=12345"
Is there anything we are missing in the nginx WebSocket configuration? Any suggestions on resolving this error, please.
I have an issue configuring nginx as a reverse proxy via SSL.
This is my configuration:
worker_processes 4;
events { worker_connections 1024; }
http {
    upstream oidc-app {
        least_conn;
        server oidc_1:44338;
        server oidc_2:44338;
    }
    server {
        listen 443 ssl;
        # "ssl on" is deprecated since nginx 1.15.0; the ssl parameter of listen already enables TLS
        ssl on;
        ssl_certificate /etc/ssl/certs/localhost.crt;
        ssl_certificate_key /etc/ssl/private/localhost.key;
        server_name localhost;
        # SSLv3 is broken (POODLE) and disabled in current OpenSSL builds; TLSv1.2 TLSv1.3 is the usual set
        ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        add_header Strict-Transport-Security max-age=15638400;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        error_log /var/log/nginx/error.log debug;
        location / {
            # https:// here makes nginx run a TLS handshake with oidc_1/oidc_2,
            # so they must actually be serving TLS on port 44338
            proxy_pass https://oidc-app;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_redirect http:// https://;
        }
    }
}
When I open my app in the browser I get an error from nginx:
*2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 172.18.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://172.18.0.5:44338/", host: "localhost"
What's more, if I turn on Fiddler and capture HTTPS traffic with "ignore certificate", everything is fine.
However, if I disable Fiddler, the error occurs again.
What am I doing wrong?
If I configure nginx as plain HTTP on port 80, everything is fine again.
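A way to confirm whether an upstream actually speaks TLS before pointing proxy_pass https:// at it, which is the situation the SSL_do_handshake "unknown protocol" error above describes (OpenSSL sent a ClientHello and got back something that is not a TLS record). This is an added example in Python, not part of the post; host names and ports are whatever is in your upstream block, and the two sample replies at the bottom are constructed.

```python
import socket
import ssl

def client_hello(server_name):
    """Produce a genuine TLS ClientHello with OpenSSL's memory BIOs, no network needed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we only want to know whether TLS is spoken at all
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: the ClientHello is written, OpenSSL now waits
    return outgoing.read()

def classify_reply(first_bytes):
    """Classify what a server sent back in answer to a ClientHello.
    A TLS server answers with a handshake (0x16) or alert (0x15) record, version 0x03 0x0X.
    A plaintext HTTP server parses the ClientHello as a garbage request line and
    typically answers 'HTTP/1.1 400 ...'; OpenSSL reports that as 'unknown protocol'."""
    if not first_bytes:
        return "no reply"
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def probe_upstream(host, port, timeout=5.0):
    """Connect to the upstream nginx would talk to and report which protocol it speaks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(host))
        try:
            reply = s.recv(64)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

# constructed samples of the two replies a probe can receive
TLS_REPLY = bytes.fromhex("160303004a0200004603039f")        # start of a TLS ServerHello record
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    # on the compose network this would be probe_upstream("oidc_1", 44338)
    print(classify_reply(TLS_REPLY), classify_reply(HTTP_REPLY))
```

A "plaintext-http" result means proxy_pass must use http://, or the backend must be configured to terminate TLS itself.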