Let's Encrypt certificate for site alongside Jitsi Meet - ssl

I've a server running Ubuntu 18.04 and Nginx and have a fully functioning instance of Jitsi Meet hosted on it.
On the other hand I have 2 other sites (one a react front end and the other a backend) and i need them to have ssl certificates since we are using Jitsi Meet api from the front end and chrome is not letting us give permissions on the mic and camera because the front end is not secure.
So I tried installing certbot and getting a Let's Encrypt certificate but when i get it and try to restart nginx, it fails.
I think it has something to do with Jitsi using the port 443 or something but I really can't tell...
This is the nginx conf for jitsi domain:
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name video.<base-domain>;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root <path-to-jitsi>;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name video.<base-domain>;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:E$
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/letsencrypt/live/video.<base-domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/video.<base-domain>/privkey.pem;
root <path-to-jitsi>;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;
location = /config.js {
alias /etc/jitsi/meet/video.<base-domain>-config.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias <path-to-jitsi>/$1/$2;
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri #root_path;
}
location #root_path {
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/video.<base-domain>-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /xmpp-websocket;
}
}
this is the nginx conf for the front end domain:
server{
server_name app.<base-domain> www.app.<base-domain>;
root <path-to-front>;
index index.html index.htm;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
charset utf-8;
location / {
try_files $uri /index.html;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/default-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/app.<base-domain>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/app.<base-domain>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = app.<base-domain>) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name app.<base-domain> www.app.<base-domain>;
listen 80;
return 404; # managed by Certbot
}
this is the nginx error.log:
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: still could not bind()
I was hoping someone can tell how I should configure this in order to have both jitsi and the front end secure.
I also will add that both domains are actually subdomains... meaning jitsi domain is video..com
and front is app..com
the real config has base-domain and paths correctly specified... If I remove all ssl config from the front end nginx configuration, everything work again.

You should use devops-guide-quickstart . There is Generate a Let's Encrypt certificate section. If you have nginx on your system before installing jitsi, jitsi will run with its nginx configuration.
if you need customized nginx file, here it is. But you should work on for security concerns.
** For standalone(without Docker) remove
"resolver 127.0.0.1 valid=5s ipv6=off;"
then change rest of 127.0.0.1 to localhost
Docker-jitsi-meet Custom Nginx Configuration
server {
resolver 127.0.0.1 valid=5s ipv6=off;
listen 80;
listen [::]:80;
server_name jitsiConf.domain.com; # managed by Certbot
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
default_type "text/plain";
try_files $uri =404;
}
location / {
return 301 https://$host$request_uri;
}
#rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
}
server {
resolver 127.0.0.1 valid=5s ipv6=off;
listen 443 ssl;
listen [::]:443 ssl;
server_name jitsiConf.domain.com; # managed by Certbot
ssl on;
ssl_certificate /etc/letsencrypt/live/jitsiConf.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/jitsiConf.domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
proxy_cookie_path / "/; HTTPOnly; Secure";
add_header Expect-CT "enforce, max-age=21600";
add_header Feature-Policy "payment none";
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# this tells the browser that jitsi can't be embedded in a Frame
add_header X-Frame-Options "DENY";
# List of Browser-Features which are allowed / denied for this Site
add_header Feature-Policy "geolocation 'none'; camera 'self'; microphone 'self'; speaker 'self'; autoplay 'none'; battery 'none'; accelerometer 'none'; autoplay 'none'; payment 'none';";
ssi on;
ssi_types application/x-javascript application/javascript;
# ensure all static content can always be found first
#location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
#{
# add_header 'Access-Control-Allow-Origin' '*';
#}
#location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
# rewrite ^/(.*)$ / break;
#}
location / {
expires max;
log_not_found off;
proxy_cache_valid 200 120m;
ssi on;
set $upstream_endpoint http://127.0.0.1:8100;
proxy_pass $upstream_endpoint;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
# BOSH
location /http-bind {
set $upstream_endpoint http://127.0.0.1:5280;
proxy_pass $upstream_endpoint/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
# xmpp websockets
location /xmpp-websocket {
set $upstream_endpoint http://127.0.0.1:5280;
proxy_pass $upstream_endpoint;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
tcp_nodelay on;
}
}
Also this configuration will be stuck on CSP error. Just for test developments this code will allow all CSP risks. you can add under the
ssl_session_cache shared:SSL:50m;
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;
CSPallow **sorry i couldn't find original post*

Related

Succesfully ran Certbot. Site still not secure. What did I do wrong?

I have a Digital Ocean VM running an Express backend server listening to port 5000.
I have all these records setup to point my VM ip to the domain I registered.
https://i.imgur.com/dfdBgKb.jpg
I have Nginx installed and a sites-available/sites-enabled config file like this:
https://i.imgur.com/TxMtfSM.png
/etc/nginx/sites-available/reeeeee.tk.conf
server
{
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
listen 80;
server_name api.reeeeee.tk;
# SSL
# ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
# HSTS
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-XSS-Protection "1; mode=block" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header Referrer-Policy "no-referrer-when-downgrade" always;
# add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
access_log /var/log/nginx/api.reeeeee.tk-access.log;
error_log /var/log/nginx/api.reeeeee.tk-error.log;
server_tokens off;
location /
{
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
# ACME-challenge
location ^~ /.well-known/acme-challenge/
{
root /var/www/_letsencrypt;
}
}
I created a /var/www/_letsencrypt directory and chowned it with the user: "www-data"
https://imgur.com/KBKTapE
I then succesfully ran Certbot:
https://i.imgur.com/2glcHVn.jpg
After succesfully running Certbot, I got rid of all the "#"'s so the ".conf" file now looks like:
/sites-enabled/reeeeee.tk.conf
server
{
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 80;
server_name api.reeeeee.tk;
# SSL
ssl_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.reeeeee.tk/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/api.reeeeee.tk/fullchain.pem;
# HSTS
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
access_log /var/log/nginx/api.reeeeee.tk-access.log;
error_log /var/log/nginx/api.reeeeee.tk-error.log;
server_tokens off;
location /
{
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
# ACME-challenge
location ^~ /.well-known/acme-challenge/
{
root /var/www/_letsencrypt;
}
}
I restarted Nginx
https://i.imgur.com/oUXWHAM.png
BUT the site is still not HTTPS secured.
http://www.reeeeee.tk/api/movies
Did I get an SSL certificate? What did I do wrong? Do you see anything in the screenshots or code that I did wrong?
Where do I go from here? How do I get a working SSL cert and an HTTPS secured site?
I was following advice I got from this Reddit thread. ALL further context is in here if I didn't post enough info:
https://www.reddit.com/r/nginx/comments/z88yra/trying_to_get_ssl_certificate_for_backend_where/
Was this person just wrong? Did I do it wrong from the beginning? Do I have to start over?

Letsencrypt / nginx : SSL configuration went wrong

I recently acquired a domain name that I want to point to my home server. It worked very well before I tried to implement SSL. Since then I get this error when I try to access https://cloud.mydomain.com/:
SSL_ERROR_RX_RECORD_TOO_LONG
I don't know how to debug on this at all.
With my host here is my config:
mydomain.com. A [my external IP]
cloud.mydomain.com. CNAME mydomain.com.
On my server I have this:
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}
set_real_ip_from 127.0.0.1;
set_real_ip_from 192.168.1.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
# include /etc/nginx/proxy.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
# include /etc/nginx/ssl.conf;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# include /etc/nginx/header.conf;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Frame-Options "SAMEORIGIN";
# include /etc/nginx/optimization.conf;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 192.168.1.1 valid=30s;
resolver_timeout 5s;
# include /etc/nginx/conf.d/*.conf;
# etc/nginx/conf.d/nextcloud.conf;
server {
server_name cloud.mydomain.com;
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name cloud.mydomain.com;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
#SOCIAL app enabled? Please uncomment the following row
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
#WEBFINGER app enabled? Please uncomment the following two rows.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
client_max_body_size 10240M;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ~ \.(?:flv|mp4|mov|m4a)$ {
mp4;
mp4_buffer_size 100M;
mp4_max_buffer_size 1024M;
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+).php(?:$|\/) {
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
expires 360d;
}
}
}
Here is the command I ran to generate the certificates:
sudo certbot --nginx -d mydomain.com -d cloud.mydomain.com
Note that when I access it from the local network with the address of the machine I have the certificate and the nextcloud is displayed.
My router is configured to transfer calls 80 and 443 on my machine and I can see the logs on /var/log/nginx/access.log
When I run the command:
openssl s_client -connect cloud.mydomain.com:443 -servername mydomain.com
I have the following result:
CONNECTED(00000003)
140509444985920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Would you know how to debug this please?

Nginx ssl force www to redirect to non www domain

I am trying to set up Nginx to redirect all www.example.com and https://www.example.com requests to https://example.com. Here is my config:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
root /var/www/domain.com/system/nginx-root;
ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /home/user/.acme.sh/example.com/domain.com.key;
include /var/www/example.com/system/files/ssl-params.conf;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
Here are the contents of the ssl-params.conf file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128$
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /var/www/example.com/system/files/dhparam.pem;
I can access example.com and https://example.com but when I try www.example.com and https://www.example.com I get a Your connection is not private error in Chrome and the site is blocked.
Can anyone help me with this?
EDIT:
I added this server block and it did not help:
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /home/user/.acme.sh/example.com/example.com.key;
include /var/www/example.com/system/files/ssl-params.conf;
return 301 https://example.com$request_uri;
}

Do I need two separate ssl.conf files if I am hosting multiple domains on same server?

I have installed SSL successfully for my main domain eg. domain.net and www.domain.net
I am now trying to enable SSL into the blog on the website eg. blog.domain.net and www.blog.domain.net
I have gone through the installation and everything has been a success, however after restarting nginx when I visit 'blog.domain.net.conf' it is returning a '403 Forbidden' error now.
I have tried doing:
sudo chown -R root:root /usr/share/nginx/html/*
sudo chown -R dev:dev /usr/share/nginx/html/*
sudo chmod -R 0755 /usr/share/nginx/html/*
along with checking permissions of the site root but nothing is effecting it. The only thing I can think of that is different between the main domain and the blog is that I do have an ssl.conf file located in my conf.d/ folder that is only specifying the main domain.. do I need to add the blog into this file as well? If so, how can I add more than one domain into it if they share different paths?
SSL.CONF
server {
listen 443 http2 ssl;
server_name domain.net www.domain.net;
ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;
########################################################################
# from https://cipherli.st/ #
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
########################################################################
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
##################################
# END https://cipherli.st/ BLOCK #
##################################
ssl_dhparam /etc/ssl/certs/dhparam.pem;
location ~ /.well-known {
allow all;
}
# The rest of your server block
root /var/www/domain.net/html;
index index.php index.html index.htm;
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
I am also doing a proxy pass for the sub-domain/blog
blog.conf
# upstream ghost {
# server 127.0.0.1:2000;
# }
server {
listen 80;
server_name blog.domain.net www.blog.domain.net;
access_log /var/log/nginx/ghost.access.log;
error_log /var/log/nginx/ghost.error.log;
return 301 https://$server_name$request_uri;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location ^~ /.well-known {
allow all;
root /var/www/blog.domain.net/html;
}
location / {
proxy_pass http://127.0.0.1:2000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
server {
# SSL configuration
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-blog.domain.net.conf;
include snippets/ssl-params.conf;
}
Could my proxy pass be what is affecting this?
Any help is appreciated!

Apply SSL and www in main domain and not in subdomain in nginx

I am working on to apply SSL (https) and www to domain ("https:// www.xyz.com") in the browser whenever I type anything for the domain ("xyz.com").
I have subdomains as well and I don't want to apply "www" in subdomains (this is working fine).
Everything is working great except if I type "https:// xyz.com" in the browser, ngingx doesn't apply www (it should be "https:// www.xyz.com") but it gives "https:// xyz.com" only.
Following is the config file of sites-available:
server {
listen 443;
server_name xyz.com *.xyz.com;
ssl on;
ssl_certificate /etc/nginx/ssl/xyz.crt;
ssl_certificate_key /etc/nginx/ssl/*.xyz.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8069;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_buffer_size 128k;
proxy_buffers 16 64k;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
location ~* /web/static/ {
proxy_buffering off;
proxy_pass http://127.0.0.1:8069;
}
}
}
server {
listen 80;
server_name xyz.com;
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://www.$host$request_uri? permanent;
}
server {
listen 80;
server_name *.xyz.com;
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://$host$request_uri? permanent;
}
Kindly guide me where I am doing wrong.
Thanks in advance.
move add_header Strict-Transport-Security max-age=2592000; option to ssl server block with 443 port.
server {
listen 443;
add_header Strict-Transport-Security max-age=2592000;
# rest configs
}
Change http 80 block to
server {
listen 80;
listen [::]:80;
server_name example.com;
return 301 https://www.example.com$request_uri; # permenent redirect
}
NOTE: any changes made to nginx config needs a reload signal to nginx process to apply the changes in ubuntu it requires sudo service nginx reload