Nginx reverse proxy for requesting HTTP backend on HTTPS frontend - ssl

I've been seeing a ton of info about reverse proxies and nginx, but I'm a little lost on how to implement it. I am running two separate EC2 instances (front and back end, with the back end running pm2). I have SSL established on the front using LetsEncrypt, and it won't allow me to hit my backend because of Mixed Content. What should I do?
nginx.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name domain;
location / {}
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
root /insert/root/here;
ssl_certificate "/path/to/cert";
ssl_certificate_key "/path/to/key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

It looks like the browser complains about your HTML content because it has hard-coded "http://" references to external resources, like JavaScript, fonts, etc.
It does not mean that it can't reach the backend due to this "mixed-content" issue.
I see no proxy_pass (or fastcgi_pass) directives in your config (which should pass requests to your upstream backend server), so probably that is the real reason why you can't reach your backend.
Your configuration should look like this:
server {
listen 443 ssl;
root /here/are/your/static/files/; # here you can place static html, css, js etc. files from your backend to offload the backend from serving static files - nginx will take care of them.
...
location / {
# this means that nginx will forward requests to the backend server in case the request does not match a local static file.
try_files $uri $uri/ @backend;
}
location @backend {
# ....
proxy_pass http://backend-server-ip-address:backend-port;
}
}
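A fuller version of the split the answer describes (TLS terminated at nginx, static files served locally, API calls forwarded to the plain-HTTP backend over the private network), as an added example rather than the answerer's own config. The domain example.com, the backend address 10.0.1.20:3000, the /api/ prefix and the certificate paths are assumptions.

```nginx
# Added example (not from the original answer). The browser only ever talks
# HTTPS to nginx, so calling https://example.com/api/... from the frontend
# raises no mixed-content error; nginx talks plain HTTP to the backend.
upstream backend {
    server 10.0.1.20:3000;   # placeholder: private IP of the pm2/Node instance
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLSv1 and TLSv1.1, still enabled in the question's config, are dropped here.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/frontend;

    # Static files first; anything else falls through to the SPA entry point.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Everything under /api/ goes to the backend over plain HTTP; the
    # trailing slash on proxy_pass strips the /api/ prefix.
    location /api/ {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The backend should trust these headers only for connections
        # that arrive from nginx (e.g. via a security group on port 3000).
    }
}
```

Keep port 3000 on the backend instance reachable only from the frontend instance's security group, so the unencrypted hop never leaves the VPC.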

Related

nginx is giving 404 error on page reload of my production vue-cli app

I know this is a known problem, even explained in the vue-cli docs, when you use history mode in Vue Router:
If you are using Vue Router in history mode, a simple static file server will fail. For example, if you used Vue Router with a route for /todos/42, the dev server has been configured to respond to localhost:3000/todos/42 properly, but a simple static server serving a production build will respond with a 404 instead.
To fix that, you will need to configure your production server to fallback to index.html for any requests that do not match a static file.
But I'm already doing this in my config file, and the problem persists when I reload the page manually.
server {
listen 80;
server_name my.domain.name.com;
rewrite ^ https://$server_name$request_uri permanent;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name my.domain.name.com;
root /var/www/my-frontend-dist-root;
location / {
try_files $uri $uri/ /index.html;
}
location ~*.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|ta$
expires 365d;
log_not_found off;
access_log off;
}
access_log /var/log/nginx/my.access.log;
error_log /var/log/nginx/my.error.log debug;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.name/privkey.pem;
keepalive_timeout 60;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aN$
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
}
What am I missing?

Openerp always goes to http instead of https with nginx

I have openerp running on port 8069.
This is the nginx conf:
server {
listen 80;
listen [::]:80;
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
}
and the location block and port proxy go here, which works...
When I access openerp it is always http unless https is specified in the URL; that way it works, but it is not redirected to https automatically.
This is the link that I get:
http://erp.mysite.hr/web/login?redirect=http%3A%2F%2Ferp.mysite.hr%2Fweb
Any idea what could be the problem?
Thanks
This should work correctly: any http request will be redirected to https, which will then be handled by the top block.
server {
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
#do whatever you need here
}
}
server {
listen 80;
server_name www.erp.mysite.hr;
location / {
return 301 https://$host$request_uri$is_args$args;
}
}
First, change your nginx code; second, go to System Parameters and change the parameter
web.base.url = "https://erp.mysite.hr"
to your URL.
You can also add the url freeze parameter to prevent this attribute from being reloaded:
web.base.url.freeze = True

website 404 Not Found from some locations

I have migrated a website from a physical server running Apache to a virtual machine running nginx.
When I go to the website's direct link, the website is up: http://www.via-ap.com
But when I go to Google and click on the website in the right panel, I get a 404 error.
See below:
https://www.google.fr/search?ei=Ri3jW4TXDZGalwSL46vQAQ&q=via+ap&oq=via+ap&gs_l=psy-ab.3...4929.5483.0.5646.6.5.0.0.0.0.0.0..0.0....0...1c.1.64.psy-ab..6.0.0....0.76V4PDLEtNM
I did these tests from many browsers and from private mode.
My default nginx vhost conf is:
server {
server_name _;
listen 80 default_server;
listen 443 ssl default_server;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
return 404;
}
and then each website has its own conf like this below:
server {
listen 80;
listen [::]:80;
server_name website.com;
return 301 https://www.$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.website.com website.com;
root /home/website/www/;
index index.html index.htm index.php;
access_log /var/log/nginx/website.access_log;
error_log /var/log/nginx/website.error_log info;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.2-fpm-website.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
include /etc/nginx/conf/website.conf; # file where strict transport security headers are defined
ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/website.com/chain.pem;
include /etc/nginx/conf/ssl.conf;
}
Do you know why?
Thanks
L.
Solution found.
On the first server block (listen 80), as you said first, I have added www.website.com in addition to website.com;
then I have replaced return 301 https://www.$host$request_uri; by return 301 https://$host$request_uri;

nginx redirecting to wrong vhost when both hosts use ssl

I have 2 virtual hosts configured in nginx, both using SSL, in such a way that http://www.firstsite.com redirects to https://www.firstsite.com and it works correctly. The problem is that http://www.secondsite.com is not redirecting to https://www.secondsite.com, but to https://www.firstsite.com.
This is the first config file:
server {
listen 80;
return 301 https://www.dianadelvalle.com$request_uri;
server_name www.dianadelvalle.com;
}
server{
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/www.koohack.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.koohack.com/privkey.pem;
root /home/pi/www.dianadelvalle.com/;
index commingsoon.html index.html index.htm index.nginx-debian.html;
server_name www.dianadelvalle.com;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# max upload size
client_max_body_size 5M; # adjust to taste
location / {
try_files $uri $uri/ =404;
}
}
and the second config file:
# the upstream component nginx needs to connect to
upstream django {
server unix:///home/pi/koohack/mysite.sock; # for a file socket
#server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}
server {
listen 80;
server_name www.koohack.com;
return 301 https://www.koohack.com$request_uri;
}
# configuration of the server
server {
listen 443 ssl;
server_name www.koohack.com;
ssl_certificate /etc/letsencrypt/live/www.koohack.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.koohack.com/privkey.pem;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# max upload size
client_max_body_size 15M; # adjust to taste
if (-f /home/pi/koohack/.maintenance) {
return 503;
}
error_page 503 @maintenance;
location @maintenance {
rewrite ^(.*)$ /home/pi/koohack/static/maintenance.html break;
}
# Django media
location /media {
alias /home/pi/koohack/media; # your Django project's media files - amend as required
}
location /static {
alias /home/pi/koohack/static; # your Django project's static files - amend as required
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass django;
include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
}
location /.well-known {
alias /home/pi/koohack/.well-known;
}
}
I spared the server name, log and certificate paths for clarity. What am I doing wrong? Any suggestions?
Necessary note: I already looked at this possible answer to avoid content duplication, but it didn't help.
You may have the following configs:
server_name my.domain.com;
ssl_certificate /etc/nginx/chain.pem;
ssl_certificate_key /etc/nginx/my.domain.key;
Check that your second site is also listening on the SSL ports:
listen 443 ssl;
listen [::]:443 ssl;
If the second site is missing the listening config, it will redirect to the default, regardless of the SSL certificate configs.

Proxy Neo4j binary bolt protocol using nginx to add encryption and authentication

It is possible to use nginx to proxy Neo4j's HTTP protocol to add encryption and authentication:
server {
server_name graph.example.org;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
location / {
proxy_pass http://localhost:7471/;
auth_basic "restricted";
auth_basic_user_file /path/to/users;
}
}
But I do not know how to proxy the bolt connection; here is a pseudo-configuration that contains all the necessary info:
server {
server_name graph.example.org;
listen 7687 ssl;
listen [::]:7687 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
<some ‘location’ directive> {
<some-proxy-directive> localhost:7686;
# dbms.connector.bolt.address=localhost:7686
auth_basic "restricted";
auth_basic_user_file /path/to/users;
}
}
Given that location does not make sense in this context and that proxy_pass needs an http(s)-based url, this pseudo-configuration is probably not close to the wanted one.
In an answer to the question "Is it possible to forward NON-http connecting request to some other port in nginx?", the stream-core module is suggested. But it is not clear to me how I'd use it. Would the following work (I have not yet been able to test this)?
stream {
server {
server_name graph.example.org;
listen 7687 ssl;
listen [::]:7687 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
auth_basic "restricted";
auth_basic_user_file /path/to/users;
proxy_pass localhost:7686;
# dbms.connector.bolt.address=localhost:7686
}
}
Perhaps the directives need to be modified, or more directives need to be added, to make this work?
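The stream-module form the question is reaching for, as an added example that is not from the question or from Neo4j's documentation. Two of the directives in the draft above are HTTP-module directives: auth_basic is never accepted inside stream {}, and server_name only appeared there in nginx 1.25.5, so this listener relies on TLS termination plus Bolt's own username/password handshake, which Neo4j still performs after nginx decrypts the connection. The backend 127.0.0.1:7686, the certificate paths and the commented client-certificate lines are assumptions.

```nginx
# Added example (not from the question). This block sits at the top level
# of nginx.conf beside the http {} block, not inside it, and needs nginx
# built with --with-stream --with-stream_ssl_module.
stream {
    upstream neo4j_bolt {
        server 127.0.0.1:7686;   # dbms.connector.bolt.address=localhost:7686
    }

    server {
        listen 7687 ssl;
        listen [::]:7687 ssl;

        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:BOLT_SSL:1m;
        # snippets/ssl-params.conf from the http block is deliberately not
        # included: anything in it that is http-only (add_header, ssl_stapling)
        # would make nginx refuse to start inside stream {}.

        # No auth_basic here: it is an http-module directive and there is no
        # HTTP request to attach a 401 to. Authentication stays with Neo4j,
        # which reads the Bolt HELLO/INIT credentials on every session.

        # Optional transport-level gate (assumption): only clients holding
        # a certificate issued by your own CA may even reach the handshake.
        # ssl_client_certificate /path/to/client-ca.pem;
        # ssl_verify_client on;

        proxy_connect_timeout 5s;
        proxy_timeout 1h;   # Bolt sessions are long-lived; the 10m default would drop them
        proxy_pass neo4j_bolt;
    }
}
```

Because nginx forwards raw TCP after decryption, keep Neo4j's own bolt listener bound to localhost so the plaintext leg never leaves the host.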