I am trying to configure Sonarqube that it works with SSL. I followed the following instructions:
https://docs.sonarqube.org/latest/setup/operate-server/
Below is my configuration:
server {
listen 443 ssl;
root /opt/sonarqube/sonarqube-6.7.7/web/;
index index.html index.htm;
server_name sonar;
location / {
root /var/www/sonar;
proxy_pass http://localhost:9000;
}
}
I have tested my SSL-Certificate and it works fine with a website, that I have created, but with Sonar it is not working.
Below is the error what I get in the Firefox browser:
Errorcode: SSL_ERROR_RX_RECORD_TOO_LONG
thank you for your answers. #Steffen Ullrich: you are right.
server {
listen 9090 ssl;
ssl_certificate <CERT_NAME>.pem;
ssl_certificate_key <DOMAIN>.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ...;
ssl_dhparam <DHPARAM>.pem;
ssl_prefer_server_ciphers on;
server_name sonar;
location / {
proxy_pass http://localhost:9000;
proxy_redirect http://localhost:9000 https://<DOMAIN.net>:9090;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
Thank you all for your help.
Related
I have 2 nodejs applications running in my EC2 instance at PORT 3000 and 1337. What I want to achieve is
admin.mydomain.com
should be redirected to the application running on PORT 1337 and
mydomain.com www.mydomain.com
should be redirected to the application running on PORT 3000.
With my current nginx configuration I am getting a 502
map $subdomain $subdomain_port {
default 3000;
www 3000;
admin 1337;
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ~^(?P<subdomain>.+?)\.historydiaries\.com$;
location / {
proxy_pass http://localhost:$subdomain_port;
proxy_redirect off;
}
ssl_certificate /etc/letsencrypt/live/historydiaries.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/historydiaries.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
add_header Strict-Transport-Security “max-age=15768000” always;
}
You can achieve this using two different nginx conf
I will go with separate Nginx vhost configuration.
One for www.mydomain.com and another one for admin.mydomain.com
server {
listen 80;
server_name www.mydomain.com;
access_log /var/log/nginx/mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000/;
proxy_redirect off;
}
}
and
server {
listen 80;
server_name admin.mydomain.com;
access_log /var/log/nginx/admin.mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:1337/;
proxy_redirect off;
}
}
This just simple vhost configuration. You can add Let's Encrypt later when you need.
following situation:
I have an play framework server running on localhost:9000. If someone now acces from outside on that server via http, nginx redirect the http request to localhost:9000.
Now i run seperate on that server a rshiny server, that listen on port 9271(https), and has to redirect the traffic to 9270(http).
I tried already some stuff, this one is the last version, that i dont get to work:
server {
listen 9271;
server_name _;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/xxx.pem;
ssl_certificate_key /etc/nginx/ssl/xxx.key;
access_log /var/log/nginx/access.log xxx_host;
error_log /var/log/nginx/error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9270;
proxy_read_timeout 90;
proxy_redirect http://localhost:9270/ $scheme://$host/;
}
}
I have set up www.myapp.io which connects to a MEAN-stack application hosted by nginx. It works, now, I want to add SSL to it. I have followed this link to secure with let's encrypt.
However, after the configuration, https://www.myapp.io isn’t working: www.myapp.io redirected you too many times. ERR_TOO_MANY_REDIRECTS.
The follows is /etc/nginx/sites-enabled/myapp.io, does anyone know where is wrong?
server {
listen 80;
server_name myapp.io www.myapp.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.io www.myapp.io;
ssl_certificate /etc/letsencrypt/live/myapp.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.io/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:EC$
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass https://127.0.0.1:3000;
}
}
(I did not put ssl_session_cache shared:SSL:50m;, because I already have ssl_session_cache shared:SSL:10m; in /etc/nginx/nginx.conf.)
The config file before adding ssl, which worked:
server {
listen 80;
server_name myopp.io *.myopp.io;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:3000;
}
}
PS: The site is managed via cloudflare, at the moment, the SSL setting on clouldflare is Flexible, I don't know if I need to change it.
As #dave_thompson_085 suggested in his comment, changing Flexible to Full in Cloudflare will make https://www.myapp.io reachable...
I have issue with configure nginx as reverse proxy via ssl.
This is my configuration:
worker_processes 4;
events { worker_connections 1024; }
http {
upstream oidc-app {
least_conn;
server oidc_1:44338;
server oidc_2:44338;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
server_name localhost;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security max-age=15638400;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
error_log /var/log/nginx/error.log debug;
location / {
proxy_pass https://oidc-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_redirect http:// https://;
}
}
}
When I open my app in browser I have an error from nginx:
*2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 172.18.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://172.18.0.5:44338/", host: "localhost"
Whats more, if I turn on Fiddler and capture https traffic with ignore certificate - everything is fine.
However if I disable Fiddler - an error occured again.
What I'm doing wrong?
If I configure nginx as http via 80 port - everything is fine again.
I have this nginx configuration
server {
listen 80;
server_name app.com www.app.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
server_name app.com www.app.com;
ssl on;
ssl_certificate /etc/nginx/ssl/app.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location = /favicon.ico {
root /opt/myapp/app/programs/web.browser/app;
access_log off;
expires 1w;
}
location ~* "^/[a-z0-9]{40}\.(css|js)$" {
root /opt/myapp/app/programs/web.browser;
access_log off;
expires max;
}
location ~ "^/packages" {
root /opt/myapp/app/programs/web.browser;
access_log off;
}
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}
and deployed to ec2 using mup with normal settings
It is deployed and i can access the site app.com
But the https://app.com is not working
as In the config file all the requests are rewriting to https
What is happening here
I can access the site when I enter app.com that means it is
forwarding app.com ad https://app.com
I cannot access https://app.com that means nginx is not working
Which of the above two scenarios are true?
I'm out of options. I checked with ssl checkers they are showing that ssl certificate is not installed.
then why my app is working when enter app.com?
Now Meteor Up has the built in SSL Support. No more hard work.
Just add the SSL certificates and the key and do mup setup.
We use stud to terminate SSL
I am not NGINX knowledgeable but looking at my working production configs I see a number of parameters you have not included in yours.
In particular you may need the following at the top in order to proxy websocket connections:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
My 443 server also includes the following in addition to what you already have:
server {
ssl_stapling on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000;";
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
}
Finally I would try commenting out your location directives for bug checking. The issue should not be with your SSL certificate, it should still allow you to visit (with a warning) for a self-signed or misconfigured certificate. Hope this helps.