ssl certificate setup invalid - ssl

I used a GoDaddy SSL certificate to secure my Angular 6 application. I hosted it on an nginx server and set up the SSL certificate. After setup my browser shows "certificate (invalid)" and "Your connection to this site is not secure", so I have to proceed via the unsafe option.
I used the following configuration to set up SSL in nginx; admin.****.com is the subdomain used to host the site.
server {
    listen 443 ssl;        # "ssl on;" is deprecated; enabling TLS on the listen socket is equivalent
    listen [::]:443 ssl;
    # The chain file must contain the leaf certificate first, followed by the intermediate(s)
    ssl_certificate     /etc/ssl/certs/****.com.1.2019.chain.crt;
    ssl_certificate_key /etc/ssl/private/***.com.1.key;
    root  /var/www/frontend;
    index index.html index.htm index.nginx-debian.html;
    server_name admin.***.com www.admin.*****.com;
    location / {
        try_files $uri $uri/ /index.html;
    }
}

Related

Why do I have to change from Flexible to Full to solve my "too many redirects" problem with cloudflare?

I just set up a new website.
After setting up everything (SSL with Let's Encrypt), there is a "too many redirects" problem.
It took me hours to figure out that I can solve it just by switching from Flexible to Full in my Cloudflare settings. But why? Can somebody explain the details to me?
Nginx conf:
server {
    server_name mysite.com;
    root  /root/mysite;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = mysite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name mysite.com;
    listen 80;
    return 404; # managed by Certbot
}
When the setup is configured in Flexible mode, it means that the connection follows this configuration:
Between the end user and Cloudflare, HTTPS is used
Between Cloudflare and your origin server, HTTP is used
This can be useful if the origin does not support HTTPS, but you still want end users to connect securely to Cloudflare. The recommendation is to always have end-to-end TLS enabled with fully valid certificates.
If your origin is configured to redirect HTTP requests to HTTPS, then we enter into a loop, since the redirected HTTPS request goes back to Cloudflare, then Cloudflare makes an HTTP request to the origin ... and back to where it started!
In your case you seem to have a fully valid Let's Encrypt certificate on your origin server, so you should use Full (Strict). More information is also available here
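The loop the answer describes, traced hop by hop as an added Python model (not Cloudflare's code and not the asker's). It assumes exactly what the answer states: in Flexible mode Cloudflare always contacts the origin over plain HTTP, in Full or Full (Strict) mode it keeps the visitor's scheme, and the origin behaves like the nginx config above, answering any HTTP request with a 301 to https://. The mode names and hop budget are illustrative choices.

```python
from typing import List, Tuple

# One hop: (scheme the visitor used, scheme Cloudflare used to the origin, origin status)
Hop = Tuple[str, str, int]


def origin_response(scheme: str, redirect_http_to_https: bool) -> Tuple[int, str]:
    """Model of the nginx origin in the question: the port-80 block answers HTTP with a
    301 to https://, the port-443 block serves the site. Returns (status, next scheme)."""
    if scheme == "http" and redirect_http_to_https:
        return 301, "https"
    return 200, scheme


def scheme_to_origin(mode: str, visitor_scheme: str) -> str:
    """Scheme Cloudflare uses on the edge-to-origin leg for each SSL mode
    (assumption taken from the answer's description of the modes)."""
    if mode == "flexible":
        return "http"            # always plain HTTP to the origin, even for HTTPS visitors
    if mode in ("full", "full_strict"):
        return visitor_scheme    # HTTPS stays HTTPS end to end
    raise ValueError(f"unknown mode {mode!r}")


def trace(mode: str, visitor_scheme: str = "https",
          redirect_http_to_https: bool = True, max_hops: int = 6) -> List[Hop]:
    """Follow redirects from the browser's point of view until the origin answers 200
    or the hop budget runs out (a browser would show 'too many redirects')."""
    hops: List[Hop] = []
    scheme = visitor_scheme
    for _ in range(max_hops):
        origin_scheme = scheme_to_origin(mode, scheme)
        status, next_scheme = origin_response(origin_scheme, redirect_http_to_https)
        hops.append((scheme, origin_scheme, status))
        if status != 301:
            break
        scheme = next_scheme   # the browser follows the redirect, back through Cloudflare
    return hops


def redirect_loop(mode: str, **kwargs) -> bool:
    """True when the origin was still redirecting after the hop budget was spent."""
    return trace(mode, **kwargs)[-1][2] == 301


if __name__ == "__main__":
    for mode in ("flexible", "full", "full_strict"):
        print(f"{mode:12} loop={redirect_loop(mode)} hops={trace(mode)}")
```

Running it shows Flexible mode producing six identical ("https", "http", 301) hops, while Full reaches 200 on the first hop; an HTTP visitor in Full mode gets exactly one redirect and then the page, which is the behaviour the Certbot-generated port-80 block intends.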

Nginx SSL configuration not working on mobile browsers

I've set up an Nginx server serving ssl, with an http server block redirecting to a secured server block. The certificate is issued by my domain provider (1&1). It works perfectly fine on most desktop browsers, but I get an SSL_ERROR_INTERNAL_ERROR_ALERT on Firefox on mobile, and an ERR_SSL_PROTOCOL_ERROR on Chrome mobile (Android Pie).
Here is the nginx configuration:
server {
    listen 80 deferred;
    listen [::]:80 deferred;
    server_name meetoko.com www.meetoko.com;
    return 301 https://meetoko.com$request_uri;
}
server {
    listen 443 ssl;        # "ssl on;" is redundant with "listen ... ssl" and deprecated, so it is dropped
    listen [::]:443 ssl;
    ssl_certificate     /etc/ssl/meetoko.com.pem;
    ssl_certificate_key /etc/ssl/meetoko.com.key;
    root /var/www/html;
    server_name meetoko.com www.meetoko.com;   # the two server_name lines merged into one
    try_files $uri $uri/ /index.html;
    location / {
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
    }
    location /public/ {
        alias /root/oko-back/public/;
    }
}
The .pem file is a concatenation of the primary and the intermediate issued certificates, and the .key is the private key.
All was working well before going to HTTPS on both mobiles and desktop, so it's hard to figure out what might be wrong... Any ideas?
Thanks!
The site has an inconsistent configuration as shown by SSLLabs. It is properly configured for IPv4 but has no configuration for IPv6 although it has an IPv6 address.
My guess is that the tested desktop environment is IPv4 only (at least regarding internet access) and therefore no problem occurs. The mobile environment instead is IPv6 capable and in this case IPv6 is the preferred protocol. Only, accessing the site with IPv6 fails due to an incomplete configuration.
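Both the first question's "certificate (invalid)" and this answer's IPv4/IPv6 mismatch come down to one check: does a TLS handshake with certificate and hostname verification succeed on every address the name resolves to? The script below is an added example, not code from any of the posters; it probes each A and AAAA record separately and reports whether one address family works while the other fails. The host name, the constructed addresses and the probe callback parameter are assumptions for the illustration; against a real host it uses the system trust store.

```python
import socket
import ssl
import sys
from typing import Callable, Dict, List, Tuple

# Address family labels; mapped to socket constants only when a real connection is made
FAMILY = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def resolve(host: str, port: int = 443) -> List[Tuple[str, str]]:
    """Return (address, family label) for every A and AAAA record of host, deduplicated."""
    found: List[Tuple[str, str]] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        pair = (sockaddr[0], "IPv6" if family == socket.AF_INET6 else "IPv4")
        if pair not in found:
            found.append(pair)
    return found


def tls_probe(host: str, addr: str, port: int, family: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to one concrete address and complete a TLS handshake with chain and
    hostname verification against the system trust store (the check a browser makes).
    A missing intermediate or a name not in the SAN list shows up as a verification failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.socket(FAMILY[family], socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((addr, port))
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, f"{tls.version()} ok, certificate SANs={sans}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connect/handshake failed: {exc}"


Prober = Callable[[str, str, int, str], Tuple[bool, str]]


def probe_all(host: str, port: int = 443, addrs: List[Tuple[str, str]] = None,
              probe: Prober = tls_probe) -> List[Dict[str, object]]:
    """Probe every address (resolved, or supplied for offline use) with the given prober."""
    addrs = resolve(host, port) if addrs is None else addrs
    results: List[Dict[str, object]] = []
    for addr, family in addrs:
        ok, detail = probe(host, addr, port, family)
        results.append({"addr": addr, "family": family, "ok": ok, "detail": detail})
    return results


def consistency_report(results: List[Dict[str, object]]) -> Dict[str, object]:
    """Summarise per address family. 'inconsistent' means one family fully works while
    another does not: the pattern behind 'works on desktop, fails on mobile'."""
    per_family: Dict[str, List[bool]] = {}
    for r in results:
        per_family.setdefault(str(r["family"]), []).append(bool(r["ok"]))
    family_ok = {fam: all(oks) for fam, oks in per_family.items()}
    broken = sorted(fam for fam, ok in family_ok.items() if not ok)
    inconsistent = len(family_ok) > 1 and 0 < len(broken) < len(family_ok)
    return {"family_ok": family_ok, "broken_families": broken, "inconsistent": inconsistent}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    res = probe_all(target)
    for r in res:
        print(f"{r['family']:4} {r['addr']:40} {'OK  ' if r['ok'] else 'FAIL'} {r['detail']}")
    print(consistency_report(res))
```

Run it as `python3 probe.py meetoko.com` from a machine that has both IPv4 and IPv6 connectivity; if the IPv6 rows fail while IPv4 rows succeed, the report flags the mismatch, and the detail text distinguishes a refused connection (no listener on the v6 address) from a certificate problem (wrong chain or name).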
Try setting this option in the config:
    ssl_verify_client optional_no_ca;
When ssl_verify_client is optional or on, the nginx server asks the client (mobile browser) to provide a certificate signed by a trusted CA. Several firmwares have no client certificates issued and signed by a trusted CA.
The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate.
But the mobile Opera browser doesn't work even with these settings. Opera asks the user to offer a certificate anyway. So to stop bothering the client, the ssl_verify_client setting should be:
    ssl_verify_client off;

https is not working with my installed ssl (nginx & letsencrypt)

I have installed an SSL certificate using Let's Encrypt on my nginx server. It works perfectly for the following domain:
http://shajao.com
The site gets redirected perfectly and SSL is working nicely with an A+ score on SSL Labs.
I followed these instructions:
https://medium.com/@jnwarp/lets-encrypt-configure-nginx-with-a-perfect-score-on-ssl-labs-6fc10d2e4bf7
I tried to do the same thing on the same server with a different domain name but can't get it to work.
Basically SSL is not working. When I hit the domain in the browser it starts an infinite redirection loop. So I stopped the HTTP to HTTPS redirect and found that HTTPS is not working, which gets the site redirected to HTTP.
My DNS is managed using Cloudflare and I tried turning off the SSL feature there as well.
My server config:
server {
    listen 80;
    listen [::]:80;
    server_name getcoursetube.com www.getcoursetube.com;
    root  /media/6sense/www/getcoursetube.com;
    index index.html index.htm index.nginx-debian.html;
    # return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root  /media/6sense/www/getcoursetube.com;
    index index.html index.htm index.nginx-debian.html;
    server_name getcoursetube.com www.getcoursetube.com;
    location / {
        # $args is the raw query string, so "$uri$args" never names a file; the usual form is:
        try_files $uri $uri/ /index.html;
    }
    error_log  /media/6sense/www/getcoursetube.com/logs/error.log;
    access_log /media/6sense/www/getcoursetube.com/logs/access.log;
    #WARNING: Please read before adding the lines below!
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_certificate         /etc/letsencrypt/live/getcoursetube.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/getcoursetube.com/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
}
After spending hours, I tested my certificate on DigiCert and found that DigiCert was showing an SSL certificate issued by Cloudflare.
I turned off SSL in Cloudflare but it didn't work. So I had to quit Cloudflare.
I removed my site from Cloudflare and managed my DNS through GoDaddy (from where I purchased my domain). And it worked perfectly.
Let me know if anybody has a better answer and made it work through Cloudflare as well.
Update:
I re-added my domain on Cloudflare and set SSL to Full mode in Cloudflare. I removed the redirection code from the nginx server configuration and enabled "Always Use HTTPS" on Cloudflare. And everything started working perfectly.
The reason for me was that I didn't allow inbound traffic to port 443 on my instance.

Reverse proxy in nginx for nextcloud?

How do I set a reverse proxy for nextcloud?
This is my current config but it doesn't work:
server {
    listen 8000;
    server_name cloud.prjctdesign.com;
    return 301 https://$host$request_uri;
}
server {
    listen 4430 ssl http2;
    server_name cloud.prjctdesign.com;
    ssl_certificate     /certs/cloud.prjctdesign.com.crt;
    ssl_certificate_key /certs/cloud.prjctdesign.com.key;
    include /etc/nginx/conf/ssl_params.conf;
    client_max_body_size 10G; # change this value according to $UPLOAD_MAX_SIZE
    location / {
        proxy_pass http://192.168.178.32;
        include /etc/nginx/conf/proxy_params;
    }
}
Also I enabled SSL using a Let's Encrypt cert. I run Nextcloud in the official VM image provided by Nextcloud / Techandme.
I believe there is something wrong with the HSTS but I have no idea how it works. Also I based my forwarding off of this
I figured it out.
The reference to the SSL certificate is incorrect. Either run nginx on the same server you are running Nextcloud on and point nginx at the location of the .crt file, as in these lines:
    ssl_certificate     /certs/cloud.prjctdesign.com.crt;
    ssl_certificate_key /certs/cloud.prjctdesign.com.key;
or generate a new cert on the nginx server and point the config towards it.

Invalid ports added in redirects on AWS EC2 nginx using SSL decryption offloaded to ELB

On AWS, I'm trying to migrate a PHP Symfony app running on nginx. I want to be able to test the app both by talking directly to the EC2 server and via an ELB (the public route in).
I've set up an elastic load balancer to decrypt all the SSL traffic and pass it on to my EC2 server via port 80, as well as to pass port 80 directly on to my EC2 server via port 80.
Initially this caused infinite redirects in my app, but I researched and then fixed this by adding
    fastcgi_param HTTPS $https;
with some custom logic that looks at $http_x_forwarded_proto to figure out when it's actually via SSL.
There remains one issue I can't solve. When a user logs into the Symfony app, if they come via the ELB, the form POST eventually returns a redirect back to
    https://elb.mysite.com:80/dashboard
instead of
    https://elb.mysite.com/dashboard
which gives the user an "SSL connection error".
I've tried setting
    fastcgi_param SERVER_PORT $fastcgi_port;
to force it away from 80, and I've also added the
    port_in_redirect off
directive, but neither makes any difference.
The only way I've found to fix this is to alter the ELB 443 listener to pass traffic via HTTPS. The EC2 server has a self-certified SSL certificate configured. But this means the EC2 server is wasting capacity performing this unnecessary second decryption.
Any help very much appreciated. Maybe there is a separate way within nginx of telling POST requests not to apply port numbers?
Nginx vhost config:
server {
    port_in_redirect off;
    listen 80;
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/mysite.com/self-ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.com/self-ssl.key;

    # Determine if HTTPS is being used, either locally or via the ELB
    set $fastcgi_https off;
    set $fastcgi_port 80;
    if ( $http_x_forwarded_proto = 'https' ) {
        # ELB is using https
        set $fastcgi_https on;
        # set $fastcgi_port 443;
    }
    if ( $https = 'on' ) {
        # Local connection is using https
        set $fastcgi_https on;
        # set $fastcgi_port 443;
    }

    server_name *.mysite.com my-mysite-com-1234.eu-west-1.elb.amazonaws.com;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log error;

    rewrite ^/app\.php/?(.*)$ /$1 permanent;

    location / {
        port_in_redirect off;
        root  /var/www/vhosts/mysite.com/web;
        index app.php index.php index.html;
        try_files $uri @rewriteapp;   # the named location's "@" was mangled to "#" in the post
    }
    location ~* \.(jpg|jpeg|gif|png)$ {
        root /var/www/vhosts/mysite.com/web;
        access_log off;
        log_not_found off;
        expires 30d;
    }
    location ~* \.(css|js)$ {
        root /var/www/vhosts/mysite.com/web;
        access_log off;
        log_not_found off;
        expires 2h;
    }
    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }
    location ~ ^/(app|app_dev|config)\.php(/|$) {
        port_in_redirect off;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param HTTPS $fastcgi_https;
        # fastcgi_param SERVER_PORT $fastcgi_port;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/vhosts/mysite.com/web$fastcgi_script_name;
        include fastcgi_params;   # the stock file also sets SERVER_PORT from $server_port
    }
}
References:
FastCGI application behind NGINX is unable to detect that HTTPS secure connection is used
https://serverfault.com/questions/256191/getting-correct-server-port-to-php-fpm-through-nginx-and-varnish
http://nginx.org/en/docs/http/ngx_http_core_module.html#port_in_redirect
Finally got a solution via another channel.
The answer is to comment out SERVER_PORT with a # in the fastcgi_params file.
Many thanks to Maxim from Nginx.
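To see why removing SERVER_PORT fixes the :80 in the Location header, here is an added Python model (not Symfony's code and not nginx's) of how an application behind FastCGI assembles an absolute redirect URL from its CGI variables, fed with the variables the vhost above produces for a request arriving through the ELB. The absolute_url and env_from_nginx functions and their parameters are constructed for this illustration; the host name elb.mysite.com is the one from the question.

```python
from typing import Dict, Optional

DEFAULT_PORT = {"http": 80, "https": 443}


def absolute_url(env: Dict[str, str], path: str) -> str:
    """Simplified model of an application's redirect-URL builder (not Symfony's real code):
    scheme from HTTPS, host from HTTP_HOST, and SERVER_PORT appended whenever it is not the
    default port for that scheme. IPv6 host literals are out of scope for this illustration."""
    scheme = "https" if env.get("HTTPS", "").lower() in ("on", "1") else "http"
    host = env.get("HTTP_HOST") or env.get("SERVER_NAME", "localhost")
    port: Optional[str] = env.get("SERVER_PORT")
    if port and ":" not in host and int(port) != DEFAULT_PORT[scheme]:
        host = f"{host}:{port}"   # this is where "https://host:80" comes from
    return f"{scheme}://{host}{path}"


def env_from_nginx(host: str, listen_port: int, x_forwarded_proto: str = "",
                   local_https: bool = False, pass_server_port: bool = True) -> Dict[str, str]:
    """Constructed model of the CGI variables the vhost above hands to PHP-FPM:
    HTTPS mirrors $fastcgi_https (on for a local TLS connection or X-Forwarded-Proto: https),
    SERVER_PORT is present only while fastcgi_params still sets it from $server_port."""
    https_on = local_https or x_forwarded_proto == "https"
    env = {"HTTP_HOST": host, "SERVER_NAME": host, "HTTPS": "on" if https_on else "off"}
    if pass_server_port:
        env["SERVER_PORT"] = str(listen_port)
    return env


def login_redirect(via_elb: bool, pass_server_port: bool) -> str:
    """Where the post-login redirect points for the two request paths in the question."""
    if via_elb:
        # ELB terminated TLS and forwarded to port 80 with X-Forwarded-Proto: https
        env = env_from_nginx("elb.mysite.com", 80, x_forwarded_proto="https",
                             pass_server_port=pass_server_port)
    else:
        # Direct HTTPS to the instance on port 443 (self-signed certificate on the box)
        env = env_from_nginx("elb.mysite.com", 443, local_https=True,
                             pass_server_port=pass_server_port)
    return absolute_url(env, "/dashboard")


if __name__ == "__main__":
    for via_elb in (True, False):
        for pass_port in (True, False):
            print(f"via_elb={via_elb!s:5} SERVER_PORT passed={pass_port!s:5} -> "
                  f"{login_redirect(via_elb, pass_port)}")
```

With SERVER_PORT passed, the ELB path yields an env of HTTPS=on plus SERVER_PORT=80, and 80 is not the default for https, so the port is appended; once SERVER_PORT is gone the application falls back to the scheme's default port and the URL is clean. The direct path is unaffected either way because 443 already matches the scheme, which is why the problem only showed up behind the load balancer.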