Endless redirect loop with SSL nginx configuration - ssl

I configured some basic proxies and then ran certbot. It endlessly redirects me, unfortunately.
I have tried numerous solutions to no avail. Is there something wrong with the other these server blocks are in? Any help would be much appreciated.
server {
server_name www.example.com;
return 301 https://example.com$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://localhost:3000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Host $host;
}
location /api/ {
proxy_pass http://localhost:8000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
listen [::]:80 default_server;
return 302 https://$host$request_uri;
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name www.example.com;
listen 80;
return 404; # managed by Certbot
}

Try:
server {
listen 80;
listen [::]:80 default_server;
server_name www.example.com example.com;
return 302 https://$host$request_uri;
}
server {
server_name www.example.com example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
location / {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Host $host;
}
location /api/ {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

Related

upstream timed out (110: Connection timed out) while reading response header from upstream nginx in nodejs project

While I had not connected this server to Domain or integrated SSL, it was working fine, as soon as I implemented the SSL it started throwing error.
Here is my server block - sites-available - config.
server{
server_name demo.example.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:3002; (I have used just proxy_pass in one config and still had the problem so added this set header)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; (I have tried with just "" but it didnt work)
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/demo.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/demo.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server{
if ($host = demo.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name demo.example.com;
return 404; # managed by Certbot
}

Nginx won't serve static files (Reverse Proxy + Express API)?

I cannot manage to get Nginx to serve my static files. It always gives me 302 errors. I have my static files in a public folder (/home/user/Documents/myapp.com/CURRENT PROJECT/public) and want to serve them when a user goes to the site and requests myapp.com/css/style.css, myapp.com/js/main_script.js... I have the permission but from what I can tell it either can't find the file or ignores it completely and tries to serve them from the API(I can't use express.static anymore).
user www-data;
pid /run/nginx.pid
http {
upstream loadbalance {
least_conn;
server myapp:8003;
}
server {
listen 80;
listen 443 ssl http2;
server_name www.myapp.com;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
return 301 https://myapp.com$request_uri;
}
server {
root "/home/user/Documents/myapp.com/CURRENT PROJECT/public";
server_name myapp.com;
##
# SSL Settings
##
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
# This would not work
location /css/ {
autoindex on;
}
# This would not work
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
}
#Api
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://loadbalance;
}
}
}
Once you set up the reverse proxy, you should manage with express the routing of the static files.
My settings for the proxy:
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}

How to redirect different subdomains to applications running on different ports with nginx

I have 2 nodejs applications running in my EC2 instance at PORT 3000 and 1337. What I want to achieve is
admin.mydomain.com
should be redirected to the application running on PORT 1337 and
mydomain.com www.mydomain.com
should be redirected to the application running on PORT 3000.
With my current nginx configuration I am getting a 502
map $subdomain $subdomain_port {
default 3000;
www 3000;
admin 1337;
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ~^(?P<subdomain>.+?)\.historydiaries\.com$;
location / {
proxy_pass http://localhost:$subdomain_port;
proxy_redirect off;
}
ssl_certificate /etc/letsencrypt/live/historydiaries.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/historydiaries.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
add_header Strict-Transport-Security “max-age=15768000” always;
}
You can achieve this using two different nginx conf
I will go with separate Nginx vhost configuration.
One for www.mydomain.com and another one for admin.mydomain.com
server {
listen 80;
server_name www.mydomain.com;
access_log /var/log/nginx/mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000/;
proxy_redirect off;
}
}
and
server {
listen 80;
server_name admin.mydomain.com;
access_log /var/log/nginx/admin.mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:1337/;
proxy_redirect off;
}
}
This just simple vhost configuration. You can add Let's Encrypt later when you need.

WWW subdomain not secured even though redirection is applied

I am trying attempting to get the 'www' sub-domain redirected to the same route without the 'www' but when accessing the address i receive the following error:
Your connection is not private
Attackers might be trying to steal your information from www.*.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
The sub-domain without the 'www' is fully active and set up with an SSL i've made using Lets Encrypt (both version of the sub-domains were registered when creating the SSL).
When doing a curl command on the 'www' domain i successfully get a '301 Moved Permanently'.
Here is the configuration file of my nginx:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 sitename.com$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
edited, see comment
You could try a more complete solution. Using wildcards and a improved redirect. Please try it!
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name .sitename.com; # Note the '.' before sitename!
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Docs
.sitename.com;
A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
I've decided to tackle this issue in another way. I generated another Lets Encrypt SSL certificate for the 'www' subdomain and created another block.
Now everything works as expected.
Here is my updated config:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
server_name sitename.com www.sitename.com;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/www.sitename.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.sitename.com-0001/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}

Website won't work after ssl installation

My website was working properly before I installed the ssl certificate. However, once it was installed, my website stopped working. Nginx starts fine as usual, and I get no errors, but the website just doesn't work. Here's my code for nginx config:
server {
listen 80;
server_name www.example.com; (example is replaced with my domain name in code)
location / {
rewrite ^ https://$server_name$request_uri permanent;
}
}
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example_com/example.key;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://xxx.xx.xx.xxx:8004;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}