I have a Ruby on Rails app running on a Linode Server and I am trying to create a staging server to do some testing on. I cloned the Linode and have the server up. I am able to visit the site, however, I get the 'not secure' error in Chrome, so I want to turn ssl off. So in /etc/nginx/sites-enabled/nginx.conf I commented out listen 443 ssl; and also commented out the lines referencing ssl_certificate and ssl_certificate_key. In /etc/nginx/nginx.conf I commented out ssl_protocols and ssl_prefer_server_ciphers. After doing this I have restarted nginx.
When I visit the IP address, the address part redirects to SSL and I get a message that says This site can’t be reached. Why is the site still redirecting to ssl? Am I missing a configuration somewhere?
EDIT
Here is nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
client_max_body_size 50M;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# include /etc/nginx/passenger.conf;
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /home/deployer/.rbenv/shims/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
...and sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
#listen 443 ssl;
passenger_enabled on;
rails_env production;
root /home/deployer/myapp/current/public;
#index index.html index.htm;
# Make site accessible from http://localhost/
server_name blah.org;
#ssl_certificate /etc/nginx/ssl/blag.combined.crt;
#ssl_certificate_key /etc/nginx/ssl/blah.key;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
#client_max_body_size 50M;
}
}
I am using certbot to create an SSL certificate for my website and Nginx to serve it. However, even if I change the server block in the nginx conf and restart it, only the original http works, and https returns ERR_CONNECTION_TIMED_OUT.
I've tried many ways from the internet, including splitting the server block into two, adjusting the listen 443 setting, adding server_name... but none of them seem to work; using a URL with https returns ERR_CONNECTION_TIMED_OUT.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
Is there any way to enable https in nginx? I'm sure the pem key works and I think the problem is my conf setting...
Try this
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
Also note that it's better to add your domain here
server_name www.example.com example.com;
Then restart nginx
sudo service nginx restart
I'm having problems getting domains to work using nginx when you include www. in the url.
mydomain.com --> Working, but www.mydomain.com --> Not Working
Config file:
server {
listen 80;
listen [::]:80;
#server_name git.mydomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name git.www.mydomain.com;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certific$
ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH$
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
location / {
try_files $uri $uri/ =404;
}
}
Can you help me? Thank you!
You need to set up the server names you want Nginx to serve from.
server {
listen 80;
listen [::]:80;
server_name mydomain.com www.mydomain.com;
return 301 https://$host$request_uri;
}
So you list the names you want separated by spaces.
I assume that you want to redirect all your www and non-www traffic to https with the server name you have set up in the https configuration, and that your https server name is right.
I installed SSL on my DigitalOcean droplet following this documentation.
In spite of this, all requests on https:// are getting refused!
I ran the following command: sudo netstat -anltp and found that NGINX isn't listening on port 443
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1337/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2315/nginx -g daemo
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1442/sshd
tcp 0 288 138.197.137.XXX:22 45.64.239.214:53476 ESTABLISHED 1590/0
tcp 0 0 138.197.137.XXX:22 218.65.30.134:65311 ESTABLISHED 2340/sshd: root [pr
tcp 0 0 138.197.137.XXX:22 45.64.239.214:53487 ESTABLISHED 1724/sshd: root#not
tcp6 0 0 :::80 :::* LISTEN 2315/nginx -g daemo
tcp6 0 0 :::22 :::* LISTEN 1442/sshd
My nginx.conf file is shown below:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
My /etc/nginx/sites-available/default is shown below:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-torrentic.cf.conf;
include snippets/ssl-params.conf;
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Firewall status:
Status: active
To Action From
-- ------ ----
22 LIMIT Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
Nginx Full ALLOW Anywhere
443/tcp ALLOW Anywhere
22 (v6) LIMIT Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
What is wrong? How do I fix it?
Make sure to have symlinks from /etc/nginx/sites-available/* to /etc/nginx/sites-enabled/:
$ cd /etc/nginx/sites-enabled
$ sudo ln -sf ../sites-available/default .
$ sudo service nginx reload
See chat for more details.
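A check for the situation this answer addresses, as an added example that is not part of the original answer: it compares sites-available with sites-enabled (Debian/Ubuntu layout assumed) and counts the 443 listeners in the files nginx actually includes. It goes slightly beyond the missing-symlink case by also reporting a stale regular-file copy; the function names, status labels and sample tree are constructed for this example.

```sh
#!/bin/sh
# Added example; function names and status labels are made up here.
# Assumes the Debian/Ubuntu layout: <base>/sites-available, <base>/sites-enabled.

# Prints "<name> <status>" for every file in sites-available.
check_enabled() (
    base=$1
    for avail in "$base"/sites-available/*; do
        [ -f "$avail" ] || continue
        name=${avail##*/}
        enabled=$base/sites-enabled/$name
        if [ -L "$enabled" ]; then
            if [ ! -e "$enabled" ]; then echo "$name broken-link"
            elif [ "$enabled" -ef "$avail" ]; then echo "$name enabled"
            else echo "$name links-elsewhere"
            fi
        elif [ -f "$enabled" ]; then
            # Regular file: edits made in sites-available never reach nginx.
            if cmp -s "$avail" "$enabled"; then echo "$name copy-identical"
            else echo "$name copy-differs"
            fi
        else
            echo "$name not-enabled"
        fi
    done
)

# Counts uncommented "listen ... 443" lines in the files nginx includes.
tls_listeners() {
    cat "$1"/sites-enabled/* 2>/dev/null |
        grep -Ec '^[[:space:]]*listen[[:space:]][^#]*443' || true
}

# Constructed sample tree: "default" gained a 443 listener in sites-available,
# but sites-enabled still holds an older regular-file copy of it.
make_sample_tree() (
    d=$(mktemp -d)
    mkdir "$d/sites-available" "$d/sites-enabled"
    printf 'server {\n    listen 80;\n    listen 443 ssl;\n}\n' > "$d/sites-available/default"
    printf 'server {\n    listen 80;\n}\n' > "$d/sites-enabled/default"
    printf 'server {\n    listen 80;\n}\n' > "$d/sites-available/blog"
    echo "$d"
)

tree=$(make_sample_tree)
check_enabled "$tree"
echo "443 listeners loaded: $(tls_listeners "$tree")"
rm -rf "$tree"
```

On a real host, run `check_enabled /etc/nginx` and compare the result with what netstat reports after a reload.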
I am struggling on how to force SSL on my website (nginx). I would like to force a redirect from both "http://www.example.com" and "http://example.com" to "https://example.com" (without any www).
The code I wrote currently can catch "http://www.example.com" but does not catch "http://example.com", it seems to infinite loop a redirection. I'm pretty sure it has something to do with the "server_name". I tried swapping it up and down inside the "server { ... }" brackets and stuff but it still does not behave the way I would like it.
Here is my nginx conf
server {
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
server_name example.com;
root /var/www/example.com;
index index.html index.php index.htm;
location / {
include /etc/nginx/conf/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
server {
#listen 443 spdy default deferred;
ssl on;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-[...]';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/myssl/dhparams/dh2048-group14.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security max-age=15768000;
}
You'll want to configure each of your server blocks to specifically listen to a certain port, such as the following:
server {
listen 80;
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name www.example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name example.com;
ssl_certificate_key /etc/myssl/www.example.com.key;
ssl_certificate /etc/myssl/www.example.com.chained.crt;
[other ssl_* directives, as required]
[remaining example.com configuration here]
}
This says listen on HTTP (port 80) for requests to http://www.example.com and http://example.com and redirect them to https://example.com. The second block listens for https://www.example.com and redirects to https://example.com. Then, the final block listens for SSL/SPDY requests to https://example.com.
Add your remaining HTTPS-only configuration to the second block, which looks to be essentially merging the second and third blocks.
The following is now demonstrated in the example: You will need to add another server block if you want your server to respond or redirect users accessing https://www.example.com & thus you may require a second valid SSL certificate (one for www.example.com and one for example.com). Alternatively, a wildcard certificate or a certificate with alternate DNS names would work for both circumstances.
Also ensure that no other conflicting configuration files are present in your configuration directory (eg /etc/nginx/conf.d or /etc/nginx/sites-enabled; depending on your platform).
Edited: expanded based on other information given.
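A small lint for the two patterns in the question's configuration that this answer corrects, added here as an example and not part of the original answer: server blocks with no listen directive (nginx then uses *:80 when run with superuser privileges) and ssl on in a block whose listener lacks the ssl parameter. The function names are hypothetical, the parser is a line-based approximation, and the input is the question's config abridged.

```sh
#!/bin/sh
# Added example; names are made up and the parser is line-based, not a full
# nginx grammar. Reads config on stdin, prints "<server block line>: <finding>".
lint_server_blocks() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                     # ignore comments
        if (!in_srv && line ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; depth = 0; start = NR
            n_listen = 0; n_plain = 0; ssl_on = 0
        }
        if (!in_srv) next
        if (line ~ /^[ \t]*listen[ \t]/) {
            n_listen++
            if (line !~ /[ \t]ssl[ \t;]/) n_plain++   # listener without ssl
        }
        if (line ~ /^[ \t]*ssl[ \t]+on[ \t]*;/) ssl_on = 1
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (depth == 0) {                        # end of this server block
            if (n_listen == 0) print start ": no listen directive"
            if (ssl_on && (n_plain > 0 || n_listen == 0)) {
                print start ": ssl on but a listener lacks the ssl parameter"
            }
            in_srv = 0
        }
    }'
}

# Constructed input: the three server blocks from the question, abridged.
question_config() {
    cat <<'EOF'
server {
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}
server {
    server_name example.com;
    root /var/www/example.com;
}
server {
    #listen 443 spdy default deferred;
    ssl on;
    ssl_certificate_key /etc/myssl/www.example.com.key;
}
EOF
}

question_config | lint_server_blocks
```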
I'm setting up an nginx server with an SSL.
The domain with the ssl is dev.cooknconnect.com
I want to redirect all requests from: http://domain.com to https://domain.com
I have the following server blocks setup currently:
server {
listen 1.2.3.4:80 default;
server_name domain.com;
server_tokens off;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name domain.com www.domain.com;
keepalive_timeout 70;
server_tokens off;
ssl on;
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/certificate.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://domain.com;
}
}
This currently does not work, but I don't understand why not. Can anyone find any mistake in my config? If not, please suggest some way to track or debug it.
You could use this and it should work normally
server {
listen 80;
server_name domain.com;
server_tokens off;
return 301 https://$http_host$request_uri;
}
Keep in mind that https://dev.yourdomain.com won't work, because your certificate was issued only for the root domain; https for the dev subdomain will show the yellow certificate warning.
This works fine for me:
server{
listen 80;
server_name *.example.com;
rewrite ^ https://$host$request_uri? permanent;
}
This will permanently rewrite http to https for the domain itself and sub-domains to https mode.