NGINX Ignore HTTPS for single page - ssl

I have a video portal system that plays live streams. The issue is that the live streams are created on the fly via docker, so I can't secure them easily (HTTPS). I need a way to tell NGINX not to secure (HTTP) a single page at {my_domain}/portal/{url_variable} but make sure the rest of the site will be HTTPS. Here is my current config:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/app.domain.com/before/*;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name app.domain.com;
root /home/forge/app.domain.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/app.domain.com/111111/server.crt;
ssl_certificate_key /etc/nginx/ssl/app.domain.com/111111/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'stuff';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
I have attempted to add another server that listens to port 80 and use location for only for the portal URL, but the entire site then does not render.

Related

NGINX + HTTPS causes 504 Gateway Timeout error for external requests

I'm running nginx server on my Raspberry Pi and it seems to be working just fine using HTTP protocol.
Recently, I decided to add HTTPS support to my server and got certificate from Let's Encrypt.
And it still works like a charm, if you are sending requests from local network. But every external request via HTTPS ends with 504 Gateway Timeout error.
Here is my config:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name domain.name;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ /.well-known {
allow all;
root /usr/share/nginx/html;
}
}
Found out that my ISP has a firewall service active by default. It was blocking all connections to 443 port. Disabling it resolved my issue.

Why is my WWW-Subdomain not showing?

I am curretly working on a project where WWW subdomain isn't resolving since I moved from my previous server and make my DNS point to the new IP address. Has it something to do with HSTS settings ? SSL certificates ? Wrong redirect format ? Wrong CNAME ?
On the previous server:
I issued a SSL certificate using LetsEncrypt for both domains : website.fr and www.website.fr., running with Debian/Apache
I terminated the instance without copying the certificate.
At that time, it worked on both https www and non www
On the new server:
I've created an AWS EC2 under Ubuntu16.04/Nginx
I've issued a new SSL for both domains using LetsEncrypt
Sites-available conf file (enabled):
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name website.fr www.website.fr;
return 301 $scheme://website.fr$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.website.fr;
ssl_certificate /etc/letsencrypt/live/website.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.fr/privkey.pem;
include snippets/ssl-params.conf;
return 301 $scheme://website.fr$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/letsencrypt/live/website.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.fr/privkey.pem;
include snippets/ssl-params.conf;
root /var/www/...
...etc...
ssl-params.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECD$
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem; #Diffie-Hellman 2048 group
DNS Zone settings:
IN A XX.XX.XX.XX
* IN CNAME website.fr.
www IN CNAME website.fr.
Why isn't my WWW-Subdomain also resolving ? Why isn't the page showing ?
Problem solved by itself...
Apparently, nothing was wrong in the configuration. DNS needed A LOT OF TIME to spread (24h+).
Just needed to be patient :)
You need to point another A Record with the host "www" to your IP.
This needs to be done wherever you bought the domain.

SSL Chain Incomplete

After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com

Session cache not detected in nginx

SSLlabs still show the following message even after i added the ssl_session_cache
Session resumption (caching) No (IDs assigned but not accepted)
Here is my full configuration
server {
listen 443 spdy; #Change to 443 when SSL is on
ssl on;
ssl_certificate /etc/ssl/domain.com_bundle.crt;
ssl_certificate_key /etc/ssl/domain.com.key.nopass;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#rest config goes here
}
SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server.
The problem could be that you don't have SSL session caching enabled on the default server. To enable it, you just need to add that ssl_session_cache line to your default_server. Alternatively, if you'd like that configuration the work across all of your nginx virtual servers (which I would recommend), you could move the ssl_session_cache line outside of the server declaration, so it applies to all of them.
Here's the configuration I use:
# All your server-wide SSL configuration
# Enable SSL session caching for improved performance
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:ssl_session_cache:10m;
server {
# All your normal virtual server configuration
}
Sources:
I tested both options on my own server and SSL Labs loves it!
This thread on the Nginx mailing list
when you use one server, it be correct. If you have load balance before servers, it may be like this. Because of request can not transmit to same server before. I suggest ssl_session_tickets.

Installing SSL in nginx problems

So I'm having trouble getting my ssl cert working properly in a rails app with nginx. Do I need to use the sites-available folder, or can I just stick all my cert info in the /opt/nginx/conf/nginx.conf file? Currently, my nginx.conf file looks like this, but when I try to access the site using https it doesn't work. Before this, I have another server block that listens on port 80, and that works for http, but this one for https doesn't work. Any ideas?
server {
listen 443;
server_name www.mysite.com;
#localhost;
ssl on;
ssl_certificate reference to my pem file
ssl_certificate_key reference to my key file
root reference to app in /var/www
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
}
I spent a lot of time today setting up SSL on nginx. First thing I would suggest checking is that port 443 is open from something like www.checkmyports.net
Also, do you get an error when you restart nginx?