Securing NiFi Registry with nginx: authentication error

I followed this tutorial to set up a secure version of NiFi Registry: https://community.hortonworks.com/content/kbentry/170966/setting-up-a-secure-apache-nifi-registry.html
I am working on an Ubuntu server. I do not have the possibility to generate the keychain, and to access the graphical interface of NiFi I use Google Chrome on my local machine (Windows 10). So I imported the p12 file into my browser. My nginx configuration file is as follows:
upstream container {
    server 172.0.0.2:9000;   # not referenced by any proxy_pass below
}

server {
    listen 443 ssl;
    ssl on;   # redundant with "listen 443 ssl" (the directive is deprecated in current nginx)
    ssl_certificate /etc/letsencrypt/live/sm/fullchain.pem; #/etc/nginx/ssl/fullchain.$
    ssl_certificate_key /etc/letsencrypt/live/sm/privkey.pem; #/etc/nginx/ssl/privkey$

    # never true for a server that only listens on 443 ssl
    if ($ssl_protocol = "") {
        rewrite ^ https://$host$request_uri? permanent; # optional, to force use of$
    }

    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;
    server_name workshop1.smart-mobility.alstom.com; # managed by Certbot

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location ~ /\.ht {
        deny all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location /nifi-registry-api/ {
        # rewrite + break makes nginx forward the URI unchanged instead of
        # replacing the location prefix with the "/nifi-registry" part of proxy_pass
        rewrite ^/nifi-registry-api/(.*) /nifi-registry-api/$1 break;
        proxy_pass https://localhost:18443/nifi-registry;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /nifi-registry/ {
        # trailing slash added: without it "/nifi-registry/x" would be sent as "/nifi-registryx"
        proxy_pass https://localhost:18443/nifi-registry/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-ProxyScheme "https";
        # the host the browser used, not the upstream host ($proxy_host = localhost:18443)
        proxy_set_header X-ProxyHost $http_host;
        # "%{SSL_CLIENT_S_DN}" is Apache httpd syntax; nginx exposes the client DN as $ssl_client_s_dn
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;   # one second, and it also bounds the TLS handshake to the upstream
    }
}
When I log on to the nifi-registry page I get the following error: 502 Bad Gateway.
Can someone help me on this point, please? I cannot find examples.
nginx error log:
*28739 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL hands
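An added example, not the poster's configuration, of the proxy block that the logged alert points at. "sslv3 alert bad certificate" during "SSL handshaking to upstream" is the Registry refusing nginx's side of the handshake: a Registry secured as in the tutorial requires a client certificate from whoever connects, and the posted configuration never gives nginx one. `proxy_ssl_certificate`/`proxy_ssl_certificate_key` present the proxy's own certificate, `proxy_ssl_trusted_certificate` with `proxy_ssl_verify on` pins the Registry's CA in the other direction, and the browser user's verified subject is passed in `X-ProxiedEntitiesChain` via the nginx variable `$ssl_client_s_dn` (the `%{SSL_CLIENT_S_DN}` form in the post is Apache httpd syntax; nginx sends it as a literal string). The PEM file names, the CA file and the name verified against the Registry certificate are assumptions; the DN of the proxy's certificate must additionally be granted the proxy policy inside the Registry, or requests will be rejected there with 403 instead of 502.

```nginx
# Added example, not the poster's configuration. Assumed paths: the Registry CA in
# /etc/nginx/ssl/nifi-ca.pem, and nginx's own client certificate/key (exported from
# the tutorial's keystore as PEM) in /etc/nginx/ssl/nginx-proxy.{crt,key}.pem.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name workshop1.smart-mobility.alstom.com;

    ssl_certificate     /etc/letsencrypt/live/sm/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sm/privkey.pem;
    ssl_protocols       TLSv1.2;   # add TLSv1.3 if the nginx/OpenSSL on the box support it

    # Browser -> nginx. Ask for the user's certificate (the .p12 imported into Chrome),
    # accept only ones signed by the Registry CA, but do not fail the handshake for the
    # rest of the site: the Registry location below enforces it itself.
    ssl_client_certificate /etc/nginx/ssl/nifi-ca.pem;
    ssl_verify_client      optional;

    # nginx -> Registry. Present the proxy's certificate (the missing piece behind the
    # "bad certificate" alert) and verify the Registry's certificate against its CA.
    proxy_ssl_certificate         /etc/nginx/ssl/nginx-proxy.crt.pem;
    proxy_ssl_certificate_key     /etc/nginx/ssl/nginx-proxy.key.pem;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/nifi-ca.pem;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_server_name         on;
    proxy_ssl_name                workshop1.smart-mobility.alstom.com;  # assumed: the CN/SAN in the Registry cert
    proxy_ssl_protocols           TLSv1.2;

    # Both Registry paths in one location. No URI part on proxy_pass, so
    # /nifi-registry/... and /nifi-registry-api/... are forwarded unchanged.
    location ~ ^/nifi-registry(-api)?/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;   # no valid user certificate: never reaches the Registry
        }

        proxy_pass https://localhost:18443;
        proxy_http_version 1.1;
        proxy_set_header Host       $host;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP  $remote_addr;

        # What the Registry reads to build its links and to identify the end user.
        # $ssl_client_s_dn is the verified client subject in RFC 2253 form, which is
        # the DN format the Registry compares against its users.
        proxy_set_header X-ProxyScheme          https;
        proxy_set_header X-ProxyHost            $http_host;
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";

        proxy_connect_timeout 5s;   # also bounds the TLS handshake to the Registry
    }
}
```

To confirm which side is failing before touching nginx, run `openssl s_client -connect localhost:18443` on the server once without and once with `-cert`/`-key` pointing at the proxy's PEM files: the first should end in the same alert 42, the second should complete the handshake.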

Related

Nginx won't serve static files (Reverse Proxy + Express API)?

I cannot manage to get nginx to serve my static files. It always gives me 302 errors. I have my static files in a public folder (/home/user/Documents/myapp.com/CURRENT PROJECT/public) and want to serve them when a user goes to the site and requests myapp.com/css/style.css, myapp.com/js/main_script.js, ... I have the permissions, but from what I can tell it either can't find the file or ignores it completely and tries to serve them from the API (I can't use express.static anymore).
user www-data;
pid /run/nginx.pid;   # the posted line was missing the ";"

events {
    worker_connections 768;   # nginx refuses to start without an events block
}

http {
    upstream loadbalance {
        least_conn;
        server myapp:8003;
    }

    # www. -> bare domain
    server {
        listen 80;
        listen 443 ssl http2;
        server_name www.myapp.com;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
        ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
        return 301 https://myapp.com$request_uri;
    }

    server {
        root "/home/user/Documents/myapp.com/CURRENT PROJECT/public";
        server_name myapp.com;
        ##
        # SSL Settings
        ##
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
        # has no effect unless ssl_verify_client is also set
        ssl_client_certificate /etc/ssl/certs/cloudflare.crt;

        # This would not work
        location /css/ {
            autoindex on;
        }

        # This would not work
        # ("$" anchor added: unanchored, "\.(css|js|...)" also matched e.g. "/jsonapi/...";
        # note this root says "app.com" while the server-level root says "myapp.com")
        location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3)$ {
            root '/home/user/Documents/app.com/CURRENT PROJECT/public';
            gzip_static on;
            expires max;
        }

        #Api
        location / {
            proxy_http_version 1.1;
            proxy_request_buffering off;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://loadbalance;
        }
    }
}
Once you set up the reverse proxy, you should manage the routing of the static files with Express.
My settings for the proxy:
location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}
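An added example that is part of neither the question nor the answer above: the other way round, with nginx serving the static tree itself and only the remaining paths reaching Express. The `^~` modifier makes a matching prefix final, so no later regex location can take those requests; `try_files $uri =404` means a missing asset is answered by nginx and never forwarded to the API. It also turns the question's `ssl_client_certificate` line into an actual control: on its own that directive does nothing, and only with `ssl_verify_client on` does a connection have to carry a certificate signed by the CDN (Cloudflare's origin-pull certificate), which is what stops anyone who discovers the origin IP from bypassing the CDN. The paths and upstream are the question's; the `/css/` and `/js/` prefixes are assumed to be the public directory's layout.

```nginx
# Added example, not from the original posts. Assumes the layout described in the
# question: built assets under .../public/css and .../public/js, API on "loadbalance".
upstream loadbalance {
    least_conn;
    server myapp:8003;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapp.com;

    ssl_certificate     /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    # Accept only TLS connections that present a client certificate signed by the
    # CDN. Without the second line the first one is inert.
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client      on;

    root "/home/user/Documents/myapp.com/CURRENT PROJECT/public";

    # Static assets. "^~": once this prefix matches, regex locations are not
    # consulted, so nothing below can steal these requests. A missing file is a
    # 404 here and is never forwarded to the API.
    location ^~ /css/ {
        try_files $uri =404;
        expires 7d;
        add_header Cache-Control "public";
    }
    location ^~ /js/ {
        try_files $uri =404;
        expires 7d;
        add_header Cache-Control "public";
    }

    # Dotfiles (.git, .env, ...) that end up in the public tree must never be served.
    location ~ /\. {
        deny all;
    }

    # Everything else is the application.
    location / {
        proxy_pass http://loadbalance;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A quick check that the split works: `curl -sI https://myapp.com/css/style.css` should show `Cache-Control: public` from nginx, and `curl -sI https://myapp.com/css/does-not-exist.css` should be a plain nginx 404 rather than whatever the Express app answers for unknown paths.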

Nginx config for vue app and express server

I have an Ubuntu server on which I have a Vue app, and I am trying to add an Express app. Everything works correctly in my Vue app, but the only route that works for my Express location is the index route at /api.
Here is my nginx.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html/vue/family-showdown/client/dist;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    error_page 404 /;

    location /api {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        # the URI part of proxy_pass ("/") replaces the matched prefix "/api"
        proxy_pass http://localhost:8080/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location / {
        root /var/www/html/vue/family-showdown/client/dist;
    }
}
In my Express app.js I have:
app.use('/', _index["default"]);
app.use('/users', _users["default"]);
Navigating to /api works correctly, so I would expect navigating to /api/users to work as well, but instead I get a 404 that says Cannot GET //users
There is no location in your nginx configuration for the /users path. You can try this configuration:
location / {
    root /var/www/html/vue/family-showdown/client/dist;
    index index.html;
    include /etc/nginx/mime.types;
    try_files $uri $uri/ /index.html;
}

# no URI on proxy_pass: /api/... is forwarded to Express unchanged
location /api/ {
    proxy_pass http://localhost:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /users/ {
    proxy_pass http://localhost:8080;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
and delete these lines:
root /var/www/html/vue/family-showdown/client/dist;
index index.html index.htm index.nginx-debian.html;
server_name _;
error_page 404 /;
location / {
    root /var/www/html/vue/family-showdown/client/dist;
}
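An added example, from neither the question nor the answer, that shows where `Cannot GET //users` comes from. When `proxy_pass` carries a URI part, nginx cuts the text matched by the `location` prefix off the request URI and appends the rest to that URI part. With `location /api` (no slash) and `proxy_pass http://localhost:8080/`, `/api/users` loses `/api`, leaving `/users`, which is appended to `/` and gives `//users`. The fix is to make both ends agree: `location /api/` with `proxy_pass http://localhost:8080/` maps `/api/users` to `/users`, which is what the Express routers in the question expect. Everything that is not API stays with the SPA fallback instead of being proxied, so client-side routes never turn into Express 404s. Paths and ports are the question's.

```nginx
# Added example, not from the original post. Vue build served by nginx, Express on :8080.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    root  /var/www/html/vue/family-showdown/client/dist;
    index index.html;

    # Prefix replacement. The matched prefix "/api/" is swapped for the "/" in proxy_pass:
    #   /api/        -> /        (express: app.use('/', index))
    #   /api/users   -> /users   (express: app.use('/users', users))
    # The original "location /api" + "proxy_pass http://localhost:8080/" removed only
    # "/api" and produced "//users", the 404 seen in the question.
    location /api/ {
        proxy_pass http://localhost:8080/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    # Bare "/api" (no trailing slash) is not covered by "location /api/"; an exact-match
    # location sends it to the index router as "/" instead of falling into the SPA.
    location = /api {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
    }

    # Single-page app: unknown paths load index.html and the client router decides.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

The same rule is what makes the answer's `proxy_pass http://localhost:8080;` (no URI part) forward `/api/users` untouched; that variant only works if the Express routers are mounted under `/api` as well.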

nginx: restrict access to everything with basic_auth except for a specific page

This is the original nginx configuration I have here, working fine:
server {
    listen 8080; # http

    # Forward requests to our node app at port 8082
    #
    location /mui {
        # Remove the '/mui' portion of the path (and any extraneous trailing slash)
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location / {
        # We also rewrite the Java servlet urls to move additional, 'RESTful' path elements
        # to a url query parameter named '_path_suffix'
        #
        rewrite ^/(.*)$ /server?_path_suffix=$1 break;
        proxy_pass http://localhost:8081;
        proxy_redirect off;
    }
}
I want to add basic authentication to everything EXCEPT for one single page: /mui/river
If I include the basic authentication lines in the server block and put auth_basic off inside the location /mui block, it works as expected for this configuration (it requires authentication for / but not for /mui):
server {
    listen 8080; # http
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;   # posted as "/etc/ngnix/..."; nginx cannot open that path

    # Forward requests to our node app at port 8082
    #
    location /mui {
        # Remove the '/mui' portion of the path (and any extraneous trailing slash)
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        auth_basic off;
    }

    location / {
        # We also rewrite the Java servlet urls to move additional, 'RESTful' path elements
        # to a url query parameter named '_path_suffix'
        #
        rewrite ^/(.*)$ /server?_path_suffix=$1 break;
        proxy_pass http://localhost:8081;
        proxy_redirect off;
    }
}
Almost perfect. The next step would be to make it request authentication for everything inside /mui except for the page /mui/river.
That's where my problem is. I tried the following, and when I reach /mui/river it still requires authentication:
server {
    listen 8080; # http
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;   # posted as "/etc/ngnix/..."

    location = /mui/river {
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        auth_basic off;
    }

    # Forward requests to our node app at port 8082
    #
    location /mui {
        # Remove the '/mui' portion of the path (and any extraneous trailing slash)
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location / {
        # We also rewrite the Java servlet urls to move additional, 'RESTful' path elements
        # to a url query parameter named '_path_suffix'
        #
        rewrite ^/(.*)$ /server?_path_suffix=$1 break;
        proxy_pass http://localhost:8081;
        proxy_redirect off;
    }
}
How can I open access only for /mui/river?
Update:
This is my latest attempt, still not working; it still blocks everything. Note that I also tried to change the rewrite line:
server {
    listen 8080; # http

    # Forward requests to our node app at port 8082
    #
    location = /mui/river {
        rewrite ^/mui/river?(.*)$ /river$1 break;
        auth_basic off;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /mui {
        # Remove the '/mui' portion of the path (and any extraneous trailing slash)
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;   # posted as "/etc/ngnix/..." here but "/etc/nginx/..." below
    }

    location / {
        # The Java servlet is always assumed to be named 'server', so add that to the path.
        #
        # We also rewrite the Java servlet urls to move additional, 'RESTful' path elements
        # to a url query parameter named '_path_suffix'
        #
        rewrite ^/(.*)$ /server?_path_suffix=$1 break;
        proxy_pass http://localhost:8081;
        proxy_redirect off;
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
Right now your basic auth is set at the server level (inside the server {...} block), so it applies to all location blocks.
If you want to protect everything except /mui/river, move the following two lines inside the location /mui {...} and location / {...} blocks you wish to protect:
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
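An added example, neither the asker's nor the answerer's configuration, of the layout that opens exactly one path. `auth_basic` set in `server` is inherited by every `location` that does not override it, so the exemption is an `auth_basic off` inside a location that matches only the public page: `=` matches exactly `/mui/river` and is selected before any prefix or regex location. If that page loads its own scripts or images from `/mui/river/...`, those requests are separate and would still be challenged, so a `^~` prefix location covers the subtree. Two things to check alongside the configuration: the password file path is spelled `/etc/nginx/...` (the question mixes `ngnix` and `nginx`; a path nginx cannot open shows up as a failed `open()` in error.log and no credential will ever be accepted), and Basic auth carries the password base64-encoded, so on a plain `listen 8080` it is readable on the wire and belongs behind TLS in production. The upstreams and rewrites are the question's.

```nginx
# Added example, not from the original post. Same upstreams as the question:
# node app on :8082 behind /mui, Java servlet on :8081 behind /.
server {
    listen 8080;   # plain HTTP: Basic credentials cross the wire base64-encoded;
                   # in production this should be a "listen 443 ssl" server.

    # Default for every location in this server: require a password.
    auth_basic           "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;   # e.g. created with apache2-utils: htpasswd -c /etc/nginx/.htpasswd alice

    # The one public page. "=" is an exact match and wins over every prefix or
    # regex location, so this block applies to /mui/river and to nothing else.
    location = /mui/river {
        auth_basic off;
        rewrite ^/mui/(.*)$ /$1 break;          # -> /river on the node app
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Only needed if the page pulls assets from /mui/river/...; "^~" keeps a later
    # regex location from overriding this prefix. Drop it if the page is self-contained.
    location ^~ /mui/river/ {
        auth_basic off;
        rewrite ^/mui/(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_set_header Host $host;
    }

    # Everything else under /mui inherits the server-level auth_basic.
    location /mui {
        rewrite ^/mui/?(.*)$ /$1 break;
        proxy_pass http://localhost:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Servlet: protected by inheritance as well.
    location / {
        rewrite ^/(.*)$ /server?_path_suffix=$1 break;
        proxy_pass http://localhost:8081;
        proxy_redirect off;
    }
}
```

Verify with `curl -sI http://host:8080/mui/river` (expect 200 with no `WWW-Authenticate`) and `curl -sI http://host:8080/mui/other` (expect 401 with `WWW-Authenticate: Basic realm="Restricted Area"`); a 403 or 500 on the second call instead of a 401 after supplying credentials points at the password file, not at the location logic.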

How to install SSL Certificate on Centos 7 with Nginx

I needed to set up SSL on my server and had been putting it off. I've now done it and found it a lot simpler than expected, so for anyone else, here's the process I followed.
I have a dedicated server and have downloaded a GeoTrust certificate and private key (supplied by my host).
I have uploaded both of these to /etc/nginx/ssl/ (as root).
I added the following to my nginx default.conf:
server {
    server_name www.example.com;
    listen 443 ssl;   # replaces "listen 443;" + "ssl on;" (the ssl directive is deprecated)
    ssl_certificate /etc/nginx/ssl/www.example.com_ssl_certificate.cer;
    ssl_certificate_key /etc/nginx/ssl/www.example.com_private_key.key;

    location / {
        allow all;
        # Proxy Headers
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Cluster-Client-Ip $remote_addr;
        # The Important Websocket Bits!
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://examplecom;   # upstream "examplecom" is defined elsewhere in the config
    }
}
I have opened up port 443 as follows:
firewall-cmd --permanent --zone=public --add-port=443/tcp
And added the https service:
firewall-cmd --permanent --zone=public --add-service=https
I can now access the app over HTTPS at my domain.
The final issue is setting up the Phoenix WebSockets over wss; I will edit this post and add that information as soon as I have it done.
HTH someone.
CentOS 7
nginx 1.10.1
You need to configure it this way to use it with nginx:
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem;
    error_page 403 404 500 502 503 504 /critical_error.html;

    # same server block handles both ports; plain-HTTP requests are redirected
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    access_log /var/log/nginx/exampleApi-access.log main;
    error_log /var/log/nginx/exampleApi-error.log;

    location / {
        proxy_pass http://yourip:port;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
It will work for sure; you should try this.
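An added example, not the poster's or the answerer's configuration: the same reverse proxy with the TLS settings a practitioner would want on a public CentOS 7 host. HTTP and HTTPS get separate `server` blocks instead of an `if`, `ssl on` is replaced by `listen 443 ssl`, the protocol list drops TLS 1.0/1.1, HSTS is sent, and the WebSocket `Connection` header comes from a `map`, so ordinary requests keep HTTP keep-alive while `wss://` upgrades still pass (hard-coding `'upgrade'` as in the posts turns every proxied request into an upgrade attempt). The upstream name and certificate paths are the poster's; the upstream address and the cipher list are assumptions to adapt to your policy. Note that nginx 1.10.1 with CentOS 7's OpenSSL 1.0.2 does not accept `TLSv1.3` in `ssl_protocols`, and that `firewall-cmd --permanent` changes are not live until `firewall-cmd --reload` is run.

```nginx
# Added example, not from the original post. Assumes the poster's upstream name
# "examplecom" and certificate files, nginx 1.10.1 / OpenSSL 1.0.2 as on CentOS 7.
upstream examplecom {
    server 127.0.0.1:4000;   # assumed Phoenix endpoint
}

# WebSocket-aware Connection header: "upgrade" only when the client asked for
# it, "close" otherwise. Defined at http level, next to the upstream.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP exists only to redirect; nothing is served here.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;        # "listen 443; ssl on;" is the deprecated form
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/www.example.com_ssl_certificate.cer;  # leaf + intermediate chain
    ssl_certificate_key /etc/nginx/ssl/www.example.com_private_key.key;      # mode 0600, owned by root

    ssl_protocols TLSv1.2;       # add TLSv1.3 once nginx >= 1.13 and OpenSSL >= 1.1.1 are in place
    ssl_prefer_server_ciphers on;
    # assumed policy: ECDHE + AEAD only, no RSA key exchange, no CBC suites
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;     # avoids a long-lived ticket key undermining forward secrecy

    # Browsers cache HSTS; enable it only once the site is known to work over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://examplecom;
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets Phoenix generate wss:// URLs
        # The WebSocket bits, now conditional on the client's Upgrade header:
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1h;    # idle sockets would otherwise be cut at the 60s default
    }
}
```

After `nginx -t` and a reload, `openssl s_client -connect www.example.com:443 -tls1` should be refused and `-tls1_2` should succeed; `curl -sI https://www.example.com/` should carry the `Strict-Transport-Security` header.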

WebRTC: How can I set up a signaling server and web server together?

I am trying to transfer files between two devices (browsers) using WebRTC. I followed this GitHub repo to set up the signalmaster signaling server, and it works fine. So I put a simple index.html page in the same folder. But when I go to http://localhost:8888, it doesn't show the page. I then figured out that the signaling server is not a web server. So I set up a web server using Web Server for Chrome.
At this point I am confused about:
the need for a signaling server while having a web server, and
how I am going to use the signaling server if I am unable to load the web page.
In short, why do I need the signaling server if I am already not using it? Also, how can I set up a signaling server and a web server together so that my page loads?
This gives a good overview of the role a signaling server plays in WebRTC:
https://www.html5rocks.com/en/tutorials/webrtc/infrastructure/
It's possible to use your current web page in combination with Node.js, PHP and nginx.
Node.js and the signaling server run in the background on port 8888, and with a reverse proxy you can call the web page without a port in the URL.
server {
    listen 80 default;
    # server_name takes a bare host name; the posted "http://192.168.229.128" never matches any request
    server_name 192.168.229.128;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    # everything not matched by the locations below goes to the node/signaling server
    location / {
        proxy_pass http://localhost:8888;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # intended for /socket.io/...; note that this regex matches any URI containing ".io"
    location ~* \.io {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8888;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
In this case socket.io is used, but you can remove that location if you don't need it.