I really hope you guys can help me out. I lost my way around different guides of setting up ssl.
When I try to access my site i just get 502 Bad Gateway. Plain old nginx works just fine, and "simple" ssl without forces ssl also works fine.
Here are my config files.
default.conf
## http://xn--srentorp-54a.dk redirects to https://xn--srentorp-54a.dk
server {
listen 80;
listen [::]:80;
server_name xn--srentorp-54a.dk;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://xn--srentorp-54a.dk$request_uri;
}
}
## http://www.xn--srentorp-54a.dk redirects to https://www.xn--srentorp-54a.dk
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name www.xn--srentorp-54a.dk;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://www.xn--srentorp-54a.dk$request_uri;
}
}
## https://xn--srentorp-54a.dk redirects to https://www.xn--srentorp-54a.dk
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xn--srentorp-54a.dk;
ssl_certificate /etc/letsencrypt/live/xn--srentorp-54a.dk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--srentorp-54a.dk/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/xn--srentorp-54a.dk/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
location / {
return 301 https://www.xn--srentorp-54a.dk$request_uri;
}
}
## Serves https://www.xn--srentorp-54a.dk
server {
server_name www.xn--srentorp-54a.dk;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server ipv6only=on;
ssl_certificate /etc/letsencrypt/live/xn--srentorp-54a.dk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xn--srentorp-54a.dk/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/xn--srentorp-54a.dk/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
root /var/www/;
index index.html index.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~/\.ht {
deny all;
}
}
server {
listen 80;
server_name torpinc.xn--srentorp-54a.dk;
location / {
proxy_pass http://localhost:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffers 4 32k;
client_max_body_size 8m;
client_body_buffer_size 128k;
}
}
server {
listen 80;
server_name perpt.xn--srentorp-54a.dk;
location / {
proxy_pass http://localhost:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffers 4 32k;
client_max_body_size 8m;
client_body_buffer_size 128k;
}
}
letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
ssl.conf
sl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Related
I am serving a Vue App via proxy_pass from my Nginx server. Here's my config looks like:
location /iframe/reports/ {
proxy_pass http://reports-frontend/reports;
proxy_set_header Host $host;
}
location ^~ /js/ {
proxy_pass http://reports-frontend/js/;
}
location ^~ /css/ {
proxy_pass http://reports-frontend/css/;
}
My Vue App is running inside a Nginx docker container with the following configuration:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root /app;
index index.html;
try_files $uri $uri/ /index.html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
When I request localhost:8080/iframe/reports I am able to get the index.html and assets needed. But the routing seems not to be working. Why is that so?
Thanks!
also after googling quite a bit I was not able to find the solution. I'm running a Plesk for Ubuntu and am currently deploying a react native app. All url-paths checkout fine and navigation within the app works. However if I'm for instance on www.mydomain.com/something/something and I refresh the page the refresh leads to a 404 error.
What I tried now
I ssh'ed into /var/www/vhosts/system/mydomain.com/conf and udpated the file nginx.conf with
server {
location / {
try_files $uri $uri/ /index.html?$query_string;
}
}
I restarted the service, however this does not do the trick.
Any idea how to fix that?
Thanks
Matt
Here is the full nginx.conf file:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen 175.31.15.213:443 ssl http2;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
server_name "example.com.52-29-213-14.svr.fm";
ssl_certificate /opt/psa/var/certificates/certXTrwD4;
ssl_certificate_key /opt/psa/var/certificates/certXTrwD4;
ssl_client_certificate /opt/psa/var/certificates/certL2SKRF;
client_max_body_size 128m;
root "/var/www/vhosts/example.com/httpdocs";
access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";
if ($host ~* ^1519\.tirol$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
location / {
proxy_pass https://175.31.15.213:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location /internal-nginx-static-location/ {
alias /var/www/vhosts/example.com/httpdocs/;
internal;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
proxy_pass https://175.31.15.213:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location /internal-nginx-static-location/ {
alias /var/www/vhosts/example.com/httpdocs/;
internal;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
proxy_pass https://175.31.15.213:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
alias /var/www/vhosts/example.com/web_users/$1/$2;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/example.com/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ ^/~(.+?)(/.*)?$ {
proxy_pass https://175.31.15.213:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
}
location ~ \.php(/.*)?$ {
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/example.com/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ /$ {
index "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml";
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/example.com/conf/vhost_nginx.conf";
}
server {
listen 175.31.15.213:80;
server_name example.com;
server_name www.example.com;
server_name ipv4.example.com;
server_name "example.com.52-29-213-14.svr.fm";
client_max_body_size 128m;
if ($host ~* ^1519\.tirol$) {
rewrite ^(.*)$ https://www.example.com$1 permanent;
}
return 301 https://$host$request_uri;
}
server {
location / {
try_files $uri $uri/ /index.html?$query_string;
}
}
any help would be appreciated.
I have received an SSL cert from letsencrypt, and am trying to support both HTTP and HTTPS for my server. The cert is good, but I am getting 404's when trying to access my site using https. Here is my config file:
server {
server_name my.domain.org;
root /var/www/my.domain.org/htdocs;
index index.php index.html index.html;
server_name my.domain.org;
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.domain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.org/privkey.pem;
server_name my.domain.org;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root /var/www/my.domain.org/htdocs;
index index.php index.html index.html;
}
}
Config for https does not differ from http.
So, just copy same http configuration and add ssl specific parts:
# https
server {
listen 443 ssl;
# for http2 support uncomment line bellow and comment line above
# listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.domain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.org/privkey.pem;
server_name my.domain.org;
root /var/www/my.domain.org/htdocs;
index index.php index.html index.html;
location / {
try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}
#http
server {
listen 80;
root /var/www/my.domain.org/htdocs;
index index.php index.html index.html;
server_name my.domain.org;
location / {
try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}
I have two nginx vhosts which are identical apart from the domain and the SSL/root locations. They look like this:
/etc/nginx/sites-available/domain1.co.uk
server {
listen 80;
server_name domain1.co.uk;
rewrite ^/(.*) https://domain1.co.uk/$1 permanent;
}
server {
listen 80;
listen 443 ssl;
server_name www.domain1.co.uk;
ssl_certificate /etc/nginx/ssl/domain1.chained.crt;
ssl_certificate_key /etc/nginx/ssl/private/domain1.key;
return 301 $scheme://domain1.co.uk$request_uri;
}
server {
listen 443 ssl;
server_name domain1.co.uk;
root /var/www/domain1.co.uk/public_html;
ssl_certificate /etc/nginx/ssl/domain1.chained.crt;
ssl_certificate_key /etc/nginx/ssl/private/domain1.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
try_files $uri #prerender;
}
location /blog/ {
index index.php;
try_files $uri $uri/ /blog/index.php?$args;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ ^/api {
try_files $request_uri $request_uri/ /api/index.php?$query_string;
}
location #prerender {
proxy_set_header X-Prerender-Token 4398455894u5ugjgfgfj;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
set $prerender 0;
if ($http_user_agent ~* "googlebot|yahoo|bingbot|baiduspider|yandex|yeti|yodaobot|gigabot|ia_archiver|facebookexternalhit|twitterbot|developers\.google\.com") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_|prerender=1") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($prerender = 1) {
rewrite .* /$scheme://$host$request_uri? break;
#proxy_pass http://localhost:3000;
proxy_pass http://service.prerender.io;
}
if ($prerender = 0) {
proxy_pass http://127.0.0.1:3000;
}
}
}
/etc/nginx/sites-available/domain2.co.uk
server {
listen 80;
server_name domain2.co.uk;
rewrite ^/(.*) https://domain2.co.uk/$1 permanent;
}
server {
listen 80;
listen 443 ssl;
server_name www.domain2.co.uk;
ssl_certificate /etc/nginx/ssl/domain2.chained.crt;
ssl_certificate_key /etc/nginx/ssl/private/domain2.key;
return 301 $scheme://domain2.co.uk$request_uri;
}
server {
listen 443 ssl;
server_name domain2.co.uk;
root /var/www/domain2.co.uk/public_html;
ssl_certificate /etc/nginx/ssl/domain2.chained.crt;
ssl_certificate_key /etc/nginx/ssl/private/domain2.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
try_files $uri #prerender;
}
location /blog/ {
index index.php;
try_files $uri $uri/ /blog/index.php?$args;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ ^/api {
try_files $request_uri $request_uri/ /api/index.php?$query_string;
}
location #prerender {
proxy_set_header X-Prerender-Token 4398455894u5ugjgfgfj;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
set $prerender 0;
if ($http_user_agent ~* "googlebot|yahoo|bingbot|baiduspider|yandex|yeti|yodaobot|gigabot|ia_archiver|facebookexternalhit|twitterbot|developers\.google\.com") {
set $prerender 1;
}
if ($args ~ "_escaped_fragment_|prerender=1") {
set $prerender 1;
}
if ($http_user_agent ~ "Prerender") {
set $prerender 0;
}
if ($prerender = 1) {
rewrite .* /$scheme://$host$request_uri? break;
#proxy_pass http://localhost:3000;
proxy_pass http://service.prerender.io;
}
if ($prerender = 0) {
proxy_pass http://127.0.0.1:3000;
}
}
}
When I visit domain1.co.uk it just works as expected, and redirects to the non-www https URL. If I visit domain2.co.uk though, it serves the correct SSL cert, but is showing the domain1 site on the domain2 URL.
I have a default server block as well:
server {
listen 80 default_server;
return 444;
}
server {
listen 443 default_server;
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
return 444;
}
How can I configure this so that domain2.co.uk is actually serving the files from /var/www/domain2.co.uk/public_html instead of domain1?
Ah! Sorry! I thought, you didn't have domain2.co.uk. Hoping you have "/var/www/domain2.co.uk/public_html" as root for "domain2.co.uk" server. Did you make nginx to read the /etc/nginx/sites-available/domain2.co.uk file, if it is not included. Basically, you would need to check the "include" directive in /etc/nginx/nginx.conf and also, create a sym link file "/etc/nginx/sites-enabled/domain2.co.uk" and point it to "/etc/nginx/sites-available/domain1.co.uk" to enable it.
Restarting nginx :
# service nginx start
Starting nginx: nginx: [emerg] duplicate upstream "api" in /etc/nginx/sites-enabled/default:1
nginx: configuration file /etc/nginx/nginx.conf test failed
This is the config file :
upstream api{
least_conn;
server 127.0.0.1:5001 max_fails=2 fail_timeout=15s;
server 127.0.0.1:5002 max_fails=2 fail_timeout=15s;
server 127.0.0.1:5003 max_fails=2 fail_timeout=15s;
server 127.0.0.1:5004 max_fails=2 fail_timeout=15s;
}
server {
listen 192.168.10.33:80;
allow 192.168.0.0/20;
allow 127.0.0.1/32;
deny all;
server_name api api.my.intranet;
location ^~ (/images/|/css/|/javascripts/) {
root /var/www/myapi/public/;
expires 30m;
}
# serve all other stuff from appserver
location / {
if ($http_origin ~ (.*\.my\.intranet|.*\.my\.com) ) {
add_header 'Access-Control-Allow-Origin' $http_origin;
}
# add_header 'Access-Control-Allow-Origin' '*';
expires off;
proxy_pass http://api/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
}
}
server {
listen 175.30.33.14:80;
server_name api.my.com;
return 301 https://api.my.com$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/my.com.2014.chain;
ssl_certificate_key /etc/ssl/private/my.com.2014.key;
server_tokens off;
server_name api api.my.com api.my.intranet;
location ^~ (/images/|/css/|/javascripts/) {
root /var/www/myapi/public/;
expires 30d;
}
# serve all other stuff from appserver
location / {
if ($http_origin ~ (.*\.my\.intranet|.*\.my\.com) ) {
add_header 'Access-Control-Allow-Origin' $http_origin;
}
# add_header 'Access-Control-Allow-Origin' '*';
expires off;
proxy_pass http://api/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
}
location /v2 {
rewrite ^/v2/(.*) /$1 break;
if ($http_origin ~ (.*\.my\.intranet|.*\.my\.com) ) {
add_header 'Access-Control-Allow-Origin' $http_origin;
}
# add_header 'Access-Control-Allow-Origin' '*';
expires off;
proxy_pass http://192.168.10.8:3000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Do you see any problem ?
a backup file: defuault.backup was in the same folder which created a conflict !