I set up ssl with certbot on my nginx server and it says 'too many redirects on this server'.
I tried to find out but it was too hard. what is the problem?
here are my config file. I need your help.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
server_name example.com;
root /usr/share/nginx/html/wordpress;
include /etc/nginx/default.d/*.conf;
location / {
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
Related
I need to use headless puppeteer for a domain with multiple users and a certificate for each user.
Nginx's proxy_pass is used to "inject" the client certificate.
I need to be able to access targetdomain.com with 3 different certificates.
My nginx configuration:
server1 name target.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 1.crt proxy_ssl_certificate_key 1.pem
server2 name target2.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 2.crt proxy_ssl_certificate_key 2.pem
server3 name target3.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 3.crt proxy_ssl_certificate_key 3.pem
server {
listen 443 http2 ssl;
server_name target.mydomain.com;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass https://targetdomain.com/;
proxy_ssl_certificate /home/user/1.crt;
proxy_ssl_certificate_key /home/user/1.pem;
proxy_ssl_protocols TLSv1;
proxy_ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA;
proxy_ssl_server_name on;
}
}
server {
listen 443 http2 ssl;
server_name target2.mydomain.com;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass https://targetdomain.com/;
proxy_ssl_certificate /home/user/2.crt;
proxy_ssl_certificate_key /home/user/2.pem;
proxy_ssl_protocols TLSv1;
proxy_ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA;
proxy_ssl_server_name on;
}
}
...
The problem: on each nginx restart all 3 servers use the same certificate either 1,2 or 3.
Originally a single pfx certificate (for each user) was provided to me for target domain.
Each pfx file was converted to .pem (containing a decrypted private key) and a .crt (pem format) file containing 3 certificate (I don't know why, but it seems to need all 3 of them).
So how can I fix this and make nginx use the proper cert for each server?
I am attempting to setup SSL with Nginx running on a docker swarm but have run into an issue. Everything looks correct but any request I make just hangs until I get a 502. I made sure to expose port 443 in my compose file. Here is the nginx error I am getting:
*7 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.255.0.2, server: subdomain.mysite.com, request: "GET /api-v1/user-login HTTP/2.0", upstream: "https://10.0.0.6:5051/api-v1/user-login", host: "subdomain.mysite.com"
Here is the relevant piece of my nginx default.conf:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols SSLv3 TLSv1;
upstream siteStage {
ip_hash;
server siteStage:5051;
}
server {
listen 443 ssl http2 ;
server_name subdomain.mysite.com;
ssl on;
ssl_certificate /path/provided.crt;
ssl_certificate_key /path/client.key;
ssl_client_certificate /path/ca.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_verify_client off;
location / {
proxy_ssl_certificate /etc/ssl/client.pem;
proxy_ssl_certificate_key /etc/ssl/client.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_session_reuse on;
proxy_pass https://siteStage/;
}
}
It turns out it was my nginx config. Here is how I finally got it to work:
# No upstream
server {
listen 80;
listen 443 ssl default_server;
server_name subdomain.mysite.com;
ssl on;
ssl_certificate /path/provided.crt;
ssl_certificate_key /path/client.key;
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
location / {
proxy_pass http://siteStage:5051/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
}
}
I am trying to set up Nginx to redirect all www.example.com and https://www.example.com requests to https://example.com. Here is my config:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
root /var/www/domain.com/system/nginx-root;
ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /home/user/.acme.sh/example.com/domain.com.key;
include /var/www/example.com/system/files/ssl-params.conf;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
Here are the contents of the ssl-params.conf file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128$
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /var/www/example.com/system/files/dhparam.pem;
I can access example.com and https://example.com but when I try www.example.com and https://www.example.com I get a Your connection is not private error in Chrome and the site is blocked.
Can anyone help me with this?
EDIT:
I added this server block and it did not help:
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /home/user/.acme.sh/example.com/example.com.key;
include /var/www/example.com/system/files/ssl-params.conf;
return 301 https://example.com$request_uri;
}
I have trouble getting HSTS status working with SSL Labs. HSTS shows up as "No" when I test my website, but I have HSTS configured in my config file. I have nginx 1.6.2. Following is the conf file. Any help would be highly appreciated. Thanks!
server {
listen 443;
ssl on;
ssl_certificate <<path to cerificate>>;
ssl_certificate_key <<path to key>>
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
ssl_prefer_server_ciphers on;
ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location /{
proxy_pass http://localhost:4002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
root /usr/share/nginx/html;
index index.html index.htm;
Put something in index.html in your root location and try to open it in a browser;
index.html should be reachable.
I'm experiencing a weird Nginx SSL issue that I can't seem to figure out.
What's happening is some users were receiving invalid SSL certificate errors while browsing "site2.com", in the error it was saying that the SSL for site2 was actually for site1.com so for some reason Nginx was loading the SSL from site1 for site2.
So to troubleshoot, I tried removing the entire "SITE_1" block from nginx config, and then site2.com wouldn't load at all. So I'm super confused as to what I'm doing wrong.
Can someone assist me?
# SITE_1
server {
listen 443;
ssl on;
server_name site1.com;
client_max_body_size 10M;
client_body_buffer_size 128k;
ssl_certificate /home/sites/conf/ssl_site1.crt;
ssl_certificate_key /home/sites/conf/ssl_site1.key;
ssl_session_timeout 25m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 240;
proxy_connect_timeout 240;
proxy_send_timeout 240;
send_timeout 240;
proxy_pass http://apache_server;
}
}
# SITE_2
server {
listen 443;
server_name site2.com;
client_max_body_size 10M;
client_body_buffer_size 128k;
ssl_certificate /home/sites/conf/ssl_site2.crt;
ssl_certificate_key /home/sites/conf/ssl_site2.key;
ssl_session_timeout 25m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
gzip on;
gzip_static on;
gzip_buffers 16 8k;
gzip_comp_level 9;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/plain text/css application/x-javascript;
gzip_vary on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 240;
proxy_connect_timeout 240;
proxy_send_timeout 240;
send_timeout 240;
proxy_pass http://apache_server;
}
}
Looks like site2 server declaration is missing the ssl on; config. In site1, you have it directly under listen.