nginx forward single path to http - ssl

following situation:
I have an play framework server running on localhost:9000. If someone now acces from outside on that server via http, nginx redirect the http request to localhost:9000.
Now i run seperate on that server a rshiny server, that listen on port 9271(https), and has to redirect the traffic to 9270(http).
I tried already some stuff, this one is the last version, that i dont get to work:
server {
listen 9271;
server_name _;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/xxx.pem;
ssl_certificate_key /etc/nginx/ssl/xxx.key;
access_log /var/log/nginx/access.log xxx_host;
error_log /var/log/nginx/error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9270;
proxy_read_timeout 90;
proxy_redirect http://localhost:9270/ $scheme://$host/;
}
}

Related

How to redirect different subdomains to applications running on different ports with nginx

I have 2 nodejs applications running in my EC2 instance at PORT 3000 and 1337. What I want to achieve is
admin.mydomain.com
should be redirected to the application running on PORT 1337 and
mydomain.com www.mydomain.com
should be redirected to the application running on PORT 3000.
With my current nginx configuration I am getting a 502
map $subdomain $subdomain_port {
default 3000;
www 3000;
admin 1337;
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ~^(?P<subdomain>.+?)\.historydiaries\.com$;
location / {
proxy_pass http://localhost:$subdomain_port;
proxy_redirect off;
}
ssl_certificate /etc/letsencrypt/live/historydiaries.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/historydiaries.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
add_header Strict-Transport-Security “max-age=15768000” always;
}
You can achieve this using two different nginx conf
I will go with separate Nginx vhost configuration.
One for www.mydomain.com and another one for admin.mydomain.com
server {
listen 80;
server_name www.mydomain.com;
access_log /var/log/nginx/mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000/;
proxy_redirect off;
}
}
and
server {
listen 80;
server_name admin.mydomain.com;
access_log /var/log/nginx/admin.mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:1337/;
proxy_redirect off;
}
}
This just simple vhost configuration. You can add Let's Encrypt later when you need.

nginx proxy_pass with vue-cli too slow

I'm using nginx proxy_pass with vue (docker container)
when I connect with direct port (ex. http://127.0.0.1:4000) this works very well and fast.
but when I connect with 443 port with domain (ex. https://example.com) always failed with too slow javascript loading.
https://example.com/js/app.7f6baa34.js net::ERR_CONNECTION_RESET 200 (OK)
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/www.example.com/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/www.example.com/example.com.key;
server_name www.example.com;
client_max_body_size 100M;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:4000;
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
}
Problem solved.
It caused by lack of server memory.

Configure Sonarqube with SSL with NGINX as reverse-proxy - Errorcode: SSL_ERROR_RX_RECORD_TOO_LONG

I am trying to configure Sonarqube that it works with SSL. I followed the following instructions:
https://docs.sonarqube.org/latest/setup/operate-server/
Below is my configuration:
server {
listen 443 ssl;
root /opt/sonarqube/sonarqube-6.7.7/web/;
index index.html index.htm;
server_name sonar;
location / {
root /var/www/sonar;
proxy_pass http://localhost:9000;
}
}
I have tested my SSL-Certificate and it works fine with a website, that I have created, but with Sonar it is not working.
Below is the error what I get in the Firefox browser:
Errorcode: SSL_ERROR_RX_RECORD_TOO_LONG
thank you for your answers. #Steffen Ullrich: you are right.
server {
listen 9090 ssl;
ssl_certificate <CERT_NAME>.pem;
ssl_certificate_key <DOMAIN>.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ...;
ssl_dhparam <DHPARAM>.pem;
ssl_prefer_server_ciphers on;
server_name sonar;
location / {
proxy_pass http://localhost:9000;
proxy_redirect http://localhost:9000 https://<DOMAIN.net>:9090;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
Thank you all for your help.

Site redirected too many times after setting let's encrypt

I have set up www.myapp.io which connects to a MEAN-stack application hosted by nginx. It works, now, I want to add SSL to it. I have followed this link to secure with let's encrypt.
However, after the configuration, https://www.myapp.io isn’t working: www.myapp.io redirected you too many times. ERR_TOO_MANY_REDIRECTS.
The follows is /etc/nginx/sites-enabled/myapp.io, does anyone know where is wrong?
server {
listen 80;
server_name myapp.io www.myapp.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.io www.myapp.io;
ssl_certificate /etc/letsencrypt/live/myapp.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.io/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:EC$
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass https://127.0.0.1:3000;
}
}
(I did not put ssl_session_cache shared:SSL:50m;, because I already have ssl_session_cache shared:SSL:10m; in /etc/nginx/nginx.conf.)
The config file before adding ssl, which worked:
server {
listen 80;
server_name myopp.io *.myopp.io;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:3000;
}
}
PS: The site is managed via cloudflare, at the moment, the SSL setting on clouldflare is Flexible, I don't know if I need to change it.
As #dave_thompson_085 suggested in his comment, changing Flexible to Full in Cloudflare will make https://www.myapp.io reachable...

Nginx unknow protocol via ssl

I have issue with configure nginx as reverse proxy via ssl.
This is my configuration:
worker_processes 4;
events { worker_connections 1024; }
http {
upstream oidc-app {
least_conn;
server oidc_1:44338;
server oidc_2:44338;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
server_name localhost;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security max-age=15638400;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
error_log /var/log/nginx/error.log debug;
location / {
proxy_pass https://oidc-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_redirect http:// https://;
}
}
}
When I open my app in browser I have an error from nginx:
*2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 172.18.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://172.18.0.5:44338/", host: "localhost"
Whats more, if I turn on Fiddler and capture https traffic with ignore certificate - everything is fine.
However if I disable Fiddler - an error occured again.
What I'm doing wrong?
If I configure nginx as http via 80 port - everything is fine again.