Nginx configuration for jenkins port - ssl

I'm new to Nginx and I have the following problem in the configuration: since I've set up the ssl certificate I can no longer access the Jenkins admin (which I did by accessing mydomanin.net:8080).
Here is the configuration I have now set in the /etc/nginx/sites-available/default :
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mydomain.net;
return 301 https://$server_name$request_uri;
}
server {
server_name mydomain.net;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-mydomain.net.conf;
include snippets/ssl-params.conf;
root /var/www/foldername;
index index.html index.htm index.nginx-debian.html;
location / {
error_page 404 =200 /index.html;
}
}
Everything works fine but I have to be able to access the Jenkins admin on port 8080. If I try it now I get a This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR.
I have tried setting up another server block with listen on port 8080 but with no success. Also, I've tried to add another listen on the existing server block, same outcome :(.
Any tips that would set me on the right direction would be much appreciated.
Thank you

Related

Https require port 80 in url

Using Nginx 1.12.1 version
Without port no specified URL will not work for Https i.e https://test.domain.com:80
Below is the code:
server {
listen 80 default_server;
listen [::]:80 default_server;
ssl on;
server_name ~^(?<subdomain>[^.]+)\.domain.com$;
ssl_certificate /etc/ssl/ssl_certificate.cer;
ssl_certificate_key /etc/ssl/sslnew.key;
root /var/www/$subdomain;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
If I remove "SSL on" then https will not work but it will work without port no i.e test.domain.com.
http assumes port 80 and https assumes port 443. If you want a browser to override these defaults, the port must be specified in the URL.
The correct solution is to provide http over port 80 and https over port 443, in which case, the port does not need to be provided in the URL and can be assumed from the scheme (http or https).
For example:
server {
listen 80;
listen 443 ssl;
...
}
See this document for details.

How to listen to different port on Nginx and proxy the request?

I am a newbie to Nginx config and all, I have a process which is an express app, running on port 3000 using pm2 and I have allowed port 3000 using ufw as well, and have made a server instance on Nginx to proxy it,
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .mysite.co;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/django/mysite;
}
proxy_cache mysite;
location / {
include proxy_params;
proxy_pass http://unix:/home/django/mysite/mysite.sock;
}
gzip_comp_level 3;
gzip_types text/plain text/css image/*;
ssl_certificate /etc/letsencrypt/live/mysite.co/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.co/privkey.pem; # managed by Certbot
}
server {
if ($host = www.mysite.co) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mysite.co) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name .mysite.co;
return 404; # managed by Certbot
}
server{
listen 3000;
listen 443 ssl http2;
server_name .mysite.co:3000;
location / {
proxy_pass https://localhost:3000;
}
}
I ran netstat -napl | grep 3000 and I could confirm that the process is running and pm2 status also says its running and no errors in log as well.
How could I make this work? Thanks for the help in advance.
You won't be able to use nginx to listen on port 3000 as well as your node process as only one service can really listen on the port at once. So you'll need to ensure nginx is listening for connections on a different port. I imagine what you're trying to do is to listen on port 80 / 443 and then send the request onto your express service which is listening on port 3000?
In this case your bottom server block is nearly correct. To get this working without TLS/SSL (just on port 80) you'll want to use something like this:
server {
listen 80;
server_name node.mysite.co
location / {
proxy_pass http://localhost:3000;
}
}
The following is a very basic example and you'll probably want to toggle some other settings. This will make "http://node.mysite.co" go proxy through to whatever service (in this case an Express server) is listening on port 3000 locally.
You do not need to make a firewall (ufw) exception for port 3000 in this case as it's a local proxy pass. You should close the port on the firewall so people can't access it directly, this way the must go through nginx.
If you want to get SSL/TLS working, you'll want another block that'll look something like the following. Again, this is very basic and doesn't have a lot of settings you probably want to research and set (such as cipher choices).
server {
listen 443 ssl;
server_name node.mysite.co
ssl_certificate certs/mysite/server.crt;
ssl_certificate_key certs/mysite/server.key;
location / {
proxy_pass http://localhost:3000;
}
}
You'll need to replace the cert and key path to point to your SSL/TLS ceritifcate and key respectively. This will enable you to access https://node.mysite.co and it'll be proxied onto the service on port 3000 as well.
Once you've done that you might then choose to go back and change the http (port 80) server to a redirect to https to force https only connections.
Also note that I've ensured the server_name is different to your existing django server_name with a subdomain (node.mysite.co). You might wish to change this value but you can't have two server blocks listening on the same port and server_name, otherwise nginx would have no idea what to do with the request. I'm sure you're doing this anyway but I wanted to make sure it was explicit and would work with your existing setup.
If you wish the site to be served only for mysite.co:3000
If for some reason you want the user to go to port 3000 on the domain mysite.co, then you will need to set the "listen" to 3000 and keep the server name as "mysite.co". This will allow someone to go to mysite.co:3000 in their browser and hit your node service. I imagine this isn't really what you want for a public facing website though, it also won't line up very nicely with your port 443 version.
Note: I don't claim to be an nginx expert, but I've used it for all my node projects for the past few years and I find this setup to be pretty clear. There might be some nicer syntax you can use.

nginx responds to all domains

Someone else is using my AWS EC2 on preview.theirdomain.com, so my node server (behind nginx) shows up on google searches for mydomain.com.
I have followed the nginx pitfalls, or at least tried, but can't figure out why my server is still responding to theirdomain.com.
This stops the server from responding completelely, both to www.mydomain.com and preview.theirdomain.com. Not a good solution
When I comment out the second server listen 443; ... the server is fully open to www.mydomain.com and preview.theirdomain.com
/etc/nginx/sites-enabled/default:
server {
listen 80;
server_name preview.theirdomain.com;
return 404;
}
server{
listen 443;
server_name preview.theirdomain.com;
return 404;
}
server {
listen 80;
return 404;
}
server {
listen 80;
server_name www.mydomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.mydomain.com;
#more stuff that works
}
From google domains I am only forwarding www.mydomain.com, and as you can see, the server reroutes everything to ssl. On preview.theirdomain.com, the https is not working, as my certificates only work for www.mydomain.com
There are no other files in the /etc/nginx/sites-enables, and I am running out of ideas.
I got help over at Freenode #nginx, and the solution was to add default_server to my server.
server{
listen 443 ssl default_server;
server_name www.mydomain.com;
#more stuff that works
}
I'm sure there is a good reason why. Leaving it here for anyone else on the verge of breakdown.

How can a single nginx virtual server deal with both port 80 and 443?

I have a config file with a virtual server setup, this is running on port 443 for ssl. I would also like this same virtual server to handle non ssl traffic on port 80.
I was hoping to do the following but it doesn't seem to work.
server {
listen 443 ssl;
listen 80;
server_name example.com;
...
}
It looks like the ssl options below these settings are causing problems for the non ssl traffic.
Yes, of course.
server {
listen 80;
listen 443 ssl;
# force https-redirects
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
}
Here is my post, name "Nginx Configuration for HTTPS" which contains more info.
Remove ssl on; directive.
ssl flag in listen directive is exactly what you need.
See http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server

Why does listen `443 default_server ssl` work for multiple server names in nginx?

I run nginx for static content and as a proxy to Apache/mod_wsgi serving django. I have example.com and test.example.com as proxy to Apache/Django and static.example.com which serves all static files directly through nginx. I have a wildcard SSL cert so that each of these sub-domains can use SSL (and I only have one IP).
Why is it that when using listen 443 default_server ssl; in either test.example.com or example.com, SSL works for both yet I have to explicitly listen to 443 for static.example.com?
ssl_certificate /etc/ssl/certs/example.chained.crt;
ssl_certificate_key /etc/ssl/private/example.key;
server {
listen 80;
listen 443;
server_name static.example.com;
# ... serves content ...
}
server {
listen 80;
listen 443 default_server ssl;
server_name example.com;
# ... proxy pass to http://example.com:8080 (apache) ...
}
server {
listen 80;
# why don't I need `listen 443;` here?
server_name test.example.com;
# ... proxy pass to http://test.example.com:8080 (apache) ...
}
The SSL protocol by itself (without the SNI extension) uses the ip address of the server to request the SSL certificate. With SNI it also passes the hostname (doesn't work for Win XP), but that should't be relevant here.
Server directives are not an exact match. It's the "closest" match. It may appear "work", but it may be ending up in the wrong server directive. It's hard to tell without any more information, like the server root.
The point is something will always work since you appear to be using a single ip address.