I am curretly working on a project where WWW subdomain isn't resolving since I moved from my previous server and make my DNS point to the new IP address. Has it something to do with HSTS settings ? SSL certificates ? Wrong redirect format ? Wrong CNAME ?
On the previous server:
I issued a SSL certificate using LetsEncrypt for both domains : website.fr and www.website.fr., running with Debian/Apache
I terminated the instance without copying the certificate.
At that time, it worked on both https www and non www
On the new server:
I've created an AWS EC2 under Ubuntu16.04/Nginx
I've issued a new SSL for both domains using LetsEncrypt
Sites-available conf file (enabled):
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name website.fr www.website.fr;
return 301 $scheme://website.fr$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.website.fr;
ssl_certificate /etc/letsencrypt/live/website.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.fr/privkey.pem;
include snippets/ssl-params.conf;
return 301 $scheme://website.fr$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/letsencrypt/live/website.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.fr/privkey.pem;
include snippets/ssl-params.conf;
root /var/www/...
...etc...
ssl-params.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECD$
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem; #Diffie-Hellman 2048 group
DNS Zone settings:
IN A XX.XX.XX.XX
* IN CNAME website.fr.
www IN CNAME website.fr.
Why isn't my WWW-Subdomain also resolving ? Why isn't the page showing ?
Problem solved by itself...
Apparently, nothing was wrong in the configuration. DNS needed A LOT OF TIME to spread (24h+).
Just needed to be patient :)
You need to point another A Record with the host "www" to your IP.
This needs to be done wherever you bought the domain.
Related
I have a video portal system that plays live streams. The issue is that the live streams are created on the fly via docker, so I can't secure them easily (HTTPS). I need a way to tell NGINX not to secure (HTTP) a single page at {my_domain}/portal/{url_variable} but make sure the rest of the site will be HTTPS. Here is my current config:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/app.domain.com/before/*;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name app.domain.com;
root /home/forge/app.domain.com/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/app.domain.com/111111/server.crt;
ssl_certificate_key /etc/nginx/ssl/app.domain.com/111111/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'stuff';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
I have attempted to add another server that listens to port 80 and use location for only for the portal URL, but the entire site then does not render.
I originally used certbot for my first site(default)'s cert. All was well and it has worked wonderfully for the past 6months.
Recently I've tried to add another site to my server , and the problem occurs when I try to certify it. (It works fine running on http - using port 80).
I followed the exact same steps as before using certbot to generate the ssl-cert (albeit changing the names), and I had no issues.
However now when I add that cert for site2 to, it redirects to default & shows as not-secure in the url-bar.
If I try go to default, it works fine and is still certified.
I'm certain it is an issue with the certificate for site2, but i'm not sure where the issue lies?
My original website "default" is a php script.
However the second site "site2" is a html script.
Default's code;
server {
listen 80 default_server ;
listen [::]:80 default_server ipv6only=on;
server_name default.com www.default.com;
return 301 https://www.default.com$request_uri;
}
server{
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include /etc/nginx/snippets/ssl-default.com.conf;
include /etc/nginx/snippets/ssl-params.conf;
location ~ /.well-known {
allow all;
}
root /var/www/default.com/site;
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.1-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
site2's code;
server {
listen 80;
listen [::]:80 ;
server_name site2.com www.site2.com;
return 302 https://www.site2.com$request_uri;
}
server{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
include /etc/nginx/snippets/ssl-site2.com.conf;
include /etc/nginx/snippets/ssl-params.conf;
location ~ /.well-known {
allow all;
}
root /var/www/site2.com/;
index index.html;
location / {
try_files $uri $uri/ =404;
}
location ~ /\.ht {
deny all;
}
}
sudo nginx -t output;
[warn] "ssl_stapling" ignored, issuer certificate not found
nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "_" on [::]:443, ignored
nginx: [warn] conflicting server name "default.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.default.com" on 0.0.0.0:80,
ignored
nginx: [warn] conflicting server name "default.com" on [::]:80, ignored
nginx: [warn] conflicting server name "www.default.com" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
params.conf contains;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;
preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl.site2.com.conf has the locations of the privkey and fullchain. (same format & location as default's just change of names..)
*Checking the "not-secure" in the url-bar, states the cert for site2 is issued to default
server_name _ should not be used on ssl hosts unless there is only one virtual host; you should set the explicit name in each server section.
Most likely, you have 2 or more configuration files where you set one value in server_name for the same port. As I can see, one of these files are default. Try to check /etc/nginx/sites-enabled for existing sites.
Try to remove line server_name _; from both ::443 configs and it should work.
I have an issue wherein I am building an nginx reverse proxy for directing to multiple microservices at different url paths.
The system is entirely docker based and as a result the same environment is used for development and production. This has caused an issue for me when installing SSL as the SSL certs will only be available in production so when I configure NGINX with SSL the development environment no longer works as the ssl certs are not present.
Here is the relevant part of my conf file -
server {
listen 80;
listen 443 default_server ssl;
server_name atvcap.server.com;
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
...
}
But this throws the following when running my application in development mode -
nginx: [emerg] BIO_new_file("/etc/nginx/certs/atvcap_cabundle.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/certs/atvcap_cabundle.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Is it possible to only turn on SSL if the "/etc/nginx/certs/atvcap_cabundle.crt" is available?
I had tried something like the following -
if (-f /etc/nginx/certs/atvcap_cabundle.crt) {
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
}
But that threw the following error -
nginx: [emerg] "ssl_certificate" directive is not allowed here in
/etc/nginx/conf.d/default.conf:7
Any one have any ideas on how to achieve something like this?
Thanks
You can create an additional file ssl.conf and put here ssl configs:
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
Then include from the main config:
server_name atvcap.server.com;
include /somepath/ssl.conf*;
Make sure to include * symbol - this will not break when the file does not exist at development mode.
The answer of #super_p is correct. But to answer to #AbdolHosein comment I add my answer here if it's not clear.
You need to include your ssl_certificate directive in the included file.
# sample nginx config
http {
server {
listen 80 deferred;
server_name _;
include /ssl/ssl.conf*;
client_body_timeout 5s;
client_header_timeout 5s;
root /code;
}
}
Then in your /ssl/ssl.conf you can do whatever you want, such as enabling HTTPS:
# this is the /ssl/ssl.conf file
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /ssl/cert.cer;
ssl_certificate_key /ssl/key.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
The trick is that we don't look if the certificate exists but we check if the /ssl/ssl.conf exists. This is thanks to the * in the include /ssl/ssl.conf*; directory as stated by #super_p
I'm running nginx server on my Raspberry Pi and it seems to be working just fine using HTTP protocol.
Recently, I decided to add HTTPS support to my server and got certificate from Let's Encrypt.
And it still works like a charm, if you are sending requests from local network. But every external request via HTTPS ends with 504 Gateway Timeout error.
Here is my config:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name domain.name;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ /.well-known {
allow all;
root /usr/share/nginx/html;
}
}
Found out that my ISP has a firewall service active by default. It was blocking all connections to 443 port. Disabling it resolved my issue.
After creating 7 SSL Certificates with Let's Encrypt, I have stumbled upon this error. I had setup all my configs correct and I scanned my whole site for SSL Vulnerabilities on [SSLLabs.com][1] and it told me that my server's certificate chain is incomplete.
The grading picture:
My SSL Grading
The error:
The error I got
I am running CentOS Linux release 7.2.1511 (Core) as a Reverse Proxy in NginX. And my configuration is:
# GhostAntiDDoS
server {
listen 443 ssl;
server_name ghostantiddos.com *.ghostantiddos.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/ghostantiddos.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=15768000;
# Bulletin
#limit_conn conn_limit_per_ip 10;
#limit_req zone=req_limit_per_ip burst=5 nodelay;
client_body_timeout 5s;
client_header_timeout 5s;
....
The rest of the parts are hidden as they will expose my origin.
If anyone could assist me in this, I'd be great!
Replace
certificate /etc/letsencrypt/live/ghostantiddos.com/cert.pem
by
certificate /etc/letsencrypt/live/ghostantiddos.com/fullchain.pem
then test again with https://ssllabs.com