Nginx unknow protocol via ssl - ssl

I have issue with configure nginx as reverse proxy via ssl.
This is my configuration:
worker_processes 4;
events { worker_connections 1024; }
http {
upstream oidc-app {
least_conn;
server oidc_1:44338;
server oidc_2:44338;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
server_name localhost;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security max-age=15638400;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
error_log /var/log/nginx/error.log debug;
location / {
proxy_pass https://oidc-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_redirect http:// https://;
}
}
}
When I open my app in browser I have an error from nginx:
*2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 172.18.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://172.18.0.5:44338/", host: "localhost"
Whats more, if I turn on Fiddler and capture https traffic with ignore certificate - everything is fine.
However if I disable Fiddler - an error occured again.
What I'm doing wrong?
If I configure nginx as http via 80 port - everything is fine again.

Related

Configure Sonarqube with SSL with NGINX as reverse-proxy - Errorcode: SSL_ERROR_RX_RECORD_TOO_LONG

I am trying to configure Sonarqube that it works with SSL. I followed the following instructions:
https://docs.sonarqube.org/latest/setup/operate-server/
Below is my configuration:
server {
listen 443 ssl;
root /opt/sonarqube/sonarqube-6.7.7/web/;
index index.html index.htm;
server_name sonar;
location / {
root /var/www/sonar;
proxy_pass http://localhost:9000;
}
}
I have tested my SSL-Certificate and it works fine with a website, that I have created, but with Sonar it is not working.
Below is the error what I get in the Firefox browser:
Errorcode: SSL_ERROR_RX_RECORD_TOO_LONG

thank you for your answers. #Steffen Ullrich: you are right.
server {
listen 9090 ssl;
ssl_certificate <CERT_NAME>.pem;
ssl_certificate_key <DOMAIN>.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ...;
ssl_dhparam <DHPARAM>.pem;
ssl_prefer_server_ciphers on;
server_name sonar;
location / {
proxy_pass http://localhost:9000;
proxy_redirect http://localhost:9000 https://<DOMAIN.net>:9090;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
Thank you all for your help.

NGINX http proxy_pass over ssl

I'm trying to set up SSL on my nginx server, it works on the plain site which is just the nginx welcome default page, but when I try any of the configured proxy_pass locations I get a cloudflare 526 Invalid SSL certificate error which rapidly flicks to a 502 bad gateway. The certificate I'm using is self signed and cloudflare SSL is set to full (not strict).
This is the error I get on my logs:
2017/11/28 22:59:10 [error] 11457#11457: *2 upstream prematurely closed connection while reading response header from upstream, client: 141.101.104.32, server: web1.olympiccode.net, request: "GET /r/ HTTP/1.1", upstream: "http://127.0.0.1:2000/r/", host: "web1.olympiccode.net", referrer: "https://web1.olympiccode.net/r"
This is my config:
user www-data;
worker_processes 1;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
send_timeout 1800;
sendfile on;
keepalive_timeout 6500;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name web1.olympiccode.net;
return 200 "hi";
}
# HTTPS server
server {
listen 443 ssl;
server_name web1.olympiccode.net;
root /usr/share/nginx/html;
ssl on;
location / {
try_files $uri $uri/ =404;
}
location /r/ {
auth_basic "RethinkDB - Web Panel";
auth_basic_user_file /etc/nginx/.rethinkdb.pass;
proxy_pass http://localhost:2000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
location /status/ {
proxy_pass http://localhost:19999;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 1800;
proxy_connect_timeout 1800;
}
}
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

nginx forward single path to http

following situation:
I have an play framework server running on localhost:9000. If someone now acces from outside on that server via http, nginx redirect the http request to localhost:9000.
Now i run seperate on that server a rshiny server, that listen on port 9271(https), and has to redirect the traffic to 9270(http).
I tried already some stuff, this one is the last version, that i dont get to work:
server {
listen 9271;
server_name _;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/xxx.pem;
ssl_certificate_key /etc/nginx/ssl/xxx.key;
access_log /var/log/nginx/access.log xxx_host;
error_log /var/log/nginx/error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9270;
proxy_read_timeout 90;
proxy_redirect http://localhost:9270/ $scheme://$host/;
}
}

Site redirected too many times after setting let's encrypt

I have set up www.myapp.io which connects to a MEAN-stack application hosted by nginx. It works, now, I want to add SSL to it. I have followed this link to secure with let's encrypt.
However, after the configuration, https://www.myapp.io isn’t working: www.myapp.io redirected you too many times. ERR_TOO_MANY_REDIRECTS.
The follows is /etc/nginx/sites-enabled/myapp.io, does anyone know where is wrong?
server {
listen 80;
server_name myapp.io www.myapp.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.io www.myapp.io;
ssl_certificate /etc/letsencrypt/live/myapp.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.io/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:EC$
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass https://127.0.0.1:3000;
}
}
(I did not put ssl_session_cache shared:SSL:50m;, because I already have ssl_session_cache shared:SSL:10m; in /etc/nginx/nginx.conf.)
The config file before adding ssl, which worked:
server {
listen 80;
server_name myopp.io *.myopp.io;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:3000;
}
}
PS: The site is managed via cloudflare, at the moment, the SSL setting on clouldflare is Flexible, I don't know if I need to change it.

As #dave_thompson_085 suggested in his comment, changing Flexible to Full in Cloudflare will make https://www.myapp.io reachable...

Starting CouchDB with SSL

I'm trying to get CouchDB working on our server over SSL.
I've added the following to our default.ini:
[daemons]
...
httpsd = {couch_httpd, start_link, [https]}
[ssl]
cert_file = /the/path/to/my/certicifate/here
key_file = /the/path/to/my/key/here
When I restart couchdb I get the following in my couch.log file:
[Fri, 27 May 2011 00:18:38 GMT] [error] [<0.86.0>] {error_report,<0.31.0>,
{<0.86.0>,supervisor_report,
[{supervisor,{local,couch_secondary_services}},
{errorContext,start_error},
{reason,
{'EXIT',
{undef,
[{couch_httpd,start_link,[https]},
{supervisor,do_start_child,2},
{supervisor,start_children,3},
{supervisor,init_children,2},
{gen_server,init_it,6},
{proc_lib,init_p_do_apply,3}]}}},
{offender,
[{pid,undefined},
{name,httpsd},
{mfargs,{couch_httpd,start_link,[https]}},
{restart_type,permanent},
{shutdown,1000},
{child_type,worker}]}]}}
[Fri, 27 May 2011 00:18:38 GMT] [error] [<0.78.0>] {error_report,<0.31.0>,
{<0.78.0>,supervisor_report,
[{supervisor,{local,couch_server_sup}},
{errorContext,start_error},
{reason,shutdown},
{offender,
[{pid,undefined},
{name,couch_secondary_services},
{mfargs,{couch_server_sup,start_secondary_services,[]}},
{restart_type,permanent},
{shutdown,infinity},
{child_type,supervisor}]}]}}
Any tips or suggestions?

If anyone is interested how we eventually solved this: (Of course for future versions you should be able to do the thing I asked about in my question.)
We used nginx as a reverse proxy for couch: http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
The nginx config file:
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
access_log /var/log/nginx/access.log;
sendfile on;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
server {
listen 80;
server_name couch.touchmetric.com;
location / {
proxy_pass http://localhost:5984;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 443;
server_name couch.touchmetric.com;
ssl on;
ssl_certificate /path/here;
ssl_certificate_key /other/path/here;
ssl_protocols SSLv3;
ssl_session_cache shared:SSL:1m;
location / {
proxy_pass http://localhost:5984;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
}
}

Native SSL support is present in CouchDB 1.1, while the current CouchDB release is version 1.0.2 iirc. Unless you have a checkout from trunk or something like that, your CouchDB does not support SSL natively.