I have an nginx setup like this:
/etc/nginx/sites-available/default-ssl.conf:
server {
listen 443 ssl;
server_name my.server.name;
ssl_certificate /etc/letsencrypt/live/my.server.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.server.name/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# root /usr/share/nginx/html;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
location /proxiedhost/ {
rewrite ^/proxiedhost(/.*)$ $1 break;
proxy_pass http://127.0.0.1:6080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
<<<< A couple more of these blocks >>>>
}
server {
listen 80;
server_name origin.ticktockhouse.co.uk;
return 301 https://$host$request_uri;
}
/etc/nginx/sites-available/aptrepo.conf:
server {
listen 80; ## listen for ipv4; this line is default and implied
root /home/aptrepo/;
index index.html index.htm;
server_name aptrepo.server.name;
}
My problem is that when I browse to http://aptrepo.server.name, it automatically redirects to https://aptrepo.server.name, which I don't have a letsencrypt cert for. Of course, I could get one, but I don't particularly need it, and would like to get to the bottom of why this is happening.
I'm willing to believe it's the server block in the default-ssl.conf, but I'm confused as to why the other server block isn't something completely separate. I've looked around for an explanation, but unfortunately most articles/questions are around how to get https to redirect to http - obviously a problem I've already solved!
Might be the case of nginx not selecting the correct server {} block.
For testing purposes only, try commenting out return 301 https://$host$request_uri; and see if this solves the problem on aptrepo.server.name
Related
Ive been reading on using Nginx as a reverse proxy for Apache and how i can get benefits from using both. I dot have much experience with nginx, so im hoping someone here with more experience can take a look at my configuration and let me know if its a good starting point/where it can be improved.
server {
listen 80 default_server;
# Here, we have told that we are to listen to any request made to port 80 & then redirect it to https.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
# This is the document root
root /var/www/html/;
# This is the file which gets loaded by default. index.html gets loaded if there is no index.php
index index.html index.htm index.php;
# This has to be the domain you want to use
server_name mysite.xyz;
ssl_certificate /etc/letsencrypt/live/mysite.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.xyz/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
# Reverse Proxy
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
proxy_pass https://127.0.0.1:444;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# This configuration prevent the logger to log not found robots.txt
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# This tells the Nginx server to rewrite any requests which do not access a valid file to rewrite on to the index.php
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# This configuration prevent the logger to log not found favicon
location = /favicon.ico {
log_not_found off;
access_log off;
}
# This says that all files with the given endings should be cached by the client
location ~* .(jpg|jpeg|png|gif|ico|svg)$ {
expires 365d;
}
# .htaccess, .htpasswd, etc, will not be served.
location ~ /\.ht {
deny all;
}
# hotlink protect your images and other file types
location ~ .(gif|png|jpg|jpeg|svg|css|js|ico)$ {
valid_referers none blocked mysite.xyz www.mysite.xyz;
if ($invalid_referer) {
return 403;
}
}
}
Use the below nginx configuration to run nginx as reverse proxy for apache
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
location /.git {
deny all;
return 404;
}
}
restart nginx server after modification
I have an out-of-the-box devpi-server running on http://
I need to get it to work on https:// instead.
I already have the certificates for the domain.
I followed the documentation for nginx-site-config, and created the /etc/nginx/conf.d/domain.conf file that has the server{} block that points to my certificates (excerpt below).
However, my devpi-server --start --init is totally ignoring any/all nginx configurations.
How do i point the devpi-server to use the nginx configurations? Is it even possible, or am I totally missing the point?
/etc/nginx/conf.d/domain.conf file contents:
server {
server_name localhost $hostname "";
listen 8081 ssl default_server;
listen [::]:8081 ssl default_server;
server_name domain;
ssl_certificate /root/certs/domain/domain.crt;
ssl_certificate_key /root/certs/domain/domain.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
gzip on;
gzip_min_length 2000;
gzip_proxied any;
gzip_types application/json;
proxy_read_timeout 60s;
client_max_body_size 64M;
# set to where your devpi-server state is on the filesystem
root /root/.devpi/server;
# try serving static files directly
location ~ /\+f/ {
# workaround to pass non-GET/HEAD requests through to the named location below
error_page 418 = #proxy_to_app;
if ($request_method !~ (GET)|(HEAD)) {
return 418;
}
expires max;
try_files /+files$uri #proxy_to_app;
}
# try serving docs directly
location ~ /\+doc/ {
try_files $uri #proxy_to_app;
}
location / {
# workaround to pass all requests to / through to the named location below
error_page 418 = #proxy_to_app;
return 418;
}
location #proxy_to_app {
proxy_pass https://localhost:8081;
proxy_set_header X-outside-url $scheme://$host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
}
This is the answer I gave to the same question on superuser.
Devpi doesn't know anything about Nginx, it will just serve HTTP traffic. When we want to interact with a web-app via HTTPS instead, we as the client need to talk to a front-end which can handle it (Nginx) which will in turn communicate with our web-app. This application of Nginx is known as a reverse proxy. As a reverse proxy we can also benefit from Nginx's ability to serve static files more efficiently than getting our web-app to do it itself (hence the "try serving..." location blocks).
Here is a complete working Nginx config that I use for devpi. Note that this is /etc/nginx/nginx.conf file rather than a domain config like yours because I'm running Nginx and Devpi in docker with compose but you should be able to pull out what you need:
worker_processes 1;
events {
worker_connections 1024;
}
http {
# Define the location for devpi
upstream pypi-backend {
server localhost:8080;
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name example.co.uk; # This is the accessing address eg. https://example.co.uk
root /devpi/server; # This is where your devpi server directory is
gzip on;
gzip_min_length 2000;
gzip_proxied any;
proxy_read_timeout 60s;
client_max_body_size 64M;
ssl_certificate /etc/nginx/certs/cert.crt; Path to certificate
ssl_certificate_key /etc/nginx/certs/cert.key; Path to certificate key
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/pypi.access.log;
# try serving static files directly
location ~ /\+f/ {
error_page 418 = #pypi_backend;
if ($request_method !~ (GET)|(HEAD)) {
return 418;
}
expires max;
try_files /+files$uri #pypi_backend;
}
# try serving docs directly
location ~ /\+doc/ {
try_files $uri #pypi_backend;
}
location / {
error_page 418 = #pypi_backend;
return 418;
}
location #pypi_backend {
proxy_pass http://pypi-backend; # Using the upstream definition
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-outside-url $scheme://$host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
With Nginx using this configuration and devpi running on http://localhost:8080, you should be able to access https://localhost or with your machine with appropriate DNS https://example.co.uk. A request will be:
client (HTTPS) > Nginx (HTTP) > devpi (HTTP) > Nginx (HTTPS) > client
This also means that you will need to make sure that Nginx is running yourself, as devpi start won't know any better. You should at the very least see an Nginx welcome page.
I am using a ssl certificate provided by comodo that seems to me to be propely configured because my website is showing the https correctly. However, I am getting 502 Bad Gateway when I access my store with ssl.
I am using nginx server and this is how I am doing this.
server {
root /var/www/html/public/;
index index.php index.html;
listen 80 default_server;
error_log /var/log/nginx/error-zzdefault.log;
access_log /var/log/nginx/access-zzdefault.log;
location / {
proxy_pass http://magento/;
}
location /phpmyadmin/ {
proxy_pass http://phpmyadmin/;
}
}
server {
listen 443 ssl;
server_name mydomain.com.br;
keepalive_timeout 70;
ssl_certificate /etc/nginx/ssl/mydomain-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
error_log /var/log/nginx/error-zzdefault.log;
access_log /var/log/nginx/access-zzdefault.log;
root /var/www/html/public/;
index index.php index.html;
location / {
proxy_pass https://magento/;
}
}
Alter the proxy_pass on the second server location who has SSL certified:
The Ip 32.999.999.999:80 should be your server main Ip address. Passing
the default port 80.
location / {
proxy_pass http://32.999.999.999:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host; }
I have a website and multiple subdomains. On each subdomain, except one, I use a CMS that generates it's own ssl using Let's Encrypt. On the remaining subdomain I want to add my own certificate from Cloudflare. I generated a certificate put it in my /var/www/my/ for now. Just for testing. And in nginx I configured this block:
server{
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /var/www/my/fullchain.cer;
ssl_certificate_key /var/www/my/my.domain.com.key;
root /var/www/my;
index index.php index.html;
server_name my.domain.com;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/my/$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
There seems to be a problem with my implementation because now my.domain.com works but for everything else I get this error from Cloudflare: Error 525: SSL handshake failed.
Any ideas what I'm doing wrong?
Thank you
EDIT:
This is the conf file from the CMS. THis is how they set the certificate.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sub.domain.com;
root /var/www/sub/system/nginx-root;
ssl_certificate /home/domain/.acme.sh/sub.domain.com/fullchain.cer;
ssl_certificate_key /home/domain/.acme.sh/sub.domain.com/sub.domain.com.key;
include /var/www/sub/system/files/ssl-params.conf;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2369;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
I'm trying to get the https working with some urls. but it seems that the https goes everywhere. In details, I have created 2 vhosts on Nginx. The first virtual host with port 80 and the other one with 443 containing SSL. now my site .i.e domain.com works for both http and https and this is not what I want. I want the https working on one some urls I specify with rules in Nginx vhost.
The main issue is when I try that I get my main site first with http then when I go to a url that contains https "secure_area", it works fine. However, whenever I go after that somewhere else in my site, the https keep going on all other urls.
here is my 443 vhost config:
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
#server_name www.mydomain.com;
ssl_session_timeout 5m;
root /vars/www/public_html/;
index index.php index.html index.htm;
ssl_certificate /path_to_ssl/certificate.pem;
ssl_certificate_key /path_to_key/server.key;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
# Serve static files directly
location ~* \.(png|jpe?g|gif|ico)$ {
expires 1y; access_log off; try_files $uri $uri/ #rewrite; gzip off;
}
location ~* \.(css)$ {
expires 1d; access_log off;
}
location ~* \.(js)$ {
expires 1h; access_log off;
}
location /secure_area/ {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
rewrite ^ https://$http_host$request_uri? permanent;
}
}
and here is my 80 vhost config:
server {
listen 80 default_server;
server_name mydomain.com;
return 301 http://www.mydomain.com;
}
server {
listen 80;
server_name www.mydomain.com;
root /vars/www/public_html/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
location /secure_area/ {
rewrite ^ https://$http_host$request_uri? permanent;
}
}
in case no one noticed, Nginx is working as reverse proexy at front end Apache
now does anyone have any idea how to force https only on some urls and in my case secure_area and force http on all other urls?
Thanks
You can tell the SSL server to redirect back to http if any other URL is visited
server {
listen 80;
server_name example.com;
# normal http settings
location /secure_area/ {
return 301 https://$http_host$request_uri$is_args$query_string;
}
}
server {
listen 443 ssl spdy;
server_name example.com;
# ssl settings;
location /secure_area/ {
#serve secure area content
}
location / {
return 301 http://$http_host$request_uri$is_args$query_string;
}
}