nginx serve static file without ssl - ssl

for increment speed of my project, i want serve static file without ssl, problem is im very beginner with nginx, my actual nginx configuration is :
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
server_name selfmarket.net www.selfmarket.net;
ssl_certificate /etc/letsencrypt/live/selfmarket.net/cert.pem; # path to your cacert.pem
ssl_certificate_key /etc/letsencrypt/live/selfmarket.net/privkey.pem; # path to your privkey.pem
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
# Serve static files and uploads
location ^~ /static/ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
root /opt/master/app/;
}
location / {
proxy_pass 'http://127.0.0.1:8080/';
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
in this moment i'm force all traffic in ssl, need change for static not use ssl. How i can do this ?

Related

Static files served with Nginx empty or don't load?

I was used to serving static files through express static but want to move to Nginx. I keep my static files in a public folder: /home/user/Documents/app.com/CURRENT PROJECT/public/.
On my websites they are called like this: app.com/css/styles.js, app.com/fonts/font.woff2, app.com/js/main.js.
I wasn't able to figure it out with nginxs examples. When I tried my config they just returned 302 codes. I have tried these versions of the config + I have the entire version bellow if anyone needs it for reference.
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
}
#for each path
location /css/ {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
}
Full:
/etc/nginx/nginx.conf
user www-data;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 8192;
multi_accept on;
}
http {
upstream loadbalance {
least_conn;
server app:8003;
}
limit_req_zone $binary_remote_addr zone=ip:10m rate=4r/s;
http2_push_preload on;
server {
listen 80;
listen 443 ssl http2;
server_name www.app.com;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
return 301 https://app.com$request_uri;
}
server {
limit_req zone=ip burst=20 delay=14;
server_name app.com;
##
# SSL Settings
##
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
# added
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
#add_header Cache-Control private;
}
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://loadbalance;
}
}
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 32 16k;
gzip_http_version 1.1;
gzip_min_length 1024;
gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
client_body_timeout 16;
client_body_buffer_size 12K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
access_log off;
error_log /dev/null;
include servers/*;
}

Letsencrypt / nginx : SSL configuration went wrong

I recently acquired a domain name that I want to point to my home server. It worked very well before I tried to implement SSL. Since then I get this error when I try to access https://cloud.mydomain.com/:
SSL_ERROR_RX_RECORD_TOO_LONG
I don't know how to debug on this at all.
With my host here is my config:
mydomain.com. A [my external IP]
cloud.mydomain.com. CNAME mydomain.com.
On my server I have this:
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}
set_real_ip_from 127.0.0.1;
set_real_ip_from 192.168.1.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
# include /etc/nginx/proxy.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
# include /etc/nginx/ssl.conf;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# include /etc/nginx/header.conf;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Frame-Options "SAMEORIGIN";
# include /etc/nginx/optimization.conf;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable "MSIE [1-6]\.";
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 192.168.1.1 valid=30s;
resolver_timeout 5s;
# include /etc/nginx/conf.d/*.conf;
# etc/nginx/conf.d/nextcloud.conf;
server {
server_name cloud.mydomain.com;
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name cloud.mydomain.com;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
#SOCIAL app enabled? Please uncomment the following row
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
#WEBFINGER app enabled? Please uncomment the following two rows.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
client_max_body_size 10240M;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ~ \.(?:flv|mp4|mov|m4a)$ {
mp4;
mp4_buffer_size 100M;
mp4_max_buffer_size 1024M;
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+).php(?:$|\/) {
fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
expires 360d;
}
}
}
Here is the command I ran to generate the certificates:
sudo certbot --nginx -d mydomain.com -d cloud.mydomain.com
Note that when I access it from the local network with the address of the machine I have the certificate and the nextcloud is displayed.
My router is configured to transfer calls 80 and 443 on my machine and I can see the logs on /var/log/nginx/access.log
When I run the command:
openssl s_client -connect cloud.mydomain.com:443 -servername mydomain.com
I have the following result:
CONNECTED(00000003)
140509444985920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Would you know how to debug this please?

X-Accel-Redirect not working with SSL

I am using the X-Accel-redirect feature of Nginx for playing videos with a php file named video2.php with the following code:
header("X-Accel-Redirect: /Restr/" . $file);
(of course, much more executable code before, not necessary by now)
I also have the following file, pla.php, with 2 players embedded:
First player as source src="http://example.com/video2.php" type="video/mp4", The second as source src="video2.php" type="video/mp4"
First player works and second doesn't when I am in https mode.
Both players work when I am in http mode. The first player plays in https because the full link in http.
That means Nginx works fine with SSL in all cases but one. X-Accel-redirect feature is not working when the domain is set to https. It works perfectly in http mode.
The nginx.conf is
user nobody;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events
{
worker_connections 1024;
use epoll;
}
http
{
open_file_cache max=5000 inactive=30s;
open_file_cache_valid 120s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
open_log_file_cache max=1024 inactive=30s min_uses=2;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 5;
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_http_version 1.1;
gzip_min_length 1000;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml application/javascript application/json;
ignore_invalid_headers on;
client_header_timeout 3m;
client_body_timeout 3m;
client_max_body_size 200m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
proxy_temp_path /tmp/nginx_temp;
log_format bytes_log "$msec $bytes_sent .";
include /etc/nginx/conf.d/*.conf;
}
In xxx.xxx.xxx.xx.conf
server {
listen xxx.xxx.xxx.xx:82;
access_log /var/log/nginx/access.xxx.xxx.xxx.xx.log;
error_log /var/log/nginx/error.xxx.xxx.xxx.xx.log;
server_name xxx.xxx.xxx.xx;
root /usr/local/apache/htdocs;
location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot)\$ {
expires 7d; #Comment this out if you are using the apache backend cache-control/expires headers.
try_files \$uri \#backend;
}
error_page 405 = \#backend;
error_page 500 = \#custom;
add_header X-Cache "HIT from Backend";
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location \#backend {
internal;
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location \#custom {
internal;
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location ~ .*\.(php|jsp|cgi|pl|py)?\$ {
proxy_pass http://xxx.xxx.xxx.xx:8181;
include proxy.inc;
}
location ~ /\.ht {
deny all;
}
}
It seems here is the key, all is set to http only, not https.
the code of proxy.inc below from etc/nginx/
proxy_buffering off;
proxy_connect_timeout 59s;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_redirect off;
proxy_hide_header Vary;
proxy_hide_header X-Powered-By;
proxy_set_header Accept-Encoding '';
#If you want to get the cache-control and expire headers from apache, comment out 'proxy_ignore_headers' and uncomment 'proxy_pass_header Expires;' and 'proxy_pass_header Cache-Control
#proxy_pass_header Expires;
#proxy_pass_header Cache-Control;
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Any help will be apreciated

Nginx Enable HTTPS/SSL when forwarding to other URL

Currently, I'm working with an AWS Ubuntu EC2 instance, running a Node.js app on port 3000, that has an Nginx reverse proxy. I have been trying to enable HTTPS and add a SSL certificate and I've been successful in that I don't get any errors in the nginx.conf file. However, I am redirecting my main website, "example.com" to the public DNS of the AWS server and when I try to load the "http://example.com" or "https://example.com" page, I get a "Unable to Connect" error from Firefox, which is my testing browser. Also when I run sudo nginx -t, there are no syntactical errors in the configuration file and when I check the /var/log/nginx/error.log file it is empty. Below is my current nginx.conf file.
Update: I changed server_name from example.com to the public DNS of my server, lets call it amazonaws.com. Now, when I type in https://amazonaws.com the page loads and the SSL certificate shows up when running the website through ssllabs.com. However, when I type in amazonaws.com or http://amazonaws.com I get a blank page like before.
user root;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
# max_clients = worker_processes * worker_connections / 4
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
# backend applications
upstream nodes {
server 127.0.0.1:3000;
keepalive 64;
}
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/example_com.crt;
ssl_certificate_key /etc/nginx/ssl/example_com.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name example.com;
# everything else goes to backend node apps
location / {
proxy_pass http://nodes;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_http_version 1.1;
}
}
}
You should give this server definition
server {
listen 80;
return 301 https://$host$request_uri;
}
a server_name (eg amazonaws.com) as well.

Nginx default server always selected - Multiple SSL servers

I have 3 servers defined in Nginx (wich is used for serving static contents and as proxy for tomcat) :
One handling non-maching requests :
server {
listen 443 default_server;
return 444;
}
One for web-app A :
server {
listen 443;
server_name webAppA;
ssl on;
ssl_certificate /etc/nginx/ssl/webAppA/server.crt;
ssl_certificate_key /etc/nginx/ssl/webAppA/server.key;
index index.html;
root /var/www/webAppA/;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
try_files $uri $uri/ /index.html;
}
location /ws/ {
add_header Cache-Control no-cache;
proxy_pass http://localhost:8080/webAppA/ws/;
proxy_set_header X-Real-IP $remote_addr;
}
}
One for web-app B:
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/webAppB/server.crt;
ssl_certificate_key /etc/nginx/ssl/webAppB/server.key;
server_name webAppB
index index.html;
root /var/www/webAppB/;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /ws/ {
add_header Cache-Control no-cache;
proxy_pass http://localhost:8080/webAppB/ws/;
proxy_set_header X-Real-IP $remote_addr;
}
location / {
#auth_basic "Restricted";
#auth_basic_user_file htpasswd;
try_files $uri $uri/ /index.html;
}
}
I'm trying to access to both apps with :
https://server_ip/webAppA
https://server_ip/webAppB
But default server is always selected. I have TSL SNI support enabled.
I tried to add server names to /etc/hosts but it changes nothing.
Do you have any idea ?
Thank's a lot :)
Founded solution was to make one server because server_name refers to
"https://server_ip"
and not "wabAppA" or "webAppB".
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
root /var/www/;
location /webAppA/ {
try_files $uri $uri/ /webAppA/index.html;
}
location /webAppB/ {
try_files $uri $uri/ /webAppB/index.html;
}
location /webAppA/ws/ {
add_header Cache-Control no-cache;
proxy_pass http://localhost:8080/webAppA/ws/;
proxy_set_header X-Real-IP $remote_addr;
}
location /webAppB/ws/ {
add_header Cache-Control no-cache;
proxy_pass http://localhost:8080/webAppB/ws/;
proxy_set_header X-Real-IP $remote_addr;
}
}
It's not as flexible as I'd like it to be but it works.