Proxy Neo4j binary bolt protocol using nginx to add encryption and authentication - ssl

It is possible to use nginx to proxy Neo4j's http protocol to add encryption and authentication:
server {
server_name graph.example.org;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
location / {
proxy_pass http://localhost:7471/;
auth_basic "restricted";
auth_basic_user_file /path/to/users;
}
}
But I do not know how to proxy the bolt connection; a pseudo-configuration that contains all the necessary info:
server {
server_name graph.example.org;
listen 7687 ssl;
listen [::]:7687 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
<some ‘location’ directive> {
<some-proxy-directive> localhost:7686;
# dbms.connector.bolt.address=localhost:7686
auth_basic "restricted";
auth_basic_user_file /path/to/users;
}
}
Given that location does not make sense in this context and that proxy_pass needs an http(s)-based url, this pseudo-configuration is probably not close to the wanted one.
In an answer to the the question “Is it possible to forward NON-http connecting request to some other port in nginx?”, the stream-core module is suggested. But it is not clear to me how I'd use it. Would the following work (I have not yet been able to test this):
stream {
server {
server_name graph.example.org;
listen 7687 ssl;
listen [::]:7687 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
include snippets/ssl-params.conf;
auth_basic "restricted";
auth_basic_user_file /path/to/users;
proxy_pass localhost:7686;
# dbms.connector.bolt.address=localhost:7686
}
}
Perhaps directive need to be modified or more directives need to be added to make this work?

Related

NGINX - One to many server same port

I have this setup of NGINX as a reverse proxy.
server {
listen 443 ssl;
server_name site1.example.com;
ssl_certificate /home/efwm/efwmsw/certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8010;
}
}
server {
listen 443 ssl;
server_name site2.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8020;
}
}
server {
listen 443 ssl;
server_name site3.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://192.168.1.50:8000;
}
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
For first two servers everything works fine but requests to third server get:ERR_CONNECTION_REFUSED.
I add that the first two services are contained in docker on the same server where NGINX runs, while the third is an autonomous server. Nothing is written in the error log. Of course I tried calling the exposed service on the third server and it works. Any suggestion is welcome. Thank you

Pass proxy depending on URL prefix

I'm new to NginX and I have been trying to figure out how to do the following;
example.com forwards to the express application running on port 3000 with the purpose of serving clients.
dashboard.example.com forwards to the express application running on port 3001 with the purpose of serving administrators.
For this, I have set up the following configuration;
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com dashboard.example.com;
return 302 https://$server_name$request_uri;
}
# dashboard.example.com for administrators.
server {
listen 80;
server_name dashboard.example.com;
location / {
proxy_pass http://localhost:3001;
}
}
# example.com for normal users.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:3000;
}
}
The problem is that dashboard.example.com and example.com (as does www.example.com) all forward to the client server running on port 3000. How can I make dashboard.example.com forward to 3001?
The issue seems to be that you always redirect to https (good job!), but you only listen for SSL traffic (port 443) on the server_name example.com and www.example.com, and have no proxy configuration for ssl on the dashboard. Try something like:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com dashboard.example.com;
return 302 https://$server_name$request_uri;
}
# dashboard.example.com for administrators.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name dashboard.example.com;
location / {
proxy_pass http://localhost:3001;
}
}
# example.com for normal users.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:3000;
}
}
Let me know if re-writing the middle block works for you. If the intention is not to have https on the dashboard for administrators, you need to remove dashboard.example.com from line 4 instead.

no "ssl_certificate" is defined for the "listen ... ssl" directive

I am trying to configure nginx server for my website. I am using the following code to configure my server. It works if I add default_server for my www.fastenglishacademy.fr (443) server block.
But in that case, All my subdomains also brings the content of www.fastenglishacademy.fr
And if I remove the default_server, I get the following error:
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/fastenglishacademy.fr.conf:14
nginx: configuration file /etc/nginx/nginx.conf test failed
My nginx configuration codes:
server {
listen 80;
listen [::]:80;
server_name fastenglishacademy.fr;
return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name www.fastenglishacademy.fr;
return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name fastenglishacademy.fr;
return 301 https://www.fastenglishacademy.fr$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /media/fea/www/fastenglishacademy.com;
index index.html index.htm index.nginx-debian.html;
server_name www.fastenglishacademy.fr;
location / {
etag on;
try_files $uri$args $uri$args/ /index.html;
}
location ~* \.(jpg|jpeg|png|gif|ico|ttf|woff2|woff|svg)$ {
expires 365d;
}
location ~* \.(css|js)$ {
expires 30d;
}
location ~* \.(pdf)$ {
expires 15d;
}
#WARNING: Please read before adding the lines below!
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# SSL Certificates
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
ssl_trusted_certificate /path/to/chain.pem;
}
My links:
https://www.fastenglishacademy.fr/
https://api.fastenglishacademy.fr/
Your server section is missing ssl_certificate and ssl_certificate_key declarations.
You need to have a .crt and a .key file to run with ssl.
It should looks like
server {
listen 80;
listen 443 default_server ssl;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
... other declarations
}
Had the same problem.
Adding directive
ssl on;
solved my problem.

Openerp always goes to http instead of https with nginx

I have openerp running on port 8069.
this is the nginx conf:
server {
listen 80;
listen [::]:80;
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
}
aand location goes here and port proxy which works...
and when access openerp, always is http unless specified in the url with https, that way it works, but it is not redirected to https automatically.
this is the link that i get
http://erp.mysite.hr/web/login?redirect=http%3A%2F%2Ferp.mysite.hr%2Fweb
Any idea what could be the problem?
Thanks
This should work correctly, any http request will be redirected to https, which will be taken later by the top block.
server {
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
#do whatever you need here
}
}
server {
listen 80;
server_name www.erp.mysite.hr;
location / {
return 301 https://$host$request_uri$is_args$args;
}
}
First. Change your nginx code, second go to system parameters and change a parameter
web.base.url = "https://erp.mysite.hr"
to your url.
You can also add a parameter url freeze to prevent reloading of this attribute
web.base.url.freeze = True

nginx simple SSL connection

I am new to setup a simple SSL connection using nginx. The code I wrote below is accessible but it is not running with SSL. What am I missing?
My test site is just a simple index.html. My certificate and key is saved in /etc/ssl/certs.
server {
listen 80;
server_name example.com;
location / {
proxy_pass https://example.com:443;
}
}
server {
listen 443;
root /home/deploy/test;
ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
}
You have to redirect non-HTTPS to HTTPS, not proxy pass.
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443;
server_name example.com;
root /home/deploy/test;
ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
}