I am trying to push a docker image to a local docker repo on artifactory
docker push myNginxlb:2222/ubuntu
This gets a 403- Access is forbidden error. Folloing is my reverse proxy configuration under /etc/nginx/sites-enabled/artifactory
upstream artifactory_lb {
server mNginxLb.mycompany.com:8081;
server mNginxLb.mycompany.com backup;
}
log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/my-certs/myCert.pem;
ssl_certificate_key /etc/nginx/ssl/my-certs/myserver.key;
client_max_body_size 2048M;
location / {
proxy_set_header Host $host:$server_port;
proxy_pass http://artifactory_lb;
proxy_read_timeout 90;
}
access_log /var/log/nginx/access.log upstreamlog;
location /basic_status {
stub_status on;
allow all;
}
}
# Server configuration
server {
listen 2222 ssl;
server_name mNginxLb.mycompany.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
rewrite ^/(v1|v2)/(.*) /api/docker/my_local_repo_key/$1/$2;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_pass http://artifactory_lb;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
The access log indicate the following http requests
"GET /v2/ HTTP/1.1" 404 465 "-" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.13.0-24-generic os/linux arch/amd64"
"GET /v2/ HTTP/1.1" 404 465 "-" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.13.0-24-generic os/linux arch/amd64"
"GET /v1/_ping HTTP/1.1" 404 469 "-" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.13.0-24-generic os/linux arch/amd64"
"PUT /v1/repositories/ubuntu/ HTTP/1.1" 403 449 "-" "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.13.0-24-generic os/linux arch/amd64"
Also in artifactory I have configured the docker local repo to use v2 api, what am I missing?
I fixed this by appending the intermediate certificate to the ssl certificate in context
Related
I configured my server with nginx as a reverse proxy for a Nuxt/Express SSR application. For the moment I have a login page, and a home page.
I can connect and disconnect without any problem.
However, when I'm connected and I refresh the page, the loading time is very long.
I don't know if this is due to Nginx configuration or the authentication API or redirection.
I've noticed that it also happens when I type my url myself in the address bar.
Thanks in advance for your help
Update :
Here is my nginx config
worker_processes 1;
error_log logs/error.log info;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
map_hash_max_size 64;
map_hash_bucket_size 64;
map $sent_http_content_type $expires {
"text/html" epoch;
"text/html; charset=utf-8" epoch;
default off;
}
server {
listen 9998 ssl;
server_name control.serenicity.fr;
ssl_certificate "C:/nginx-1.19.0/ssl/mydomain.fr.crt";
ssl_certificate_key "C:/nginx-1.19.0/ssl/mydomain.fr.key";
location / {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://10.0.5.11:3000;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
Here are the request when I refresh :
https://drive.google.com/file/d/1PeHzCaHvLNL8_YN9ZOEFNv_gxQe2jpu9/view?usp=sharing
https://drive.google.com/file/d/1b9m3cDL_LOv1d3Kaaucnq4Qi308P8TLT/view?usp=sharing
https://drive.google.com/file/d/1xe_EBnb_XXWo7IlaI47EtlaLE6eFgd2k/view?usp=sharing
Update 2 :
After several hours of debugging, it seems that there is no link with nginx.
The problem comes from nuxt in SSR. When I disable SSR there is no more problem.
I had a working setup for static file serving with nginx, using http.
Later, when I switched to https, changing the port from 80 to 443 as well as adding ssl certificate and key, the web server cannot find the static files any more. I get 404 responses for all static files. This is my nginx configuration file:
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
upstream http_backend {
server 127.0.0.1:3001;
keepalive 32;
}
server {
listen 80;
server_name test.com;
# Redirect to https
location / {
rewrite ^ https://$host$request_uri permanent;
}
}
server {
listen 443 default_server ssl;
server_name localhost;
root /var/www/myblog/app/resources/public;
ssl on;
ssl_certificate /etc/nginx/certificate.crt;
ssl_certificate_key /etc/nginx/key.pem;
location / {
proxy_redirect off;
proxy_pass http://http_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
access_log /var/www/logs/myblog.access.log;
error_log /var/www/logs/myblog.error.log;
}
location ^~ /(css|js) {
root /var/www/myblog/app/resources/public;
}
}
}
My access log:
37.201.226.254 - - [26/Aug/2018:06:41:25 +0000] "GET /js/compiled/foo.js HTTP/1.1" 404 38 "https://www.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
37.201.226.254 - - [26/Aug/2018:06:41:25 +0000] "GET /css/mui.css HTTP/1.1" 404 38 "https://www.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
37.201.226.254 - - [26/Aug/2018:06:41:25 +0000] "GET /css/style.css HTTP/1.1" 304 0 "https://www.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
The files are in /var/www/myblog/app/resources/public: this is configured as root. I run the web server from /var/www/myblog/app.
Bear in mind this is my first deployment with NGINX. Does anyone have an idea what I forgot to configure to serve static files with https? My OS is linux.
I found out the problem through random trial and error. For some reason, changing
location ^~ /(css|js) {
root /var/www/myblog/app/resources/public;
}
to
location ~ ^/(css/|js/) {
root /var/www/myblog/app/resources/public/;
}
seems to work.
This is similar question to this one, but suggested answer does not work.
I have confirmed that the assets exist, and restart nginx as well as unicorn service.
$ service nginx restart
$ service unicorn_app_name restart
This is my /etc/nginx/sites-enabled/[app_name] config.
upstream unicorn {
server unix:/home/unicorn_user/apps/app_name/shared/sock/unicorn.unicorn_user.sock fail_timeout=0;
}
server {
listen 80;
server_name staging.mydomain.org mydomain.org;
# Do not use a /tmp folder or other users can obtain certificates.
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /etc/letsencrypt/webrootauth;
}
location / {
rewrite ^/(.*) https://staging.mydomain.org/$1 permanent;
}
}
ssl_certificate /etc/letsencrypt/live/staging.mydomain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/staging.mydomain.org/privkey.pem;
server {
listen 443 ssl;
server_name www.staging.mydomain.org;
rewrite ^(.*) https://staging.mydomain.org/$1 permanent;
}
server {
listen 443 ssl;
server_name staging.mydomain.org;
root /home/unicorn_user/apps/app_name/current/public;
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_pass http://unicorn;
}
location ~ ^/(assets)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
#add_header Last-Modified "";
#add_header ETag "";
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 60;
}
Seeing the 404's in the error and access logs. For example:
2016/05/18 07:46:01 [error] 2490#0: *4 open() "/home/unicorn_user/apps/app_name/current/public/assets/loading.gif" failed (2: No such file or directory), client: ip_address, server: staging.mydomain.org, request: "GET /assets/loading.gif HTTP/1.1", host: "staging.mydomain.org", referrer: "https://staging.mydomain.org/path/to/page"
Permissions on all the assets are 644 and 755, owned by unicorn_user and in same group name.
Can anyone make another suggestion for a log or configuration to check, a service to restart? Is there an nginx config misconfiguration?
the 404 i was getting was because one particular asset, loading.gif was generated in current/app/assets/ while the server is looking in current/public/assets/.
I had assumed that other javascript errors were being caused because of this setting, but it's simply because my Rails ignorance is so vast, I wasn't sure where to look for what.
I'm using AWS for deploying my Rails app. The request flow likes this
request -> AWS ELB (80, 443 SSL) -> EC2 (80) force to use https -> Unicorn
I've just followed devise document and use the callback link /users/auth/facebook.
When run with http then it works fine, but when I force to load https on EC2 then the callback will return
http://domain.com:443/users/auth/facebook
instead of
https://domain.com/users/auth/facebook
Then it stucks here.
What should I check? Since I already recheck the Nginx config, setting on Facebook app...
Thanks!
UPDATE
I tried to use this setting
80 ELB -> 80 EC2
443 ELB -> 443 EC2
And redirect http request to https on EC2 but the same issue happened.
I have two AWS Opsworks instances behind an Elastic Load Balancer.
The OpsWorks instances stack is Ruby on Rails + Nginx + Unicorn.
I want that my site is available both in http and https so for this reason I configured properly nginx server and in my Rails app I left this row commented:
config/environments/production.rb
# config.force_ssl = true
But I was having a problem like yours!
PROBLEM:
When a user login from http, everything is fine, but for users that are signing in from HTTPS, from facebook/twitter/instagram with devise omniauth, they were redirecting to a bad url like:
http://www.examplesite.com:443/users/auth/facebook/callback?code=xxx...xxx
I configured the ELB listener (inside AWS console) like you did in the way below, providing my certificate for the https part:
Note that HTTPS ==> HTTP
** The problem was inside my nginx configuration** and I fixed it deleting this line inside the 80 server parts:
proxy_set_header X-Forwarded-Proto http;
So at the end this is my nginx file (look unicorn inside servers 80):
upstream unicorn_examplesite.com {
server unix:/srv/www/examplesite_pics/shared/sockets/unicorn.sock fail_timeout=0;
}
server {
listen 443 default deferred;
server_name www.examplesite.com;
access_log /var/log/nginx/examplesite.com.access.log;
root /srv/www/examplesite_pics/current/public;
location ~ ^/(system|assets|img|fonts|css|doc)/ {
add_header "Access-Control-Allow-Origin" "*";
expires max;
access_log off;
allow all;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri #unicorn;
ssl on;
ssl_certificate /etc/nginx/ssl/examplesite.com.crt;
ssl_certificate_key /etc/nginx/ssl/examplesite.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_pass http://unicorn_examplesite.com;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 70;
}
server {
listen 80 default deferred;
server_name www.examplesite.com;
access_log /var/log/nginx/examplesite.com.access.log;
root /srv/www/examplesite_pics/current/public;
location ~ ^/(system|assets|img|fonts|css|doc)/ {
add_header "Access-Control-Allow-Origin" "*";
expires max;
access_log off;
allow all;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_pass http://unicorn_examplesite.com;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 70;
}
server {
listen 80;
server_name *.examplesite.com;
access_log /var/log/nginx/examplesite.com.access.log;
root /srv/www/examplesite_pics/current/public;
location ~ ^/(system|assets|img|fonts|css|doc)/ {
add_header "Access-Control-Allow-Origin" "*";
expires max;
access_log off;
allow all;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_pass http://unicorn_examplesite.com;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 70;
}
server {
listen 443;
server_name *.examplesite.com;
access_log /var/log/nginx/examplesite.com.access.log;
root /srv/www/examplesite_pics/current/public;
location ~ ^/(system|assets|img|fonts|css|doc)/ {
add_header "Access-Control-Allow-Origin" "*";
expires max;
access_log off;
allow all;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri #unicorn;
ssl on;
ssl_certificate /etc/nginx/ssl/examplesite.com.crt;
ssl_certificate_key /etc/nginx/ssl/examplesite.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_pass http://unicorn_examplesite.com;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 70;
}
server {
listen 443;
server_name examplesite.com www.examplesite.it examplesite.it;
access_log /var/log/nginx/examplesite.com.access.log;
return 301 $scheme://www.examplesite.com$request_uri;
}
server {
listen 80;
server_name examplesite.com www.examplesite.it examplesite.it;
access_log /var/log/nginx/examplesite.com.access.log;
return 301 https://www.examplesite.com$request_uri;
}
Hope it helps!
Currently, I'm working with an AWS Ubuntu EC2 instance, running a Node.js app on port 3000, that has an Nginx reverse proxy. I have been trying to enable HTTPS and add a SSL certificate and I've been successful in that I don't get any errors in the nginx.conf file. However, I am redirecting my main website, "example.com" to the public DNS of the AWS server and when I try to load the "http://example.com" or "https://example.com" page, I get a "Unable to Connect" error from Firefox, which is my testing browser. Also when I run sudo nginx -t, there are no syntactical errors in the configuration file and when I check the /var/log/nginx/error.log file it is empty. Below is my current nginx.conf file.
Update: I changed server_name from example.com to the public DNS of my server, lets call it amazonaws.com. Now, when I type in https://amazonaws.com the page loads and the SSL certificate shows up when running the website through ssllabs.com. However, when I type in amazonaws.com or http://amazonaws.com I get a blank page like before.
user root;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
# max_clients = worker_processes * worker_connections / 4
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
# backend applications
upstream nodes {
server 127.0.0.1:3000;
keepalive 64;
}
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/example_com.crt;
ssl_certificate_key /etc/nginx/ssl/example_com.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name example.com;
# everything else goes to backend node apps
location / {
proxy_pass http://nodes;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_http_version 1.1;
}
}
}
You should give this server definition
server {
listen 80;
return 301 https://$host$request_uri;
}
a server_name (eg amazonaws.com) as well.