My website was working properly before I installed the ssl certificate. However, once it was installed, my website stopped working. Nginx starts fine as usual, and I get no errors, but the website just doesn't work. Here's my code for nginx config:
server {
listen 80;
server_name www.example.com; (example is replaced with my domain name in code)
location / {
rewrite ^ https://$server_name$request_uri permanent;
}
}
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example_com/example.key;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://xxx.xx.xx.xxx:8004;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Related
I cannot manage to get Nginx to serve my static files. It always gives me 302 errors. I have my static files in a public folder (/home/user/Documents/myapp.com/CURRENT PROJECT/public) and want to serve them when a user goes to the site and requests myapp.com/css/style.css, myapp.com/js/main_script.js... I have the permission but from what I can tell it either can't find the file or ignores it completely and tries to serve them from the API(I can't use express.static anymore).
user www-data;
pid /run/nginx.pid
http {
upstream loadbalance {
least_conn;
server myapp:8003;
}
server {
listen 80;
listen 443 ssl http2;
server_name www.myapp.com;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
return 301 https://myapp.com$request_uri;
}
server {
root "/home/user/Documents/myapp.com/CURRENT PROJECT/public";
server_name myapp.com;
##
# SSL Settings
##
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
# This would not work
location /css/ {
autoindex on;
}
# This would not work
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
}
#Api
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://loadbalance;
}
}
}
Once you set up the reverse proxy, you should manage with express the routing of the static files.
My settings for the proxy:
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
I'm trying to deploy a Vue app with a Strapi backend on nginx.
I created 2 files in sites-available, and symlinks in sites-enabled.
I also got an ssl-cert from let’s encrypt.
When I visit the domain, I see nothing in the browser, and have a 304 and some 404 errors in the network tab. When I visit domain.com/admin, I see a strapi splashscreen, but not the login form that I need.
When I go directly to the ip, I see the frontend app, and when I visit :1337/admin, I see the backend. Any idea what I’m doing wrong here?
Thanks
my frontend.conf looks like this
server {
# Listen HTTP
listen 80;
server_name companynamefront.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# Listen HTTPS
listen 443 ssl;
server_name companynamefront.com;
# SSL config
ssl_certificate /etc/letsencrypt/live/new.companyname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/new.companyname.com/privkey.pem;
# Static Root
location / {
root /var/www/html/companyname/v-frontend/dist;
}
}
and the backend.conf looks like this
server {
# Listen HTTP
listen 80;
server_name companyname.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# Listen HTTPS
listen 443 ssl;
server_name companyname.com;
# SSL config
ssl_certificate /etc/letsencrypt/live/new.companyname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/new.companyname.com/privkey.pem;
# Static Root
location / {
root /var/www/html/companyname/backend/build;
}
# Strapi API and Admin
location /admin/ {
rewrite ^/admin/(.*)$ /$1 break;
proxy_pass http://localhost:1337;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
}
}
Now this might be a very simple issue but I can't seem to figure out how get SSL to work with Nginx. I will list what I have done so far:
Used certbot to create a fullchain.pem and privkey.pem file
Added the following code to /etc/nginx/conf.d/pubgstats.info
server {
listen 80;
server_name pubgstats.info www.pubgstats.info;
location '/.well-known/acme-challenge' {
root /srv/www/pubg-stats;
}
location / {
proxy_pass http://localhost:4200;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /secure {
auth_pam "Secure zone";
auth_pam_service_name "nginx";
}
}
server {
listen 443;
ssl on;
ssl_certificate /srv/www/pubg-stats/certs/fullchain.pem;
ssl_certificate_key /srv/www/pubg-stats/certs/privkey.pem;
server_name pubgstats.info www.pubgstats.info;
location / {
root /srv/www/pubg-stats/;
}
}
From what I understand, the configuration listens on port 80 and upgrades a HTTP request to HTTPS. The code was mostly taken from this article. I added the SSL part of the configuration as stated here. Now visiting the site over HTTP works. On HTTPS, the connection is reset. What am I missing in the configuration and what's the best way to configure SSL with Nginx in this case?
I don't understand why you didn't add this to /etc/nginx/nginx.conf, but the issue appears to be that you've declared multiple server blocks for the same server. In that case, nqinx will usually choose the first depending on different criteria.
With this configuration, nginx will use SSL by default. If that is not what you want, remove default_server. You don't need ssl on as that is now obsolete and replaced with the ssl parameter in the listen directive.
server {
listen 80;
listen 443 default_server ssl;
ssl_certificate /srv/www/pubg-stats/certs/fullchain.pem;
ssl_certificate_key /srv/www/pubg-stats/certs/privkey.pem;
server_name pubgstats.info www.pubgstats.info;
location '/.well-known/acme-challenge' {
root /srv/www/pubg-stats;
}
location / {
proxy_pass http://localhost:4200;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /secure {
auth_pam "Secure zone";
auth_pam_service_name "nginx";
}
}
I am trying attempting to get the 'www' sub-domain redirected to the same route without the 'www' but when accessing the address i receive the following error:
Your connection is not private
Attackers might be trying to steal your information from www.*.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
The sub-domain without the 'www' is fully active and set up with an SSL i've made using Lets Encrypt (both version of the sub-domains were registered when creating the SSL).
When doing a curl command on the 'www' domain i successfully get a '301 Moved Permanently'.
Here is the configuration file of my nginx:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 sitename.com$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
edited, see comment
You could try a more complete solution. Using wildcards and a improved redirect. Please try it!
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name .sitename.com; # Note the '.' before sitename!
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Docs
.sitename.com;
A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
I've decided to tackle this issue in another way. I generated another Lets Encrypt SSL certificate for the 'www' subdomain and created another block.
Now everything works as expected.
Here is my updated config:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
server_name sitename.com www.sitename.com;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/www.sitename.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.sitename.com-0001/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
I configured some basic proxies and then ran certbot. It endlessly redirects me, unfortunately.
I have tried numerous solutions to no avail. Is there something wrong with the other these server blocks are in? Any help would be much appreciated.
server {
server_name www.example.com;
return 301 https://example.com$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://localhost:3000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Host $host;
}
location /api/ {
proxy_pass http://localhost:8000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
listen [::]:80 default_server;
return 302 https://$host$request_uri;
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name www.example.com;
listen 80;
return 404; # managed by Certbot
}
Try:
server {
listen 80;
listen [::]:80 default_server;
server_name www.example.com example.com;
return 302 https://$host$request_uri;
}
server {
server_name www.example.com example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
location / {
proxy_pass http://localhost:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Host $host;
}
location /api/ {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}