I'm configuring nginx server to use SSL. Configuration looks like this (separate file in conf.d)
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/server.cer;
ssl_certificate_key engine:gost_capi:foobar.ru;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:MEDIUM:+GOST2001-GOST89;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
I'm using russian GOST cryptography, In order to access the private key I use "engine:" reserved word. Nginx should access the private key using defined engine, but it interprets is like a file instead. I get an error:
file /etc/nginx/engine:gost_capi:foobar.ru not found
Why it happens like this?
Related
I have an issue wherein I am building an nginx reverse proxy for directing to multiple microservices at different url paths.
The system is entirely docker based and as a result the same environment is used for development and production. This has caused an issue for me when installing SSL as the SSL certs will only be available in production so when I configure NGINX with SSL the development environment no longer works as the ssl certs are not present.
Here is the relevant part of my conf file -
server {
listen 80;
listen 443 default_server ssl;
server_name atvcap.server.com;
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
...
}
But this throws the following when running my application in development mode -
nginx: [emerg] BIO_new_file("/etc/nginx/certs/atvcap_cabundle.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/certs/atvcap_cabundle.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Is it possible to only turn on SSL if the "/etc/nginx/certs/atvcap_cabundle.crt" is available?
I had tried something like the following -
if (-f /etc/nginx/certs/atvcap_cabundle.crt) {
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
}
But that threw the following error -
nginx: [emerg] "ssl_certificate" directive is not allowed here in
/etc/nginx/conf.d/default.conf:7
Any one have any ideas on how to achieve something like this?
Thanks
You can create an additional file ssl.conf and put here ssl configs:
ssl_certificate /etc/nginx/certs/atvcap_cabundle.crt;
ssl_certificate_key /etc/nginx/certs/atvcap.key;
Then include from the main config:
server_name atvcap.server.com;
include /somepath/ssl.conf*;
Make sure to include * symbol - this will not break when the file does not exist at development mode.
The answer of #super_p is correct. But to answer to #AbdolHosein comment I add my answer here if it's not clear.
You need to include your ssl_certificate directive in the included file.
# sample nginx config
http {
server {
listen 80 deferred;
server_name _;
include /ssl/ssl.conf*;
client_body_timeout 5s;
client_header_timeout 5s;
root /code;
}
}
Then in your /ssl/ssl.conf you can do whatever you want, such as enabling HTTPS:
# this is the /ssl/ssl.conf file
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /ssl/cert.cer;
ssl_certificate_key /ssl/key.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
The trick is that we don't look if the certificate exists but we check if the /ssl/ssl.conf exists. This is thanks to the * in the include /ssl/ssl.conf*; directory as stated by #super_p
I'm running nginx server on my Raspberry Pi and it seems to be working just fine using HTTP protocol.
Recently, I decided to add HTTPS support to my server and got certificate from Let's Encrypt.
And it still works like a charm, if you are sending requests from local network. But every external request via HTTPS ends with 504 Gateway Timeout error.
Here is my config:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name domain.name;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.name/chain.pem;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ /.well-known {
allow all;
root /usr/share/nginx/html;
}
}
Found out that my ISP has a firewall service active by default. It was blocking all connections to 443 port. Disabling it resolved my issue.
I am web developer using nginx 1.6.2 ver using openssl 1.0.2h
I manage a lot of domains.
And very interested in security.
So My default nginx ssl setting is right here.
default.conf
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/SSL/***.crt;
ssl_certificate_key /etc/nginx/SSL/***.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location ~ {
root /etc/nginx/html;
index index.php;
return 470;
include /etc/nginx/sites-enabled/error_config;
}
}
as you can see, I used only ssl_protocols TLSv1, TLSv1.1, TLSv1.2
and I want to one of domains, getssltest.ga
Want to use only TLSv 1.1 & TLSv 1.2
But I tried to change virtual host configure file any way.
However, just adding 'ssl_protocols TLSv1.1 TLSv1.2;' doesn't validate.
like above this.
server {
listen 443;
server_name getssltest.ga www.getssltest.ga;
ssl_protocols TLSv1.1 TLSv1.2;
ssl on;
ssl_certificate **;
ssl_certificate_key **;
include /etc/nginx/sites-enabled/ssl_config;
proxy_http_version 1.1;
I can not find the way. ( I could check the protocols in here https://www.ssllabs.com/ssltest/analyze.html?d=getssltest.ga)
How can I override ssl_protocol to one of my virtual hosts?
Thx.
You can look it into documentation http://nginx.org/en/docs/http/configuring_https_servers.html, configuration should be how that:
server {
listen 443 ssl;
server_name getssltest.ga www.getssltest.ga;
ssl_certificate *;
ssl_certificate_key *;
ssl_protocols TLSv1.1 TLSv1.2;
...
}
So I'm having trouble getting my ssl cert working properly in a rails app with nginx. Do I need to use the sites-available folder, or can I just stick all my cert info in the /opt/nginx/conf/nginx.conf file? Currently, my nginx.conf file looks like this, but when I try to access the site using https it doesn't work. Before this, I have another server block that listens on port 80, and that works for http, but this one for https doesn't work. Any ideas?
server {
listen 443;
server_name www.mysite.com;
#localhost;
ssl on;
ssl_certificate reference to my pem file
ssl_certificate_key reference to my key file
root reference to app in /var/www
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
}
I spent a lot of time today setting up SSL on nginx. First thing I would suggest checking is that port 443 is open from something like www.checkmyports.net
Also, do you get an error when you restart nginx?
Is there anyway to have ssl configured for dynamic mass virtual hosts?
ssl_certificate ssl/$host/mysite.com.crt;
ssl_certificate_key ssl/$host/mysite.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers on;
server {
listen 80;
server_name $host;
root /var/www/html/$host;
}
Using something like this to select the right ssl cert for the host.
I have several thousand sites that need a different document roots and some need ssl capability .