nginx simple SSL connection - ssl

I am new to setting up a simple SSL connection using nginx. The code I wrote below is accessible but it is not running with SSL. What am I missing?
My test site is just a simple index.html. My certificate and key are saved in /etc/ssl/certs.
server {
listen 80;
server_name example.com;
location / {
proxy_pass https://example.com:443;
}
}
server {
listen 443;
root /home/deploy/test;
ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
}

You have to redirect non-HTTPS to HTTPS, not proxy pass.
server {
    listen 80;
    server_name example.com;
    # Send every plain-HTTP request to the HTTPS site
    return 301 https://example.com$request_uri;
}
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.com;
    root /home/deploy/test;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
}

Related

NGINX - One to many server same port

I have this setup of NGINX as a reverse proxy.
server {
listen 443 ssl;
server_name site1.example.com;
ssl_certificate /home/efwm/efwmsw/certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8010;
}
}
server {
listen 443 ssl;
server_name site2.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8020;
}
}
server {
listen 443 ssl;
server_name site3.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://192.168.1.50:8000;
}
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
For the first two servers everything works fine, but requests to the third server get: ERR_CONNECTION_REFUSED.
I add that the first two services are contained in docker on the same server where NGINX runs, while the third is an autonomous server. Nothing is written in the error log. Of course I tried calling the exposed service on the third server and it works. Any suggestion is welcome. Thank you.

Pass proxy depending on URL prefix

I'm new to NginX and I have been trying to figure out how to do the following;
example.com forwards to the express application running on port 3000 with the purpose of serving clients.
dashboard.example.com forwards to the express application running on port 3001 with the purpose of serving administrators.
For this, I have set up the following configuration;
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com dashboard.example.com;
return 302 https://$server_name$request_uri;
}
# dashboard.example.com for administrators.
server {
listen 80;
server_name dashboard.example.com;
location / {
proxy_pass http://localhost:3001;
}
}
# example.com for normal users.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:3000;
}
}
The problem is that dashboard.example.com and example.com (as does www.example.com) all forward to the client server running on port 3000. How can I make dashboard.example.com forward to 3001?
The issue seems to be that you always redirect to https (good job!), but you only listen for SSL traffic (port 443) on the server_name example.com and www.example.com, and have no proxy configuration for ssl on the dashboard. Try something like:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com dashboard.example.com;
    return 302 https://$host$request_uri; # $host keeps the requested name; $server_name is always the first name listed (example.com)
}
# dashboard.example.com for administrators.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name dashboard.example.com;
location / {
proxy_pass http://localhost:3001;
}
}
# example.com for normal users.
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:3000;
}
}
Let me know if re-writing the middle block works for you. If the intention is not to have https on the dashboard for administrators, you need to remove dashboard.example.com from line 4 instead.
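A defensive variant of the configuration above, as an added example that is not part of the original answer: explicit default_server catch-alls make a hostname with no matching block fail visibly instead of being handled by whichever block nginx loaded first, which is how https://dashboard.example.com ended up on port 3000. It assumes nginx 1.19.4 or newer for ssl_reject_handshake; hostnames, ports and certificate paths are the ones from the question.

```nginx
# Added example, not the answerer's config. Assumes nginx 1.19.4+ (ssl_reject_handshake).
# Catch-all for plain HTTP: a Host header that no other block names ends up here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;  # nginx-specific code: close the connection without replying
}
# Catch-all for TLS: abort the handshake when SNI matches no server_name below.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}
# One redirect block per site, each with a literal target.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 302 https://example.com$request_uri;
}
server {
    listen 80;
    listen [::]:80;
    server_name dashboard.example.com;
    return 302 https://dashboard.example.com$request_uri;
}
# dashboard.example.com for administrators.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dashboard.example.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        proxy_pass http://localhost:3001;
    }
}
# example.com for normal users.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        proxy_pass http://localhost:3000;
    }
}
```

With the catch-alls in place, a forgotten or misspelled server_name shows up as a refused connection rather than as another site's content or certificate.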

Nginx - Using conf filename as server_name, instead of server_name itself

We're actually trying to set up a simple Nginx config. But actually, we're losing our heads on this conf as nginx is doing a strange job:
We've set up 2 sub-domains on a clean Nginx install from yesterday:
Domain 1 :
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
Domain 2 :
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
Actually, we're having SSL problems on domain 2: Firefox (and Chrome as well) are saying that the Domain 2 SSL certificate is not trusted, as domain 2 is using the cert of domain 1 and is not reached by this one.
We can't understand why the server_name property is not working. From our point of view, nginx should be using the domain 2 cert when any visitor reaches 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com.
1 more specification:
I've updated the server_names_hash_bucket_size to 512 as we're using long subdomains.
"FUN" fact:
When we rename the domain 2 config file from /etc/nginx/sites-enabled/820528fd-a13f-496a-b124-8973f4367db6.conf to /etc/nginx/sites-enabled/000-820528fd-a13f-496a-b124-8973f4367db6.conf, the right cert is served.
In that case, we're thinking that, for a reason that we couldn't find, nginx is using the filename as the server_name property, instead of the server_name prop we've set up in the file, and for another reason only using the first config file found in /etc/nginx/sites-enabled.
Any ideas?
Thanks for your support by the way,
Regards,

Nginx rewrite http to https and proxy to another port, ERR_TOO_MANY_REDIRECTS error

Trying to use Nginx as a reverse proxy here. This is what I want to achieve:
Redirect example.com and www.example.com to https://example.com.
Proxy the request to another port.
This is the flow: example.com -> Nginx -> Go web server listening on port 5000
It seems that the rewriting is working properly, cause in the browser I get https://example.com, however I am getting this error in the browser:
ERR_TOO_MANY_REDIRECTS
If it matters, my DNS settings are as such:
# - A - 11.XX.XX.XX
www - A - 11.XX.XX.XX
Here is my /etc/nginx/nginx.conf file:
events {
worker_connections 1024;
}
http {
server {
listen 80;
listen [::]:80;
server_name www.example.com example.com;
rewrite ^(.*)$ https://example.com$request_uri permanent;
location / {
proxy_pass http://127.0.0.1:5000;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.example.com example.com;
ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
rewrite ^(.*)$ https://example.com$request_uri permanent;
location / {
proxy_pass http://127.0.0.1:5000;
}
}
}
Any help would be appreciated. Networking noob here.
In this server block, just redirect to the HTTPS block; there is no need for a location block here:
server {
listen 80;
listen [::]:80;
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
There is no need to add the redirection to the 443 block, as it is already redirected from the 80 block. So try the following configuration:
events {
    worker_connections 1024;
}
http {
    server {
        listen 80;
        listen [::]:80;
        server_name www.example.com example.com;
        # return is evaluated before any location is matched,
        # so this block needs no location / proxy_pass
        return 301 https://example.com$request_uri;
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.example.com example.com;
        ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
        # No redirect here: redirecting https://example.com to itself caused the loop
        location / {
            proxy_pass http://127.0.0.1:5000;
        }
    }
}
The other two answers were very helpful in fixing the answer to this question (Redirect loop). There was another bug however, which is that the www was showing up every time even though I redirected to non-www https version.
Here is the updated config that does the following:
Turn www to non-www
Turn http to https
events {
worker_connections 1024;
}
http {
server {
listen 80;
listen [::]:80;
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.example.com;
ssl_certificate "/etc/letsencrypt/live/example.com-0001/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com-0001/privkey.pem";
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com;
ssl_certificate "/etc/letsencrypt/live/example.com-0001/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com-0001/privkey.pem";
location / {
proxy_pass http://127.0.0.1:5000;
}
}
}

NGINX: redirect non-www https to https://www

I followed this answer https://stackoverflow.com/a/28068250/3108268 but it redirects only from http to https and non www to www, but if I go to my website at https://example.com I get 'your connection is insecure'.
How do I redirect it to https://www?
server{
listen 443 ssl;
server_name www.mydomain.com;
root /www/mydomain.com/;
ssl on;
ssl_certificate /ssl/domain.crt;
ssl_certificate_key /ssl/domain.key;
.
.
.
}
server{
listen 80;
server_name www.mydomain.com mydomain.com;
return 301 https://$server_name$request_uri;
}
server{
listen 443;
server_name mydomain.com;
return 301 https://www.$server_name$request_uri;
}
The third server is missing SSL certificates, which is why the browser is saying the connection is insecure.
Replace your last two servers with:
# redirect www.mydomain.com to https
server {
listen 80;
server_name www.mydomain.com;
return 301 https://$server_name$request_uri;
}
# redirect mydomain.com to https
server{
listen 80;
server_name mydomain.com;
return 301 https://www.$server_name$request_uri;
}
A good way to get the correct configuration is to use a new block for each redirect, one from http to https and one from non-www to www.
server {
    listen 80;
    server_name www.example.com example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private/key.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    server_name example.com;
    # do the proper handling of the request
}