I have got a ca certificate bundle trying to integrate client certificate authentication on nginx at the browser level i am not able to get a prompt asking for certificate to be sent for ssl authentication. I am not sure what's missed out here any help in this regard would be highly appreciated.
Below is the configuration of nginx
#
# HTTPS server configuration
#
server {
listen 10.0.111.118:8443;
ssl on;
server_name reverseproxy.in;
### SSL cert files ###
ssl_certificate conf.d/MonetServer.cer;
ssl_certificate_key conf.d/MonetServer.key;
ssl_client_certificate conf.d/Bundle.crt;
ssl_verify_client on;
server_tokens off;
access_log logs/ssl/esmarts-access.log;
error_log logs/ssl/esmarts-error.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Floof-SSL-Client-Serial $ssl_client_serial;
proxy_set_header X-Floof-SSL-Client-Verify $ssl_client_verify;
### We want full access to SSL via backend ###
location / {
proxy_pass http://10.0.111.125:8080/esmart/index.html;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
### Set headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-S-DN $ssl_client_cert;
### Most PHP, Python, Rails, Java App can use this header ###
#proxy_set_header X-Forwarded-Proto https;##
#This is better##
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
### By default we don't want to redirect it ####
proxy_redirect off;
}
location /esmart/VAADIN
{
proxy_pass http://10.0.111.125:8080/esmart/VAADIN;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
### Set headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-S-DN $ssl_client_cert;
### Most PHP, Python, Rails, Java App can use this header ###
#proxy_set_header X-Forwarded-Proto https;##
#This is better##
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
### By default we don't want to redirect it ####
proxy_redirect off;
}
location /esmart/jsp
{
proxy_pass http://10.0.111.125:8080/esmart/jsp;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
### Set headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-S-DN $ssl_client_cert;
### Most PHP, Python, Rails, Java App can use this header ###
#proxy_set_header X-Forwarded-Proto https;##
#This is better##
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
### By default we don't want to redirect it ####
proxy_redirect off;
}
location /esmart/APP
{
proxy_pass http://10.0.111.125:8080/esmart/APP;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
### Set headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-S-DN $ssl_client_cert;
### Most PHP, Python, Rails, Java App can use this header ###
#proxy_set_header X-Forwarded-Proto https;##
#This is better##
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
### By default we don't want to redirect it ####
proxy_redirect off;
}
}
I kept getting the error
400 Bad Request
No required SSL certificate was sent
Have already installed client certificate on my pc , Problem here is that i assume the browser is not requesting for the client certificate which is already installed on the client.
Just posted an answer here: https://serverfault.com/a/764509/344286
Make sure you can authenticate using cURL to validate that your nginx is set up correctly. Once you've confirmed this, you can focus on generating a PKCS12 profile and installing that in the browser.
I had encountered this problem while using Chromium. It looks like browser does not ask for client certificate on non-standard https port (other than 443). Adjusting config to listen on port 443 fixed issue for me.
Related
I have a domain configured with nginx proxy to route like this:
mydomain.com -> localhost:3000
But now, I want a particular subdomain, to point to something like this:
subdomain.mydomain.com -> localhost:3000/mypage
Tried several things but I can't make it work:
server {
listen 80;
server_name subdomain.mydomain.com;
server_tokens off;
proxy_hide_header X-Powered-By;
location /healthcheck {
access_log off;
proxy_pass http://localhost:3000;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
# NGINX will reject anything not matching /
location ~ /(?<section>.+)/ {
# Reject requests with unsupported HTTP method
if ($request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|DELETE)$) {
return 405;
}
# Only requests matching the whitelist expectations will
# get sent to the application server
proxy_pass http://localhost:3000/mypage/$section;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
}
Hi guys i am having a problem with nginx, i have configure phpmyadmin to run with nginx phpmyadmin is configured to run on port 8080. I access phpmyadmin via localhost/phpmyadmin and it give me the proper login screen below.
phpmyadmin login screen
after login the url on the address bar changes to the configure port from localhost/phpmyadmin to localhost:8080/phpmyadmin and it throws
error message
here is my nginx configuration:
server{
listen 443 ssl;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/certificate/live/localhost/permission.pem;
ssl_certificate_key /etc/certificate/live/localhost/privkey.pem;
include /etc/certificate/live/localhost/ssl-nginx.conf;
access_log /var/log/nginx/apache2-access.log;
error_log /var/log/nginx/apache2-error.log;
location /phpmyadmin{
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Host $http_host;
proxy_set_header X-Ssl on;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/phpmyadmin;
proxy_redirect off;
}
}
Thanks in advance.
You should not be using proxy_redirect off;. You want to change the redirects
location /phpmyadmin{
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Host $http_host;
proxy_set_header X-Ssl on;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/phpmyadmin;
proxy_redirect http://127.0.0.1:8080/ $scheme://$host/;
proxy_redirect http://localhost:8080/ $scheme://$host/;
proxy_cookie_domain 127.0.0.1 $host;
proxy_cookie_domain localhost $host;
}
And you also want to setup the cookie so login works
I'm getting this error for actioncable when I switched my site to https:
WebSocket connection to 'wss://domain.com/cable' failed: Error during
WebSocket handshake: Unexpected response code: 404
The https site works fine, but I get a 404 for the websocket address. My current setup has the SSL terminate at the ELB and nginx redirect http to https. I run actioncable together with my rail server, not as a standalone.
How would I set up secure websockets in ?
Here is my nginx conf file
upstream puma {
server unix://var/run/server.sock;
}
server {
listen 80;
server_name default_server;
root /var/www/apps/server/public;
location /cable {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_pass http://puma;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_next_upstream error;
if ($http_x_forwarded_proto != "https") {
rewrite ^(.*)$ https://$host$1 permanent;
}
proxy_pass http://puma;
...
}
And here is the configuration on ELB:
ELB Listeners
Fixed similar error (404 in actioncable /cable) in my setup like this
location /cable {
proxy_pass http://unix:/home/app/shared/tmp/puma/socket;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
so add same proxy_set_header as you have in the other location (X-Real-IP etc)
I have a Couchdb database that should not be accessed directly, so I need to use a reverse proxy.
How to configure Nginx or apache as a reverse proxy for Couchdb?
To reverse proxy in nginx, you need a config that looks like this https://www.nginx.com/resources/admin-guide/reverse-proxy/
upstream mycouch {
server 192.168.0.100:
}
server {
listen *:80;
server_name mycouch.mydomain.whatever.com;
underscores_in_headers on;
location / {
expires off;
proxy_pass http://mycouch;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
This will proxy HTTP calls for your couchdb. Since you tagged this question with docker, if you wanted to bake a container with this stuff, I'd suggest you start FROM nginx, https://hub.docker.com/_/nginx/ (or, just mount a config file in to nginx image as is)
Based on #djcrabhat replay, I created this config to enables replication
...
location / {
proxy_pass http://192.168.99.100:5984 //couchdb address
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ ^/(.*)/_changes {
proxy_pass http://192.168.99.100:5984 //couchdb address
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...
I check the ip-address in the controller with
request.env['REMOTE_ADDR']
this works fine in my test environment.
But on the production server with nginx + unicorn I always get 127.0.0.1.
This is my nginx config for the site:
upstream unicorn {
server unix:/tmp/unicorn.urlshorter.sock fail_timeout=0;
}
server {
listen 80 default deferred;
# server_name example.com;
root /home/deployer/apps/urlshorter/current/public;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
I had trouble with this too; I found this question, but the other answer didn't help me.
I looked at Rails 3.2.8's implementation of Rack::Request#ip to see how it decided what to say; to get it to use an address passed via the environment without filtering out addresses from my local network (it's trying to filter out intermediate proxies, but that's not what I wanted), I had to set the HTTP_CLIENT_IP from my nginx proxy configuration block in addition to what you've got above (X-Forwarded-For has to be there too for this to work!):
proxy_set_header CLIENT_IP $remote_addr;
If you use request.remote_addr you'll get the of your Nginx proxy.
To get the real IP address of your user, you can use request.remote_ip.
According to Rails' source code, it checks for various http headers to give you the most relevant one : in Rails 3.2 or Rails 4.0.0.beta1
The answer is in your config file :) The following should do what you want:
real_ip = request.headers["X-Real-IP"]
more here: http://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-headers
UPDATE: The proper answer is here in another Q:
https://stackoverflow.com/a/4465588
or in this thread:
https://stackoverflow.com/a/15883610
spoiler:
use request.remote_ip
For ELB - nginx - rails you want to follow this guide:
http://engineering.blopboard.com/resolving-real-client-ip-with-amazon-elb-nginx-and-php-fpm
See:
server {
listen 443 ssl spdy proxy_protocol;
set_real_ip_from 10.0.0.0/8;
real_ip_header proxy_protocol;
location /xxx {
proxy_http_version 1.1;
proxy_pass <api-endpoint>;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header CLIENT_IP $remote_addr;
proxy_pass_request_headers on;
}
...
The proxy_set_header CLIENT_IP $remote_addr; didn't work for me. Here's what did..
The solution I found after reviewing the actiondispatch code remote_ip.rb source. Now I get proper IP in my devise/warden processes as well as any other routine I'm looking at request.remote_ip
My config...
Ruby 2.2.1 - Rails 4.2.1 - NGINX v1.8.0 - Unicorn v4.9.0 - Devise v3.4.1
nginx.conf
HTTP_CLIENT_IP vs CLIENT_IP
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_CLIENT_IP $remote_addr; <-----
proxy_redirect off;
proxy_pass http://unicorn;
}
Source actionpack-4.2.1/lib/action_dispatch/middleware/remote_ip.rb
Line 114:
client_ips = ips_from('HTTP_CLIENT_IP').reverse
Line 126:
"HTTP_CLIENT_IP=#{#env['HTTP_CLIENT_IP'].inspect} " +