Nginx default server always selected - Multiple SSL servers - ssl

I have 3 servers defined in Nginx (which is used for serving static content and as a proxy for Tomcat):
One handling non-matching requests:
# Catch-all on port 443 for any request whose SNI/Host matches none of the
# named servers below. 444 is nginx's special code: close the connection
# without sending a response.
# NOTE(review): this server declares no ssl_certificate. A client that
# connects by IP address sends no SNI, so it lands here and the handshake has
# nothing to present — consistent with "default server always selected" in
# the question. Confirm against the nginx version in use.
server {
    listen 443 default_server;
    return 444;
}
One for web-app A :
# Virtual host for web-app A. Chosen only when the request's SNI/Host is
# exactly "webAppA" (no wildcard in server_name).
server {
    listen 443;
    server_name webAppA;
    # "ssl on" is the pre-1.15 way of enabling TLS; newer nginx expects the
    # ssl parameter on the listen directive instead ("listen 443 ssl;").
    ssl on;
    ssl_certificate /etc/nginx/ssl/webAppA/server.crt;
    ssl_certificate_key /etc/nginx/ssl/webAppA/server.key;
    index index.html;
    root /var/www/webAppA/;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    # Static files; any path not found on disk falls back to index.html
    # (single-page-app style routing).
    location / {
        try_files $uri $uri/ /index.html;
    }
    # Web-service calls go to Tomcat. The URI part of proxy_pass replaces the
    # matched "/ws/" prefix, so /ws/x becomes /webAppA/ws/x upstream.
    location /ws/ {
        add_header Cache-Control no-cache;
        proxy_pass http://localhost:8080/webAppA/ws/;
        # Only the client IP is forwarded; no X-Forwarded-Proto is set, so if
        # the app builds absolute URLs it may not know this arrived over TLS
        # — verify against the app.
        proxy_set_header X-Real-IP $remote_addr;
    }
}
One for web-app B:
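# Virtual host for web-app B; mirrors the web-app A server except for paths.
server {
    listen 443;
    # "ssl on" is the pre-1.15 way of enabling TLS; newer nginx expects
    # "listen 443 ssl;" instead.
    ssl on;
    ssl_certificate /etc/nginx/ssl/webAppB/server.crt;
    ssl_certificate_key /etc/nginx/ssl/webAppB/server.key;
    # Fixed: the original line had no terminating ";". nginx reads tokens up
    # to the next ";", so "index" and "index.html" from the following line
    # silently became extra server names and the index directive was lost.
    server_name webAppB;
    index index.html;
    root /var/www/webAppB/;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    # Web-service calls go to Tomcat; the "/ws/" prefix is rewritten to
    # "/webAppB/ws/" by the URI part of proxy_pass.
    location /ws/ {
        add_header Cache-Control no-cache;
        proxy_pass http://localhost:8080/webAppB/ws/;
        proxy_set_header X-Real-IP $remote_addr;
    }
    # Static files with single-page-app fallback to index.html.
    location / {
        # Basic auth for the whole app is prepared here but disabled.
        #auth_basic "Restricted";
        #auth_basic_user_file htpasswd;
        try_files $uri $uri/ /index.html;
    }
}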
I'm trying to access both apps with:
https://server_ip/webAppA
https://server_ip/webAppB
But the default server is always selected. I have TLS SNI support enabled.
I tried adding the server names to /etc/hosts but it changed nothing.
Do you have any idea?
Thanks a lot :)

The solution I found was to use a single server block, because server_name is matched against what the client asked for,
"https://server_ip",
and not against "webAppA" or "webAppB".
# One server for both apps, distinguished by URL prefix instead of hostname.
# The client requests https://server_ip/..., so the Host/SNI is the IP and a
# per-app server_name can never match; path prefixes sidestep that.
# NOTE(review): both apps now share one origin (same scheme, host and port),
# so their cookies and browser storage are not isolated from each other —
# relevant if each app has its own login session.
server {
    listen 443;
    ssl on;   # pre-1.15 form; newer nginx expects "listen 443 ssl;"
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    root /var/www/;
    # Each app's static tree lives under root; unknown paths fall back to
    # that app's own index.html.
    location /webAppA/ {
        try_files $uri $uri/ /webAppA/index.html;
    }
    location /webAppB/ {
        try_files $uri $uri/ /webAppB/index.html;
    }
    # nginx picks the longest matching prefix, so these win over /webAppA/
    # and /webAppB/ for web-service calls, which go to Tomcat, not disk.
    location /webAppA/ws/ {
        add_header Cache-Control no-cache;
        proxy_pass http://localhost:8080/webAppA/ws/;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /webAppB/ws/ {
        add_header Cache-Control no-cache;
        proxy_pass http://localhost:8080/webAppB/ws/;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
It's not as flexible as I'd like it to be but it works.

Related

Letsencrypt / nginx : SSL configuration went wrong

I recently acquired a domain name that I want to point to my home server. It worked very well before I tried to implement SSL. Since then I get this error when I try to access https://cloud.mydomain.com/:
SSL_ERROR_RX_RECORD_TOO_LONG
I don't know how to debug this at all.
Here is the config at my hosting provider:
mydomain.com. A [my external IP]
cloud.mydomain.com. CNAME mydomain.com.
On my server I have this:
# Main (top-level) context of nginx.conf: worker identity and event model.
user www-data;
worker_processes auto;   # one worker per available CPU core
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
# http context: shared proxy/fastcgi/TLS/header defaults, then the two
# Nextcloud virtual hosts (originally in conf.d/nextcloud.conf).
http {
    server_names_hash_bucket_size 64;
    # PHP-FPM over a unix socket. Nothing in this file references it by
    # name; presumably php_optimization.conf (not shown) does — verify.
    upstream php-handler {
        server unix:/run/php/php7.3-fpm.sock;
    }
    # Real-IP rewriting: X-Forwarded-For is trusted from localhost and from
    # the whole 192.168.1.0/24 LAN. Any host on that subnet can therefore
    # choose the client address that ends up in logs and access rules.
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 192.168.1.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    include /etc/nginx/mime.types;
    # include /etc/nginx/proxy.conf;
    # Defaults for proxy_pass; no proxy_pass appears in this file, the PHP
    # paths below use fastcgi.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_connect_timeout 3600;
    proxy_send_timeout 3600;
    proxy_read_timeout 3600;
    proxy_redirect off;
    # include /etc/nginx/ssl.conf;
    # Certificate and TLS parameters at http level apply to every ssl server
    # below. ssl_protocols/ssl_ciphers come from the certbot-managed
    # options-ssl-nginx.conf, which is not visible here.
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # include /etc/nginx/header.conf;
    # Security headers. nginx add_header inheritance is all-or-nothing: a
    # location that declares any add_header of its own drops all of these.
    # None of the locations below does, so they apply everywhere.
    # HSTS with preload is a long-lived commitment: once a browser has seen
    # it, the site cannot fall back to plain HTTP for max-age (6 months).
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is a legacy header that current browsers ignore.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Frame-Options "SAMEORIGIN";
    # include /etc/nginx/optimization.conf;
    fastcgi_hide_header X-Powered-By;   # don't advertise the PHP version
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_connect_timeout 3600;
    fastcgi_buffers 64 64K;
    fastcgi_buffer_size 256k;
    fastcgi_busy_buffers_size 3840K;
    # A cache key is defined (per cookie, so per user), but no fastcgi_cache
    # zone is declared in this file; these cache settings are inert unless an
    # include enables one — TODO confirm.
    fastcgi_cache_key $http_cookie$request_method$host$request_uri;
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    gzip_disable "MSIE [1-6]\.";
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    sendfile on;
    send_timeout 3600;
    tcp_nopush on;
    tcp_nodelay on;
    open_file_cache max=500 inactive=10m;
    open_file_cache_errors on;
    keepalive_timeout 65;
    reset_timedout_connection on;
    server_tokens off;   # hide the nginx version in headers and error pages
    resolver 192.168.1.1 valid=30s;   # LAN resolver
    resolver_timeout 5s;
    # include /etc/nginx/conf.d/*.conf;
    # etc/nginx/conf.d/nextcloud.conf;
    # Port 80: redirect everything to HTTPS on the same host.
    server {
        server_name cloud.mydomain.com;
        listen 80 default_server;
        listen [::]:80 default_server;
        location / {
            return 301 https://$host$request_uri;
        }
    }
    # Port 443: the Nextcloud virtual host.
    server {
        server_name cloud.mydomain.com;
        # NOTE(review): openssl's "wrong version number" with only 5 bytes
        # read means the peer on 443 answered in plaintext. This listen is a
        # correct TLS listener, so either the running nginx did not load this
        # file or the router's 443 forward ends at a plain-HTTP listener —
        # cannot be determined from the config alone.
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        root /var/www/nextcloud/;
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        # CalDAV/CardDAV service discovery.
        location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
        }
        #SOCIAL app enabled? Please uncomment the following row
        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
        #WEBFINGER app enabled? Please uncomment the following two rows.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
        client_max_body_size 10240M;   # allow 10 GiB uploads
        # Front controller: every other path is handled by index.php.
        location / {
            rewrite ^ /index.php;
        }
        # Block direct access to internal directories, dotfiles and tooling.
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
        location ^~ /apps/rainloop/app/data {
            deny all;
        }
        # Pseudo-streaming for video. The fastcgi lines mirror the PHP
        # location below; if php_optimization.conf carries a fastcgi_pass,
        # these files would be handed to PHP-FPM rather than served by the
        # mp4 module — TODO confirm.
        location ~ \.(?:flv|mp4|mov|m4a)$ {
            mp4;
            mp4_buffer_size 100M;
            mp4_max_buffer_size 1024M;
            fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            include php_optimization.conf;
        }
        # Only these PHP entry points are executable; try_files =404 stops
        # non-existent scripts from reaching PHP-FPM.
        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+).php(?:$|\/) {
            fastcgi_split_path_info ^(.+?.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            include php_optimization.conf;
        }
        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }
        # Static assets: serve from disk, otherwise let index.php decide.
        location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$request_uri;
            access_log off;
            expires 360d;
        }
    }
}
Here is the command I ran to generate the certificates:
sudo certbot --nginx -d mydomain.com -d cloud.mydomain.com
Note that when I access it from the local network using the machine's address, I get the certificate and Nextcloud is displayed.
My router is configured to forward ports 80 and 443 to my machine, and I can see the requests in /var/log/nginx/access.log
When I run the command:
openssl s_client -connect cloud.mydomain.com:443 -servername mydomain.com
I have the following result:
CONNECTED(00000003)
140509444985920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Would you know how to debug this please?

.htaccess - any query to index.php - problems with nginx

I thought I only had Apache on my server, but I see that nginx catches some requests before Apache does...
My .htaccess file:
# Front-controller rule: every request path is handed to index.php.
# NC = case-insensitive match, L = stop processing further rewrite rules.
RewriteEngine On
RewriteRule ^.*$ index.php [NC,L]
But when I go to a URL like
https://site.domain/folder/another/folder/file.png
I get a 404 error instead of the result of my index.php script!
I tried changing my nginx config in many ways, but in vain.
Here it is:
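# Port-80 virtual host: every request is redirected to HTTPS.
server {
    server_name site.domain www.site.domain;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/site.domain/*.conf;
    access_log /var/www/httpd-logs/site.domain.access.log;
    error_log /var/www/httpd-logs/site.domain.error.log notice;
    ssi on;
    # A server-level return runs for every request before any location is
    # selected, so nothing below this line is reachable on port 80.
    return 301 https://$host:443$request_uri;
    set $root_path /var/www/www-root/data/www/site.domain;
    root $root_path;
    location / {
        # PHP scripts are never served from disk: always hand them to Apache.
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        # Static assets: serve from disk if present, otherwise ask Apache.
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    # Named location; the pasted config showed "#fallback", which nginx would
    # read as a comment and reject. Reverse proxy to Apache on 127.0.0.1:8080.
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
    listen 77.777.7.777:80;
}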
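# Port-443 virtual host: nginx serves static files itself and proxies
# everything else to Apache.
server {
    # NOTE(review): the first name here differs from the masked "site.domain"
    # used elsewhere — looks like one name escaped the masking.
    server_name ege2018.top www.site.domain;
    ssl_certificate "/var/www/httpd-cert/www-root/site.domain_le1.crtca";
    ssl_certificate_key "/var/www/httpd-cert/www-root/site.domain_le1.key";
    # "RSA+AES" keeps non-forward-secret RSA key exchange enabled alongside
    # the EECDH suites.
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); left unchanged here because
    # dropping them may cut off old clients — decide per audience.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/site.domain/*.conf;
    access_log /var/www/httpd-logs/site.domain.access.log;
    error_log /var/www/httpd-logs/site.domain.error.log notice;
    ssi on;
    set $root_path /var/www/www-root/data/www/site.domain;
    root $root_path;
    location / {
        # PHP scripts are never served from disk: always hand them to Apache.
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        # Static assets: serve from disk if present, otherwise ask Apache.
        # A missing .png therefore reaches Apache, where its own rules decide.
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    # Named location; the pasted config showed "#fallback", which nginx would
    # read as a comment and reject. Reverse proxy to Apache on 127.0.0.1:8080;
    # X-Forwarded-Proto lets Apache know the client used HTTPS.
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
    listen 77.777.7.777:443 ssl;
}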
(I changed the domain name and server IP to hide them)
Please help me solve this problem; I hope it's possible just by editing the nginx config.
Thank you!
Have you got access to both the nginx and Apache HTTPd logs? tail -F both log files while you access the URL. @fallback does indeed look like it sends the request to HTTPd if it cannot find the file locally; does the request reach the HTTPd log? You may find that index.php isn't where HTTPd expects to find it.
My bad! I masked the actual URL I wanted to visit, but the key was in it.
The URL was like
site.domain/icons/...
And Apache goes to its own icons folder despite the .htaccess instructions...
I edited the Apache config to solve this problem: I commented out the alias for /icons/

Nginx, API (https + redirect) and Vue.js application on subdomain

I need to configure nginx for three (possibly four) servers running on one physical machine.
I have a Rails API, Rails also does server-side rendering of HTML pages, plus a separate Vue.js application.
Basically, I need two nginx servers for Rails over HTTPS; the server configs look like this (it's working :)):
# Port 80: redirect to HTTPS. $server_name expands to the first name in the
# server_name list, i.e. example.com here.
# NOTE(review): the 443 server below uses www.example.me — presumably a
# masking inconsistency rather than a real mismatch; verify.
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
# http-level settings: larger name hash (needed once several long server
# names are defined) and the Rails app server reached over a unix socket.
server_names_hash_bucket_size 64;
upstream puma {
    server unix:///home/deploy/apps/example/shared/tmp/sockets/example-puma.sock;
}
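# Port 443: Rails app. Static files are served from public/, everything
# else goes to Puma.
server {
    listen 443 ssl;
    server_name www.example.me;
    # Redundant with the ssl parameter on listen above; "ssl on" is the
    # pre-1.15 form and can be dropped on newer nginx.
    ssl on;
    ssl_certificate /home/deploy/apps/example/current/certs/cert_chain.crt;
    ssl_certificate_key /home/deploy/apps/example/current/certs/private.key;
    root /home/deploy/apps/example/current/public;
    # Fingerprinted assets: serve pre-compressed .gz files, cache forever.
    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }
    try_files $uri/index.html $uri @puma;
    # Named location; the pasted config showed "#puma", which nginx would
    # read as a comment and reject.
    location @puma {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        # NOTE(review): no X-Forwarded-Proto is forwarded. If the app needs
        # to know the request was HTTPS (absolute URLs, secure cookies),
        # add "proxy_set_header X-Forwarded-Proto $scheme;" here — verify.
        proxy_pass http://puma;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 10M;
    keepalive_timeout 30;
}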
So here I need to add the Vue.js application server, and this is where things get messed up and stop working (it's the config for Vue in history mode):
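# Plain-HTTP virtual host for the Vue.js front end (history-mode routing).
# NOTE(review): this back office is served without TLS, so any session
# cookie it sets travels in the clear — probably worth a 443 server like
# the Rails one.
server {
    listen 80;
    server_name backoffice.example.me;
    root /home/deploy/apps/example-front;
    index index.html;
    # Serve the file if it exists; otherwise fall through to the rewrite.
    location / {
        try_files $uri $uri/ @rewrites;
    }
    # Named location; the pasted config showed "#rewrites", which nginx would
    # read as a comment and reject. "last" re-runs location matching with
    # /index.html, which "location /" then serves from disk.
    location @rewrites {
        rewrite ^(.+)$ /index.html last;
    }
    # Regex locations win over "location /", and this one has no try_files,
    # so a missing asset yields a 404 instead of index.html.
    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}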
Is there any way to make it work on one physical server?

nginx serve static file without ssl

To improve the speed of my project I want to serve static files without SSL; the problem is that I'm a complete beginner with nginx. My current nginx configuration is:
# Catch-all on port 80 (IPv4 and IPv6): redirect every request to HTTPS on
# the same host. "_" is a placeholder name that matches nothing by itself.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# HTTPS virtual host: static files from disk, everything else proxied to the
# app on 127.0.0.1:8080.
# NOTE(review): serving /static/ over plain HTTP from an HTTPS page would be
# blocked by browsers as mixed content; the usual speed-up is keep-alive and
# caching headers (already set below), not dropping TLS.
server {
    listen 443;
    ssl on;   # pre-1.15 form; newer nginx expects "listen 443 ssl;"
    gzip on;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    server_name selfmarket.net www.selfmarket.net;
    # Let's Encrypt's cert.pem is the leaf certificate only; fullchain.pem
    # also carries the intermediate, which most clients need to validate
    # the chain — consider switching.
    ssl_certificate /etc/letsencrypt/live/selfmarket.net/cert.pem; # path to your cacert.pem
    ssl_certificate_key /etc/letsencrypt/live/selfmarket.net/privkey.pem; # path to your privkey.pem
    # No fastcgi_pass appears in this server, so these params are unused
    # here — presumably left over from an earlier setup; verify.
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    # Serve static files and uploads
    # Files resolve to /opt/master/app/static/...; cached by clients for 30 days.
    location ^~ /static/ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
        root /opt/master/app/;
    }
    # Everything else goes to the application server.
    location / {
        proxy_pass 'http://127.0.0.1:8080/';
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
At the moment I force all traffic over SSL; I need to change this so static files don't use SSL. How can I do this?

Rails Devise Omniauth callback returns domain.com:443 instead of https://domain.com

I'm using AWS to deploy my Rails app. The request flow looks like this:
request -> AWS ELB (80, 443 SSL) -> EC2 (80) force to use https -> Unicorn
I've just followed the Devise documentation and use the callback link /users/auth/facebook.
When running over http it works fine, but when I force https on EC2 the callback returns
http://domain.com:443/users/auth/facebook
instead of
https://domain.com/users/auth/facebook
Then it gets stuck there.
What should I check? I have already rechecked the Nginx config and the settings of the Facebook app...
Thanks!
UPDATE
I tried to use this setting
80 ELB -> 80 EC2
443 ELB -> 443 EC2
and redirected http requests to https on EC2, but the same issue happened.
I have two AWS Opsworks instances behind an Elastic Load Balancer.
The OpsWorks instances stack is Ruby on Rails + Nginx + Unicorn.
I want my site to be available over both http and https, so I configured the nginx server accordingly and left this line commented out in my Rails app:
config/environments/production.rb
# config.force_ssl = true
But I was having a problem like yours!
PROBLEM:
When a user logs in over http, everything is fine, but users signing in over HTTPS via facebook/twitter/instagram with devise omniauth were redirected to a bad url like:
http://www.examplesite.com:443/users/auth/facebook/callback?code=xxx...xxx
I configured the ELB listener (in the AWS console) as you did, in the way below, providing my certificate for the https part:
Note that HTTPS ==> HTTP
**The problem was inside my nginx configuration**, and I fixed it by deleting this line from the port-80 server blocks:
proxy_set_header X-Forwarded-Proto http;
So in the end this is my nginx file (look at the unicorn location inside the port-80 servers):
# Rails app server (Unicorn) over a unix socket. fail_timeout=0 keeps nginx
# retrying the socket immediately instead of marking it down.
upstream unicorn_examplesite.com {
    server unix:/srv/www/examplesite_pics/shared/sockets/unicorn.sock fail_timeout=0;
}
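# Port 443, default for the address: TLS terminated on the instance.
# "default" is the old spelling of default_server; "deferred" enables
# TCP_DEFER_ACCEPT.
server {
    listen 443 default deferred;
    server_name www.examplesite.com;
    access_log /var/log/nginx/examplesite.com.access.log;
    root /srv/www/examplesite_pics/current/public;
    # Public static trees: long-lived caching and open CORS. Fine for assets;
    # /system/ is included too, which is typically the uploads directory
    # (assumption — verify that nothing private lives there).
    location ~ ^/(system|assets|img|fonts|css|doc)/ {
        add_header "Access-Control-Allow-Origin" "*";
        expires max;
        access_log off;
        allow all;
        add_header Cache-Control public;
        break;   # ends rewrite-phase processing; appears to be a no-op here
    }
    try_files $uri/index.html $uri @unicorn;
    ssl on;   # pre-1.15 form; newer nginx expects "listen 443 ssl;"
    ssl_certificate /etc/nginx/ssl/examplesite.com.crt;
    ssl_certificate_key /etc/nginx/ssl/examplesite.com.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); kept as the author had them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Named location; the pasted config showed "#unicorn", which nginx would
    # read as a comment and reject. TLS ended here, so X-Forwarded-Proto is
    # pinned to https for the app.
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_pass http://unicorn_examplesite.com;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 70;
}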
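# Port 80, default for the address: receives the ELB's traffic, including
# HTTPS requests the ELB terminated (HTTPS ==> HTTP listener).
server {
    listen 80 default deferred;
    server_name www.examplesite.com;
    access_log /var/log/nginx/examplesite.com.access.log;
    root /srv/www/examplesite_pics/current/public;
    # Public static trees: long-lived caching and open CORS (see the 443
    # server for the /system/ caveat).
    location ~ ^/(system|assets|img|fonts|css|doc)/ {
        add_header "Access-Control-Allow-Origin" "*";
        expires max;
        access_log off;
        allow all;
        add_header Cache-Control public;
        break;
    }
    try_files $uri/index.html $uri @unicorn;
    # Named location; the pasted config showed "#unicorn", which nginx would
    # read as a comment and reject.
    # This is where "proxy_set_header X-Forwarded-Proto http;" was removed.
    # With no override, nginx passes the X-Forwarded-Proto it received from
    # the ELB (https for TLS-terminated requests) through to the app, which
    # is what lets Rails build https:// callback URLs.
    # NOTE(review): the app now trusts that header from whoever reaches port
    # 80; if the instance is reachable on 80 without going through the ELB,
    # restrict that (security group) so a client cannot supply it directly.
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_pass http://unicorn_examplesite.com;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 70;
}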
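# Port 80 for any *.examplesite.com subdomain; same app and proxy settings
# as the www server, so the ELB's X-Forwarded-Proto is passed through
# unchanged here as well.
server {
    listen 80;
    server_name *.examplesite.com;
    access_log /var/log/nginx/examplesite.com.access.log;
    root /srv/www/examplesite_pics/current/public;
    # Public static trees: long-lived caching and open CORS.
    location ~ ^/(system|assets|img|fonts|css|doc)/ {
        add_header "Access-Control-Allow-Origin" "*";
        expires max;
        access_log off;
        allow all;
        add_header Cache-Control public;
        break;
    }
    try_files $uri/index.html $uri @unicorn;
    # Named location; the pasted config showed "#unicorn", which nginx would
    # read as a comment and reject.
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_pass http://unicorn_examplesite.com;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 70;
}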
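# Port 443 for any *.examplesite.com subdomain: TLS terminated on the
# instance with the same certificate as the www server.
server {
    listen 443;
    server_name *.examplesite.com;
    access_log /var/log/nginx/examplesite.com.access.log;
    root /srv/www/examplesite_pics/current/public;
    # Public static trees: long-lived caching and open CORS.
    location ~ ^/(system|assets|img|fonts|css|doc)/ {
        add_header "Access-Control-Allow-Origin" "*";
        expires max;
        access_log off;
        allow all;
        add_header Cache-Control public;
        break;
    }
    try_files $uri/index.html $uri @unicorn;
    ssl on;   # pre-1.15 form; newer nginx expects "listen 443 ssl;"
    ssl_certificate /etc/nginx/ssl/examplesite.com.crt;
    ssl_certificate_key /etc/nginx/ssl/examplesite.com.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); kept as the author had them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Named location; the pasted config showed "#unicorn", which nginx would
    # read as a comment and reject. TLS ended here, so X-Forwarded-Proto is
    # pinned to https.
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_pass http://unicorn_examplesite.com;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 70;
}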
# Port 443 for the apex and the .it aliases: redirect to the canonical www
# host, keeping the request's scheme.
# NOTE(review): no ssl/certificate is declared in this server; which
# certificate (if any) is presented for these names depends on how nginx
# merges the ssl setting across servers sharing port 443 — confirm with
# openssl s_client -servername examplesite.com.
server {
    listen 443;
    server_name examplesite.com www.examplesite.it examplesite.it;
    access_log /var/log/nginx/examplesite.com.access.log;
    return 301 $scheme://www.examplesite.com$request_uri;
}
# Port 80 for the apex and the .it aliases: redirect straight to the
# canonical https://www host.
server {
    listen 80;
    server_name examplesite.com www.examplesite.it examplesite.it;
    access_log /var/log/nginx/examplesite.com.access.log;
    return 301 https://www.examplesite.com$request_uri;
}
Hope it helps!