I'm trying to get the https working with some urls. but it seems that the https goes everywhere. In details, I have created 2 vhosts on Nginx. The first virtual host with port 80 and the other one with 443 containing SSL. now my site .i.e domain.com works for both http and https and this is not what I want. I want the https working on one some urls I specify with rules in Nginx vhost.
The main issue is when I try that I get my main site first with http then when I go to a url that contains https "secure_area", it works fine. However, whenever I go after that somewhere else in my site, the https keep going on all other urls.
here is my 443 vhost config:
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
#server_name www.mydomain.com;
ssl_session_timeout 5m;
root /vars/www/public_html/;
index index.php index.html index.htm;
ssl_certificate /path_to_ssl/certificate.pem;
ssl_certificate_key /path_to_key/server.key;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
# Serve static files directly
location ~* \.(png|jpe?g|gif|ico)$ {
expires 1y; access_log off; try_files $uri $uri/ #rewrite; gzip off;
}
location ~* \.(css)$ {
expires 1d; access_log off;
}
location ~* \.(js)$ {
expires 1h; access_log off;
}
location /secure_area/ {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
rewrite ^ https://$http_host$request_uri? permanent;
}
}
and here is my 80 vhost config:
server {
listen 80 default_server;
server_name mydomain.com;
return 301 http://www.mydomain.com;
}
server {
listen 80;
server_name www.mydomain.com;
root /vars/www/public_html/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
location /secure_area/ {
rewrite ^ https://$http_host$request_uri? permanent;
}
}
in case no one noticed, Nginx is working as reverse proexy at front end Apache
now does anyone have any idea how to force https only on some urls and in my case secure_area and force http on all other urls?
Thanks
You can tell the SSL server to redirect back to http if any other URL is visited
server {
listen 80;
server_name example.com;
# normal http settings
location /secure_area/ {
return 301 https://$http_host$request_uri$is_args$query_string;
}
}
server {
listen 443 ssl spdy;
server_name example.com;
# ssl settings;
location /secure_area/ {
#serve secure area content
}
location / {
return 301 http://$http_host$request_uri$is_args$query_string;
}
}
Related
Ive been reading on using Nginx as a reverse proxy for Apache and how i can get benefits from using both. I dot have much experience with nginx, so im hoping someone here with more experience can take a look at my configuration and let me know if its a good starting point/where it can be improved.
server {
listen 80 default_server;
# Here, we have told that we are to listen to any request made to port 80 & then redirect it to https.
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
# This is the document root
root /var/www/html/;
# This is the file which gets loaded by default. index.html gets loaded if there is no index.php
index index.html index.htm index.php;
# This has to be the domain you want to use
server_name mysite.xyz;
ssl_certificate /etc/letsencrypt/live/mysite.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.xyz/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
# Reverse Proxy
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
proxy_pass https://127.0.0.1:444;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# This configuration prevent the logger to log not found robots.txt
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# This tells the Nginx server to rewrite any requests which do not access a valid file to rewrite on to the index.php
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# This configuration prevent the logger to log not found favicon
location = /favicon.ico {
log_not_found off;
access_log off;
}
# This says that all files with the given endings should be cached by the client
location ~* .(jpg|jpeg|png|gif|ico|svg)$ {
expires 365d;
}
# .htaccess, .htpasswd, etc, will not be served.
location ~ /\.ht {
deny all;
}
# hotlink protect your images and other file types
location ~ .(gif|png|jpg|jpeg|svg|css|js|ico)$ {
valid_referers none blocked mysite.xyz www.mysite.xyz;
if ($invalid_referer) {
return 403;
}
}
}
Use the below nginx configuration to run nginx as reverse proxy for apache
server {
listen 443 ssl;
server_name www.example.com example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
location /.git {
deny all;
return 404;
}
}
restart nginx server after modification
I have been searching for a solution to this problem. Here is my setup.
Server A: 192.168.1.99
Nginx Server Latest version: 01-2020 version. Serves as Reverse proxy for all sites served by Server B.
Apache Server ( Serves two purposes): 1. Serve sites, 2. Serve as Error server if "Server B being down"
Server B: 192.168.1.100
Apache Server: Main Site Server.
Requirement:
When Server B is down, Server A should serve as an "Error page" with same domain name. For example:
if Server B serves: example.com, and if it is down, then Server A will serve the error page as below:
example.com/error404.html
if the error is 502 error, it should serve example.com/error502.html from Server A.
Here is my configuration file:
Server A: (Nginx Server) /etc/nginx/conf.d/example.com.conf
server {
listen 80;
if ($host = www.example.com ) {
return 301 https://example.com$request_uri;
# return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com ) {
return 301 https://example.com$request_uri;
# return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 443 ssl;
server_name www.example.com;
root /var/www/example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
proxy_intercept_errors on;
error_page 404 500 502 503 504 = #fallback;
proxy_pass https://192.168.1.100:9443/;
proxy_read_timeout 90;
#rewrite http://www.example.com/ https://www.example.com/ redirect;
proxy_redirect https://192.168.1.100:9443/ https://example.com;
}
index index.php index.html index.htm index.nginx-debian.html;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location ~ /\.ht {
deny all;
}
location #fallback {
root /var/www/example.com;
rewrite ^/(.*) https://example.com;
#proxy_pass https://192.168.1.99:6443/;
#proxy_redirect https://192.168.1.99:6443/ https://example.com;
#rewrite ^/(.*) https://192.168.1.99:6443/ permanent;
}
}
I need to configure nginx config for three (possibly four) server running on one physical server.
I have Rails API and Rails also do server rendering html pages + a separate Vue.js application.
Basically, I need two nginx servers for Rails with https protocol, server configs look like this (it's working :)):
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server_names_hash_bucket_size 64;
upstream puma {
server unix:///home/deploy/apps/example/shared/tmp/sockets/example-puma.sock;
}
server {
listen 443 ssl;
server_name www.example.me;
ssl on;
ssl_certificate /home/deploy/apps/example/current/certs/cert_chain.crt;
ssl_certificate_key /home/deploy/apps/example/current/certs/private.key;
root /home/deploy/apps/example/current/public;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
keepalive_timeout 30;
}
So here I need to add Vue.js application server, and here is where thing are getting mess up and stop working (it's config for Vue in history mode):
server {
listen 80;
server_name backoffice.example.me;
root /home/deploy/apps/example-front;
index index.html;
location / {
try_files $uri $uri/ #rewrites;
}
location #rewrites {
rewrite ^(.+)$ /index.html last;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
}
Is there any way to make it work on one physical server?
I have a website and multiple subdomains. On each subdomain, except one, I use a CMS that generates it's own ssl using Let's Encrypt. On the remaining subdomain I want to add my own certificate from Cloudflare. I generated a certificate put it in my /var/www/my/ for now. Just for testing. And in nginx I configured this block:
server{
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /var/www/my/fullchain.cer;
ssl_certificate_key /var/www/my/my.domain.com.key;
root /var/www/my;
index index.php index.html;
server_name my.domain.com;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/my/$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
There seems to be a problem with my implementation because now my.domain.com works but for everything else I get this error from Cloudflare: Error 525: SSL handshake failed.
Any ideas what I'm doing wrong?
Thank you
EDIT:
This is the conf file from the CMS. THis is how they set the certificate.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sub.domain.com;
root /var/www/sub/system/nginx-root;
ssl_certificate /home/domain/.acme.sh/sub.domain.com/fullchain.cer;
ssl_certificate_key /home/domain/.acme.sh/sub.domain.com/sub.domain.com.key;
include /var/www/sub/system/files/ssl-params.conf;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2369;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
I have an nginx setup like this:
/etc/nginx/sites-available/default-ssl.conf:
server {
listen 443 ssl;
server_name my.server.name;
ssl_certificate /etc/letsencrypt/live/my.server.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.server.name/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# root /usr/share/nginx/html;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
location /proxiedhost/ {
rewrite ^/proxiedhost(/.*)$ $1 break;
proxy_pass http://127.0.0.1:6080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
<<<< A couple more of these blocks >>>>
}
server {
listen 80;
server_name origin.ticktockhouse.co.uk;
return 301 https://$host$request_uri;
}
/etc/nginx/sites-available/aptrepo.conf:
server {
listen 80; ## listen for ipv4; this line is default and implied
root /home/aptrepo/;
index index.html index.htm;
server_name aptrepo.server.name;
}
My problem is that when I browse to http://aptrepo.server.name, it automatically redirects to https://aptrepo.server.name, which I don't have a letsencrypt cert for. Of course, I could get one, but I don't particularly need it, and would like to get to the bottom of why this is happening.
I'm willing to believe it's the server block in the default-ssl.conf, but I'm confused as to why the other server block isn't something completely separate. I've looked around for an explanation, but unfortunately most articles/questions are around how to get https to redirect to http - obviously a problem I've already solved!
Might be the case of nginx not selecting the correct server {} block.
For testing purposes only, try commenting out return 301 https://$host$request_uri; and see if this solves the problem on aptrepo.server.name