Nginx (reverse proxy) can't forward SSL certificate of HTTPS backend to clients - ssl

I have made a reverse connection to one of the web servers on which SSL is applied, and the content is in a directory (http://webserver.com/directory), so I had to use a rewrite rule, and that works well.
The thing is that nginx can't pass SSL from the backend web server, and I get an error in the Silverlight application.
Could someone advise me on what to do? The config is very basic, as only the rewrite is added.
Looking forward to suggestions, ideas, answers.
Best regards.
Edit: pastebin.com/SnyHaUL4

As far as I know, you could say that "it's not a bug, it's a feature": one of the features of SSL is that it prevents man-in-the-middle attacks. If you want to use SSL, then nginx itself should have an SSL key and allow HTTPS connections; otherwise the user will see the well-known yellow warning page about untrusted SSL.
If you implement SSL for nginx, then the connection would be like this:
client -> nginx ssl -> nginx -> server ssl -> server
The connection will be encrypted and decrypted twice on the way to the server; the client won't see the server SSL and will only see the nginx SSL.
If you don't have or don't want to use SSL on your nginx, then you need to make the connection to it unsecured; then the warning won't appear and everything will work fine.
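The two-hop chain above as an nginx configuration, written here as an added example rather than taken from the answer or the poster's pastebin: nginx presents its own certificate to the client, then opens a second, verified TLS connection to the HTTPS backend. The hostnames, certificate paths and the /directory prefix are assumptions for illustration.

```nginx
# Added example: TLS terminated at nginx, re-encrypted towards the backend.
# proxy.example.com, the certificate paths and /directory/ are assumed values.
server {
    listen 443 ssl;
    server_name proxy.example.com;

    # This is the certificate the browser (and the Silverlight app) sees; it is
    # issued for proxy.example.com, so the client never has to trust the backend's.
    ssl_certificate     /etc/nginx/tls/proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend content lives under /directory, so the prefix is added here
        # instead of with a rewrite rule: /foo becomes /directory/foo.
        proxy_pass https://webserver.com/directory/;

        # Verify the backend's certificate. Without these lines nginx accepts
        # any certificate on the second hop, which is exactly where a
        # man-in-the-middle would sit.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name         on;   # send SNI for webserver.com
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Tell the backend who the real client is and that it arrived over HTTPS.
        proxy_set_header Host              webserver.com;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Test the backend hop on its own with `nginx -t` and then a request through the proxy; a wrong CA bundle shows up in the error log as an upstream SSL certificate verify error rather than as a browser warning.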

Related

Can OWASP ZAP be used to proxy all HTTP and HTTPS traffic through an HTTPS connection?

I've just started using ZAP, and am successfully running it in Firefox and Chrome.
I'd like to use it to automatically serve its SSL cert for non-HTTPS sites as well.
So for example, I'd like it to be able to serve
http://example.com
as
https://example.com
even though example.com normally wouldn't serve an SSL cert.
This would allow me to test local development sites without ever creating a self-signed cert for them, or having to configure the cert with a web server.
I've tried to port-forward my dev port (18000) to port 443, but there's no SSL cert being served by my web server, and the connection fails. I've also tried this with the SNI Terminator ZAP plugin with no luck, though it feels like it's super close!
Any suggestions?
No application can choose the communication protocol on which a client communicates. Web server communication is strictly client-driven, except for server redirects. For the client to choose HTTPS out of the two options, HTTP and HTTPS, you may install browser plugins like HTTPS Everywhere, which will seek HTTPS first even if HTTP is entered in the browser.

Do I need any additional configuration for express to use https?

If I got a signed certificate from letsencrypt.org and baked it into my nginx web server, does that mean I still need to configure express.js to use https?
As in, nginx serves me a secure web page, and I see the HTTPS lock on the top left, but do I need to do any extra configuration with Express at all?
No, node/express does not need to handle SSL: you can have a separate service for node/express and have nginx act as a reverse proxy and do SSL offloading.
Under this configuration, browsers will first hit your nginx web server over HTTPS; nginx will handle the SSL decryption and forward the decrypted HTTP request to your node process.
Your node process doesn't have to know HTTPS is happening at all.
Digital Ocean really has the best docs for setting this up on linux with systemd.
The first link is a clear tutorial on setting up an nginx reverse proxy to node.
The second link shows configuring SSL in nginx with a simple reverse proxy (in this specific example it's not a node server on the receiving end, but the concepts are the same) to accomplish the SSL termination.
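The SSL-offloading setup this answer describes, as an added example (not the answer's own configuration, nor the DigitalOcean tutorials it links): nginx owns the Let's Encrypt certificate and forwards plain HTTP to the Express process on loopback. The hostname, certificate paths and the app port 3000 are assumptions.

```nginx
# Added example: nginx does the SSL offloading, Express never sees TLS.
# app.example.com, the letsencrypt paths and port 3000 are assumed values.
server {
    # Plain HTTP exists only to send every visitor to HTTPS.
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen the site over HTTPS keep using HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Express listens on 127.0.0.1:3000 only, so the decrypted traffic
        # never leaves the host.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # Without these headers the app sees every request as plain HTTP
        # coming from 127.0.0.1 and cannot build correct absolute URLs or
        # set Secure cookies.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Express side, `app.set('trust proxy', 'loopback')` makes `req.secure` and `req.ip` follow the X-Forwarded-* headers from this nginx instance only, so the app can rely on them without trusting arbitrary clients that set the same headers.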

Redirect SSL to another SSL

I have several https://*.rest-service.mydomain.com. As the number of services increases, I feel managing SSL certs is costly. I bought a wildcard cert for *.mydomain.com.
Newly added services are placed under mydomain.com with a new wildcard cert and it works well. However, as always, legacy is an issue.
I still have a lot of https traffic to https://*.rest-service.mydomain.com, and its old cert is going to expire.
In this situation, is there any good approach to redirect legacy HTTPS traffic to the new one?
Since the client still knows only legacy endpoint https://*.rest-service.mydomain.com, can I redirect the client to the new server https://*.mydomain.com and handle the request as well?
I use nginx as a web server and ELB for a load balancer.
... and its old cert is going to expire.
While you can redirect from SSL to SSL (see the other answer), you still need to have a valid certificate for the host you redirect from. This means the redirection will stop working (or at least cause certificate validation errors) once the old cert has expired. To fix this you need to renew the certificate.
Apart from that, you must be sure that the services can actually deal with redirection. While a browser handles redirection in a way that is transparent to the user, that is not necessarily the case for applications using a REST API. These might expect to get the response directly and not a redirection which they have to follow and resubmit the REST request.
Try this regexp-ed server:
server {
    # Captures whatever precedes .rest-service.mydomain.com into $subdomain.
    server_name ~^(?P<subdomain>.+)\.rest-service\.mydomain\.com$;
    listen 443 ssl;
    # A valid certificate for the legacy name is still required on this vhost.
    ssl_certificate     /path/to/legacy-rest-service.crt;
    ssl_certificate_key /path/to/legacy-rest-service.key;
    # Same path and query string on the new host.
    return 301 https://$subdomain.mydomain.com$request_uri;
}

Connection Partially Encrypted in Firefox: SSL

I have uploaded my SSL certificates, purchased from Comodo, to IAM, and everything looks fine in Chrome and Opera. But Firefox is giving an error: "Connection Partially Encrypted". I am not able to gauge why this is happening.
Link : https://www.advisorcircuit.com/
Please tell me what is the possible culprit for this?
And also I want to know how I can redirect my users to HTTPS even if they type http, as even if I type http the website loads and opens.
I am using an AWS t2.medium instance. So is there any configuration I need to do in my console?
Redirection:
You have a few options:
Block HTTP traffic and only allow HTTPS at the Security Group level (not the nicest solution).
Use an Elastic Load Balancer listening only on the HTTPS port (same as above).
The web server (most of them, like Tomcat, IIS, etc.) supports a redirection, so it sends back "HTTP/1.1 301 Moved Permanently", then the client browser does the call again on HTTPS.
If you use an Elastic Load Balancer with SSL termination (which is a good practice: less load on your server, easier setup of the SSL certificate), then all your traffic inside your VPC goes on port 80. In this case you need to set up your web server to redirect differently. Instead of the incoming port, the trigger for the redirection should be based on the "X-Forwarded-Proto" header value, which is the original protocol that the client is using.
For a production environment the last setup is an AWS best practice. (Of course there are also other solutions.)
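The last option above, the X-Forwarded-Proto based redirect behind an SSL-terminating ELB, as an added nginx example (not taken from the answer; the asker's site runs Apache, so this only illustrates the idea). The health-check path and document root are assumptions.

```nginx
# Added example: nginx behind an ELB that terminates SSL. Every request
# arrives on port 80, so the only evidence of the client's original
# protocol is the X-Forwarded-Proto header the load balancer adds.
# /healthz and /var/www/html are assumed values.
map $http_x_forwarded_proto $redirect_to_https {
    default 1;   # header missing or "http": send the client to HTTPS
    https   0;   # already HTTPS at the load balancer, serve normally
}

server {
    listen 80;
    server_name www.advisorcircuit.com;

    # Health checks hit the instance directly, without the header; a 301
    # here would make the ELB mark the instance unhealthy, so answer them.
    location = /healthz {
        return 200 "ok\n";
    }

    location / {
        # Decide on the original protocol, not on the incoming port.
        if ($redirect_to_https) {
            return 301 https://$host$request_uri;
        }
        root /var/www/html;
    }
}
```

The header is only trustworthy because the ELB is the sole path into the instance; keep the security group from accepting port 80 from anywhere except the load balancer, otherwise any client can set X-Forwarded-Proto: https itself and skip the redirect.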
Your site is running Apache/2.2.29. You can redirect your virtual host traffic from 80->443 in Apache itself. That way, if someone goes to http://www.yourdomain.com, they get redirected to https://www.yourdomain.com.
ServerFault has a post explaining how to use Apache mod_rewrite to accomplish this:
https://serverfault.com/a/554183/280448
Also you need to adjust the SSL cipher suites that your site accepts. Your ELB has an option to change cipher suites and you can deselect some there. The two you definitely want deselected are RC4 and SSL3.
Here's the full report if you want to make more changes
https://www.ssllabs.com/ssltest/analyze.html?d=www.advisorcircuit.com&s=52.7.154.196&latest

Reverse proxy from apache server A to apache server B with SSL

I am in the process of migrating a webapp from one server to another, and the IP addresses of the servers are different. I need to change the A record for the domain to the new server. To make sure the traffic to the old server ends up at the new server, I need to set up a reverse proxy on the old server which will redirect all traffic to the new server.
I have several domains on the same server with different SSL certificates. The client will have an SSL connection to the old Apache server, and the new server will accept connections through SSL only. So I need to set up a reverse proxy with an SSL connection. Is this possible in Apache? How do I achieve this? I am also worried about slowness due to two SSL connection setup times.
Yes, it is perfectly possible using mod_proxy and mod_ssl. See:
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxyengine
As mentioned by Remi, it is possible, and to add to that, you do not have to worry about 2 SSL connections, since I am assuming that the reverse proxy connection would have keep-alive switched on and therefore the SSL connection setup between the two servers would only be carried out intermittently.
So remember to set up keep-alive. Any server worth its salt would support that, and Apache does too.
On the old server I would perform a browser redirection, "301 Moved Permanently", to the other IP/hostname (probably on the app root too, just to annoy them enough to change their bookmark and stop using IP addresses in favor of hostnames). Light and effective.