I use reverse proxy with Nginx and I want to force the request into HTTPS, so if a user wants to access the url with http, he will be automatically redirected to HTTPS.
I'm also using a non-standard port.
Here is my nginx reverse proxy config:
server {
listen 8001 ssl;
ssl_certificate /home/xxx/server.crt;
ssl_certificate_key /home/xxx/server.key;
location / {
proxy_pass https://localhost:8000;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
I've tried many things and also read posts about it, including this serverfault question, but nothing has worked so far.
Found something that is working well :
server {
listen 8001 ssl;
ssl_certificate /home/xxx/server.crt;
ssl_certificate_key /home/xxx/server.key;
error_page 497 301 =307 https://$host:$server_port$request_uri;
location /{
proxy_pass http://localhost:8000;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
}
Are you sure your solution is working? It is listening for 8001 ssl. Will it accept http request?
I do it this way:
server {
listen 80;
server_name yourhostname.com;
location / {
rewrite ^(.*) https://yourhostname.com:8001$1 permanent;
}
}
Then goes your config:
server {
listen 8001 ssl;
ssl_certificate /home/xxx/server.crt;
ssl_certificate_key /home/xxx/server.key;
location / {
proxy_pass https://localhost:8000;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
This worked for me:
server {
listen 80;
server_name localhost;
...
if ($http_x_forwarded_proto = "http") {
return 301 https://$server_name$request_uri;
}
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080;
}
...
}
You can
use $server_name to avoid hard coding your domain name again (DRY),
use return 301 for a bit easier reading (a web dev should know this http status code)
Note: I put 443 for https server. You may listen to 8001 if you really want that.
server {
listen 80;
server_name your_hostname.com;
return 301 https://$server_name$request_uri;
}
...
server {
listen 443 ssl;
server_name your_hostname.com
...
}
This is my approach, which I think is quite clean and allows you to add further locations if needed. I add a test on the $http_x_forwarded_proto property which if true forces all HTTP traffic to HTTPS on a NGINX Reverse Proxy setup
upstream flask_bootstrap {
server flask-bootstrap:8000;
}
server {
# SSL traffic terminates on the Load Balancer so we only need to listen on port 80
listen 80;
# Set reverse proxy
location / {
proxy_pass http://flask_bootstrap;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect http://localhost/;
# Permanently redirect any http calls to https
if ($http_x_forwarded_proto != 'https') {
return 301 https://$host$request_uri;
}
}
}
Related
I'm trying to deploy a Vue app with a Strapi backend on nginx.
I created 2 files in sites-available, and symlinks in sites-enabled.
I also got an ssl-cert from let’s encrypt.
When I visit the domain, I see nothing in the browser, and have a 304 and some 404 errors in the network tab. When I visit domain.com/admin, I see a strapi splashscreen, but not the login form that I need.
When I go directly to the ip, I see the frontend app, and when I visit :1337/admin, I see the backend. Any idea what I’m doing wrong here?
Thanks
my frontend.conf looks like this
server {
# Listen HTTP
listen 80;
server_name companynamefront.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# Listen HTTPS
listen 443 ssl;
server_name companynamefront.com;
# SSL config
ssl_certificate /etc/letsencrypt/live/new.companyname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/new.companyname.com/privkey.pem;
# Static Root
location / {
root /var/www/html/companyname/v-frontend/dist;
}
}
and the backend.conf looks like this
server {
# Listen HTTP
listen 80;
server_name companyname.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# Listen HTTPS
listen 443 ssl;
server_name companyname.com;
# SSL config
ssl_certificate /etc/letsencrypt/live/new.companyname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/new.companyname.com/privkey.pem;
# Static Root
location / {
root /var/www/html/companyname/backend/build;
}
# Strapi API and Admin
location /admin/ {
rewrite ^/admin/(.*)$ /$1 break;
proxy_pass http://localhost:1337;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass_request_headers on;
}
}
Been working on setting up JFrog Container Repository and have been running into an issue with setting up the Docker Repository Ports.
I have gone through and set up Nginx as a reverse proxy and have generated a working sites-available conf file
## add ssl entries when https has been set in config
ssl_certificate /etc/nginx/ssl/secret.crt;
ssl_certificate_key /etc/nginx/ssl/secret.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 80 ;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/artifactory.jfrog.com-access.log timing;
## error_log /var/log/nginx/artifactory.jfrog.com-error.log;
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am able to view the page, login, create repositories...etc...
But when I go to the Advanced tab of a docker repository to try and set the HTTP settings, I am still greeted by the "To use this feature first configure reverse proxy." even though I am viewing the page through the reverse proxy at the time.
I don't know if I am missing something super simple or if I am just running into a bug of sorts. I looked through the JFrog jira and couldn't seem to find anything that matched this description.
Any help would be greatly appriciated.
Thank you!
Edit:
Should probably leave some system info as well...
OS: Centos 7
Nginx: 1.16.1
JCR: 6.17.0-61700900
This is a bug. I have filed RTFACT-21197 for you. That said, it is simply a generator and you can simply edit your existing configuration. For ports, all you need to do is copy/paste and add a docker line with the repository name. For example, let's say you have a repository called docker-local and you want that to be accessible at port 5000, your final configuration would look like this:
## add ssl entries when https has been set in config
ssl_certificate /etc/nginx/ssl/secret.crt;
ssl_certificate_key /etc/nginx/ssl/secret.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 80 ;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/artifactory.jfrog.com-access.log timing;
## error_log /var/log/nginx/artifactory.jfrog.com-error.log;
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 5000 ssl;
server_name subdomain.domain.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
rewrite ^/$ /artifactory/webapp/ redirect;
rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;
rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/docker-local/$1/$2;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
if ( $request_uri ~ ^/artifactory/(.*)$ ) {
proxy_pass http://localhost:8081/artifactory/$1;
}
proxy_pass http://localhost:8081/artifactory/;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am trying attempting to get the 'www' sub-domain redirected to the same route without the 'www' but when accessing the address i receive the following error:
Your connection is not private
Attackers might be trying to steal your information from www.*.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
The sub-domain without the 'www' is fully active and set up with an SSL i've made using Lets Encrypt (both version of the sub-domains were registered when creating the SSL).
When doing a curl command on the 'www' domain i successfully get a '301 Moved Permanently'.
Here is the configuration file of my nginx:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 sitename.com$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
edited, see comment
You could try a more complete solution. Using wildcards and a improved redirect. Please try it!
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name .sitename.com; # Note the '.' before sitename!
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Docs
.sitename.com;
A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
I've decided to tackle this issue in another way. I generated another Lets Encrypt SSL certificate for the 'www' subdomain and created another block.
Now everything works as expected.
Here is my updated config:
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
server_name sitename.com www.sitename.com;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.sitename.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/www.sitename.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.sitename.com-0001/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
I have nginx as frontend for apache. Apache listen port 8008.
Nginx config
server {
listen 80;
server_name SERVER_NAME;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:8008;
}
}
When I open url SERVER_NAME, browser actualy opens url SERVER_NAME:8008. And apache respons to the browser, not nginx.
You should not have the forwarding if you want your proxy to act as front-end.
Thy just this:
server {
listen 80;
server_name SERVER_NAME;
location / {
proxy_pass http://localhost:8008;
}
}
I'm trying to setup Nginx to work with SSL. When I visit the home page, the webserver tells me the page is not available. But when I add the port 433 on the URL, it just works. What should I do to not require the port 433 on the URL?
server {
ssl on;
listen 433 ssl;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/server.key;
server_name mywebsite.com;
access_log on;
location / {
proxy_pass http://0.0.0.0:8001;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
}
}
Standard port for SSL is 443, not 433.