nginx - weird ssl issue - ssl

I'm experiencing a weird Nginx SSL issue that I can't seem to figure out.
What's happening is some users were receiving invalid SSL certificate errors while browsing "site2.com", in the error it was saying that the SSL for site2 was actually for site1.com so for some reason Nginx was loading the SSL from site1 for site2.
So to troubleshoot, I tried removing the entire "SITE_1" block from nginx config, and then site2.com wouldn't load at all. So I'm super confused as to what I'm doing wrong.
Can someone assist me?
# SITE_1
server {
listen 443;
ssl on;
server_name site1.com;
client_max_body_size 10M;
client_body_buffer_size 128k;
ssl_certificate /home/sites/conf/ssl_site1.crt;
ssl_certificate_key /home/sites/conf/ssl_site1.key;
ssl_session_timeout 25m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 240;
proxy_connect_timeout 240;
proxy_send_timeout 240;
send_timeout 240;
proxy_pass http://apache_server;
}
}
# SITE_2
server {
listen 443;
server_name site2.com;
client_max_body_size 10M;
client_body_buffer_size 128k;
ssl_certificate /home/sites/conf/ssl_site2.crt;
ssl_certificate_key /home/sites/conf/ssl_site2.key;
ssl_session_timeout 25m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
gzip on;
gzip_static on;
gzip_buffers 16 8k;
gzip_comp_level 9;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/plain text/css application/x-javascript;
gzip_vary on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 240;
proxy_connect_timeout 240;
proxy_send_timeout 240;
send_timeout 240;
proxy_pass http://apache_server;
}
}

Looks like site2 server declaration is missing the ssl on; config. In site1, you have it directly under listen.

Related

Static files served with Nginx empty or don't load?

I was used to serving static files through express static but want to move to Nginx. I keep my static files in a public folder: /home/user/Documents/app.com/CURRENT PROJECT/public/.
On my websites they are called like this: app.com/css/styles.js, app.com/fonts/font.woff2, app.com/js/main.js.
I wasn't able to figure it out with nginxs examples. When I tried my config they just returned 302 codes. I have tried these versions of the config + I have the entire version bellow if anyone needs it for reference.
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
}
#for each path
location /css/ {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
}
Full:
/etc/nginx/nginx.conf
user www-data;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 8192;
multi_accept on;
}
http {
upstream loadbalance {
least_conn;
server app:8003;
}
limit_req_zone $binary_remote_addr zone=ip:10m rate=4r/s;
http2_push_preload on;
server {
listen 80;
listen 443 ssl http2;
server_name www.app.com;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
return 301 https://app.com$request_uri;
}
server {
limit_req zone=ip burst=20 delay=14;
server_name app.com;
##
# SSL Settings
##
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
# added
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
location ~ \.(css|js|woff|woff2|png|jpg|jpeg|webp|svg|mp3) {
root '/home/user/Documents/app.com/CURRENT PROJECT/public';
gzip_static on;
expires max;
autoindex on;
#add_header Cache-Control private;
}
location / {
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://loadbalance;
}
}
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 32 16k;
gzip_http_version 1.1;
gzip_min_length 1024;
gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
client_body_timeout 16;
client_body_buffer_size 12K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
access_log off;
error_log /dev/null;
include servers/*;
}

nginx forward single path to http

following situation:
I have an play framework server running on localhost:9000. If someone now acces from outside on that server via http, nginx redirect the http request to localhost:9000.
Now i run seperate on that server a rshiny server, that listen on port 9271(https), and has to redirect the traffic to 9270(http).
I tried already some stuff, this one is the last version, that i dont get to work:
server {
listen 9271;
server_name _;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/xxx.pem;
ssl_certificate_key /etc/nginx/ssl/xxx.key;
access_log /var/log/nginx/access.log xxx_host;
error_log /var/log/nginx/error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9270;
proxy_read_timeout 90;
proxy_redirect http://localhost:9270/ $scheme://$host/;
}
}

Site redirected too many times after setting let's encrypt

I have set up www.myapp.io which connects to a MEAN-stack application hosted by nginx. It works, now, I want to add SSL to it. I have followed this link to secure with let's encrypt.
However, after the configuration, https://www.myapp.io isn’t working: www.myapp.io redirected you too many times. ERR_TOO_MANY_REDIRECTS.
The follows is /etc/nginx/sites-enabled/myapp.io, does anyone know where is wrong?
server {
listen 80;
server_name myapp.io www.myapp.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.io www.myapp.io;
ssl_certificate /etc/letsencrypt/live/myapp.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.io/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:EC$
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass https://127.0.0.1:3000;
}
}
(I did not put ssl_session_cache shared:SSL:50m;, because I already have ssl_session_cache shared:SSL:10m; in /etc/nginx/nginx.conf.)
The config file before adding ssl, which worked:
server {
listen 80;
server_name myopp.io *.myopp.io;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:3000;
}
}
PS: The site is managed via cloudflare, at the moment, the SSL setting on clouldflare is Flexible, I don't know if I need to change it.
As #dave_thompson_085 suggested in his comment, changing Flexible to Full in Cloudflare will make https://www.myapp.io reachable...

Nginx unknow protocol via ssl

I have issue with configure nginx as reverse proxy via ssl.
This is my configuration:
worker_processes 4;
events { worker_connections 1024; }
http {
upstream oidc-app {
least_conn;
server oidc_1:44338;
server oidc_2:44338;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
server_name localhost;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security max-age=15638400;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
error_log /var/log/nginx/error.log debug;
location / {
proxy_pass https://oidc-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_redirect http:// https://;
}
}
}
When I open my app in browser I have an error from nginx:
*2 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 172.18.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://172.18.0.5:44338/", host: "localhost"
Whats more, if I turn on Fiddler and capture https traffic with ignore certificate - everything is fine.
However if I disable Fiddler - an error occured again.
What I'm doing wrong?
If I configure nginx as http via 80 port - everything is fine again.

SSL Labs - HSTS not working - Nginx

I have trouble getting HSTS status working with SSL Labs. HSTS shows up as "No" when I test my website, but I have HSTS configured in my config file. I have nginx 1.6.2. Following is the conf file. Any help would be highly appreciated. Thanks!
server {
listen 443;
ssl on;
ssl_certificate <<path to cerificate>>;
ssl_certificate_key <<path to key>>
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
ssl_prefer_server_ciphers on;
ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location /{
proxy_pass http://localhost:4002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
root /usr/share/nginx/html;
index index.html index.htm;
Put something in index.html in your root location and try to open it in a browser;
index.html should be reachable.