Running NGINX with SSL, and the browser continues to time out.
Here is my NGINX conf file:
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
}

http {
    proxy_next_upstream error;
    charset utf-8;
    include mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    keepalive_timeout 65;
    keepalive_requests 0;
    proxy_read_timeout 200;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml
               application/x-javascript application/xml
               application/atom+xml text/javascript;

    server {
        ### WEB Address ###
        server_name mydomain.com;
        ### SSL log files ###
        access_log /var/log/nginx/ssl-access.log;
        error_log /var/log/nginx/ssl-error.log;
        listen 443;
        ### SSL Certificates ###
        ssl on;
        ssl_certificate /etc/nginx/unified.crt;
        ssl_certificate_key /etc/nginx/ssl.key;
        keepalive_timeout 60;
        ### PROXY TO TORNADO ###
        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_pass http://127.0.0.1:8889;
        }
    }
}
The SSL access log and error log are blank.
I've tried restarting NGINX a couple of times. As a side note, commenting out SSL and setting listen to 80 works for non-SSL connections.
Any help would be great.
Maybe 443 port is closed on your server? Check this with http://www.yougetsignal.com/tools/open-ports/
I agree with Klen's answer, and I would add more.
First, go and check that your port 443 is open at http://www.yougetsignal.com/tools/open-ports/
If it's closed, go to your AWS console, select your instance and go to Description -> Security groups -> launch_wizard-1.
Then click on Edit -> Add Rule.
Select HTTPS from the options and you should see this.
There are several things to check:
#1: Check if HTTPS is allowed on your Ubuntu server
sudo ufw allow https && sudo ufw enable
#2: Check if port 443 is open
First I checked what is listening on port 443 with this command:
lsof -iTCP -sTCP:LISTEN -P
I saw nginx, which was correct.
Then I checked whether 443 is open with the tool mentioned by klen (http://www.yougetsignal.com/tools/open-ports/).
Port 443 was closed, so I had to run
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
to open port 443.
I have Ant Media Server community edition running on a KVM VM on onsite server hardware (testing for now) and would like to serve up staff how-to videos for an intranet to those inside and outside the firewall for our little NPO. We do this with a number of different web, chat, wiki, code-library, etc. servers and functions using an nginx proxy server that manages Let's Encrypt certs for each and provides access to people onsite or at home. We have the port forwarding set up correctly on the router and it all runs pretty nicely.
When I proxy Ant Media Server this way it works fine to get to the admin GUI; it comes right up on port 443, proxied from port 5080. But streaming does not work through the proxy, either inside or outside the firewall, with all ports open on both the media and proxy server. It shows the web page with the "Stream will start playing automatically when it is live" message for a VOD link and then just stops; it does not start the player or stream video. The VOD video plays correctly when accessed directly via port 5080.
I realize that maybe you've taken steps to make sure people cannot do what I am trying to do, which circumvents the community edition license features that do not include the SSL feature. If so, just let me know.
I am aware that there is a feature to allow SSL via Let's Encrypt directly on Ant Media Server. But I cannot keep public port 80 forwarded to Ant Media Server to allow for Let's Encrypt cert updating; port 80 is forwarded to the dedicated proxy/cert machine that I mentioned above, which does this job very well for us.
Otherwise, if this should work and anyone can look at my settings and tell me what's awry, here are my proxy_pass settings:
---------------proxy_pass directive--------------------
server {
    listen 443 ssl http2;
    server_name antmedia.my.org;
    add_header 'Access-Control-Allow-Origin' '*';

    location / {
        proxy_pass http://192.168.254.194:5080;
        proxy_redirect http://192.168.254.194:5080 https://antmedia.my.org;
    }
}
Thanks so much!! I think it's really cool that Ant Media is giving Wowza such a run for their money!!
The nginx.conf settings are stock/default for this Docker image, which is optimized for the reverse proxy role. Here they are with only the active lines listed:
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    variables_hash_max_size 2048;
    large_client_header_buffers 4 16k;
    client_max_body_size 0;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
    lua_load_resty_core off;
}
Can you please try the following?
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    server_name yourdomain.com;

    location / {
        proxy_pass http://192.168.254.194:5080;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
Most/many visitors to the site https://example.org get a connection timeout. Some visitors get through, possibly ones redirected from http://example.org or those who've previously visited the site.
I'm trying to determine if this is a firewall issue or an nginx configuration issue.
Firewall
I'm using UFW as a firewall, which has the following rules:
To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
SSH (v6)                   ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
I could give some relevant rules from iptables if anyone needs that, but I'd need some direction on what to look for.
For sudo netstat -anop | grep LISTEN | grep ':443' I get
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 120907/nginx: worke off (0.00/0/0)
tcp6 0 0 :::443 :::* LISTEN 120907/nginx: worke off (0.00/0/0)
Not sure what "worke off" means.
nginx
It's a virtual host with the server name myservername.com which serves up two websites, example.org and example.com/directory. Example.org points to a Docker container running eXist-db. Example.com/directory is serving up a directory on localhost:8080 proxied from another server where example.com lives. Example.com/directory is running smoothly on HTTPS when I access it in the browser; I presume this is because it actually talks to the example.com host over HTTP.
Example.org and myservername.com both have certs from Let's Encrypt generated by certbot.
When I try nmap from my local machine I get some results I can't explain. Notice the discrepancy between port 80 and port 443 and between IPv4 and IPv6.
$ nmap -A -T4 -p443 example.org
443/tcp filtered https
$ nmap -A -T4 -p443 my.server.ip.address
443/tcp filtered https
$ nmap -A -T4 -p443 -6 my:server:ip::v6:address
443/tcp open ssl/http nginx 1.10.3
$ nmap -A -T4 -p80 example.org
80/tcp open http nginx 1.10.3
$ nmap -A -T4 -p80 my.server.ip.address
80/tcp open http nginx 1.10.3
My nginx.conf is
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    client_max_body_size 50M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
and my nginx server blocks:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _ myservername.com;
    return 301 https://myservername.com$request_uri;
}

server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _ myservername.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8080;
    }

    ssl_certificate /etc/letsencrypt/live/myservername.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myservername.com/privkey.pem;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    gzip off;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8080;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    return 301 https://example.org$request_uri;
}

server {
    # SSL configuration
    #
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org www.example.org;
    gzip off;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://docker.container.ip.address:port/exist/apps/example/;
    }

    location /workshop2020/ {
        return 302 http://example.org/forum2020/;
    }

    location /exist/apps/example/ {
        rewrite ^/exist/apps/example/(.*)$ /$1;
    }

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
}
Very grateful for any help!!
It turns out it was the firewall, not nginx. Although I'm using ufw as my firewall, there was a preexisting INPUT DROP rule in iptables (but not in ip6tables) that was catching https requests.
Thanks to Francis Daly over in the nginx forums who explained how to identify whether the https request to port 443 was even getting to nginx.
I disabled IPv6 in my browser and then tried loading the site. By looking at tcpdump while trying to load the site, I was able to see what was happening with the requests: $ sudo tcpdump -nnSX -v port 443 showed a bunch of packets with Flags [S]. Thus the request was getting to the machine but there was no handshake.
Comparing this to the nginx access log, I was able to see that the request didn't get to nginx at all.
So I examined iptables more carefully and found the offending rule.
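The two diagnostics above, checking what is bound to port 443 and walking the INPUT chain for a rule that drops TCP/443 before it reaches nginx, as one script. This is an added example and not code from any post in the thread; the ss and iptables output it ships with is constructed to mirror the situation described (a catch-all DROP in iptables, none in ip6tables), and the live mode assumes root plus iproute2's ss -H.

```shell
#!/bin/sh
# Added example, not from any post in this thread. It automates the diagnosis
# described above: nginx is bound to 443, yet clients time out because a
# netfilter INPUT rule (present in iptables but not ip6tables) discards the
# SYNs before they reach nginx. Both functions read command output from stdin,
# so they work on saved text as well as live output. Heuristic: ufw's own
# chains (ufw-*) are not followed; a port-less DROP such as a ctstate INVALID
# drop is reported too, so read the list rather than trusting a count.

# Input: `iptables -S INPUT` or `ip6tables -S INPUT` (rules in evaluation order).
# Output: rules that can stop TCP/443: an explicit DROP/REJECT for 443, a
# port-less DROP/REJECT reached before any ACCEPT for 443, or a DROP policy
# with no ACCEPT for 443 at all. Port ranges (e.g. 440:450) are not parsed.
blocking_rules_443() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dports? (.*,)?443(,| |$)/ { accepted = 1; next }
        /^-A INPUT / && /-j (DROP|REJECT)/ && /--dports? (.*,)?443(,| |$)/ { print; next }
        /^-A INPUT / && /-j (DROP|REJECT)/ && !/--dport/ && !/-p udp/ && !accepted { print; next }
        /^-P INPUT (DROP|REJECT)/ { policy = $0 }
        END { if (policy != "" && !accepted) print policy }
    '
}

# Input: `ss -ltn` or `netstat -tln` output (column 4 is the local address in
# both). Output: sockets bound to port 443; expect both 0.0.0.0:443 and [::]:443.
listeners_443() {
    awk '$4 ~ /:443$/ { print $4 }'
}

# Constructed sample output (not captured from a real host) mirroring the
# thread: nginx bound on v4 and v6, a catch-all DROP in iptables ahead of the
# ACCEPT that ufw added, and a clean ip6tables.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1207,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1207,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'
SAMPLE_V4='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
SAMPLE_V6='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Run live as root (sh thisfile.sh --live); otherwise show the sample results.
if [ "${1:-}" = "--live" ]; then
    echo "listeners:";  ss -Hltn | listeners_443
    echo "iptables:";   iptables -S INPUT | blocking_rules_443
    echo "ip6tables:";  ip6tables -S INPUT | blocking_rules_443
else
    echo "listeners:";  printf '%s\n' "$SAMPLE_SS" | listeners_443
    echo "iptables:";   printf '%s\n' "$SAMPLE_V4" | blocking_rules_443
    echo "ip6tables:";  printf '%s\n' "$SAMPLE_V6" | blocking_rules_443
fi
```

A rule printed for iptables but not for ip6tables is exactly the v4-filtered, v6-open picture nmap showed in the question.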
Please also note that some hosters/cloud providers have an additional hardware-level/external firewall, often enabled by default (with SSH port 22 the only allowed port), that also needs to be configured (e.g. Hetzner, IONOS, OVH, ...)!
I am trying to deploy my local nginx server to the public. The nginx server runs as a reverse proxy to my Node Express app, which is also running locally on port 3000. Therefore I have created a symbolic link from /etc/nginx/sites-available/express TO /etc/nginx/sites-enabled/express, so my configuration file is called express and looks like this:
/etc/nginx/sites-enabled/express
upstream express_servers {
    server 127.0.0.1:3000;
}

server {
    listen 80;

    location / {
        proxy_pass http://express_servers;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
I have removed the default file from the sites-enabled folder, and I have not changed my nginx.conf file, which looks like this:
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
I also changed my firewall settings with ufw (Uncomplicated Firewall) to allow in HTTP access (especially nginx). My ufw status looks like the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
When I run load tests with wrk or loadtest (npm) everything seems to work fine. For example:
wrk -t12 -c50 -d5s http://192.168.178.57/getCats/eng
So locally I can access the nginx server, but when I try to access the server from the public internet with my phone (3G/4G), I can't reach the server. What exactly did I miss?
EDIT: I'm trying to access the service by http://PUBLIC_IP_ADDR/getCats/eng, not the local addr.
Your nginx config looks perfectly fine.
To be able to access your server from outside you need a public static IP from your ISP. Also, the ISP should not block incoming traffic to ports 80 and 443 (in case you decide to go with HTTPS).
Then you probably have a LAN like this:
ISP <---> Router <---> Server
            ^
            |
            ----> your other devices
In this case the public IP will be assigned to the router; all other devices will have local private IPs like 192.168.x.x/24, 10.x.x.x/8 or 172.16.0.0/20.
You need to configure port forwarding to the server's private IP on the router. Depending on the router's vendor this feature may be called "virtual server" or similar, and is usually found somewhere near the WAN configuration. Set it up to forward TCP port 80 to the server's local port 80, and the same for 443.
Also, you may need to give the server a static IP so that its local IP address will not change.
I think you have to put
listen *:80
in your file /etc/nginx/sites-enabled/express
nginx listen doc
I think it's not listening for requests from your ISP public IP as you have it now.
I have a Docker server where I have installed GitLab from sameersbn/docker-gitlab.
I have an nginx container that listens on 443:433 and 80:80; I will use this one to load balance HTTP and HTTPS (with signed cert) requests.
nginx.conf
worker_processes auto;

events { worker_connections 1024; }

http {
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    upstream gitlab {
        server gitlab:10080;
    }

    server {
        listen 80;
        listen 443 ssl;
        server_name www.domain.tld;

        ssl on;
        ssl_certificate /usr/local/share/ca-certificates/domain.crt;
        ssl_certificate_key /usr/local/share/ca-certificates/domain.key;
        ssl_trusted_certificate /usr/local/share/ca-certificates/GandiStandardSSLCA2.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        root /usr/share/nginx/html;

        location /git/ {
            proxy_pass http://gitlab;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
Without SSL, the working URL to access GitLab is http://www.domain.tld:10080/git
With SSL, I want the URL to be https://www.domain.tld/git
Using this nginx load balancer configuration:
When I go to http://www.domain.tld/git
400 Bad Request
The plain HTTP request was sent to HTTPS port
When I go to https://www.domain.tld/git
ERR_CONNECTION_REFUSED
This is my first signed certificate; how is this supposed to work?
To solve the problem there are 2 steps required:
1. Make Nginx redirect HTTP to HTTPS
2. Make GitLab listen on port 80 via HTTP
Why make GitLab listen on port 80? This technique is called SSL offload; it prevents redundant HTTPS encryption/decryption between the upstream and the web server. It is rarely required and only makes sense in the case of different hosts with complex security requirements.
Nginx
server {
    listen 80;
    server_name www.domain.tld;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.domain.tld;
    [....]
}
Gitlab
vi ./gitlab/config.yml
gitlab_url: "http://server1.example.com" # http rather than https
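A lint for the mistake this answer corrects (ssl on; in a block that also listens on port 80, which yields the 400 above), along with the IPv4-only TLS listen behind the nmap discrepancy in the earlier question. It is an added example rather than anything posted in the thread; it assumes one directive per line with server { on its own line, as in the configs here, and the sample config it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Reads nginx server blocks
# (a site-conf file or `nginx -T` output) and flags the settings behind the
# symptoms discussed: "ssl on;" beside a plain "listen 80;" (400 plain HTTP
# request was sent to HTTPS port), a port-443 listen with no TLS at all, and
# TLS bound on IPv4 only (no "listen [::]:443 ssl"). One directive per line.
lint_server_blocks() {
    awk '
        function report() {
            tag = "server(" (name == "" ? "?" : name) "):"
            if (sslon && p80)
                print tag, "ssl on turns the port-80 listen into TLS -> 400 plain HTTP request was sent to HTTPS port"
            if (p443 && !ssl443 && !sslon)
                print tag, "port 443 has no TLS (neither ssl on nor listen ... ssl) -> TLS handshake fails"
            if (p443 && (ssl443 || sslon) && !v6_443)
                print tag, "TLS listen on IPv4 only; add listen [::]:443 ssl"
        }
        # A new server block resets all per-block state.
        /^[ \t]*server[ \t]*[{]/ { inblock = 1; depth = 0; name = ""; p80 = p443 = ssl443 = v6_443 = sslon = 0 }
        inblock {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested location {} blocks
            if ($1 == "server_name") { name = $2; sub(/;$/, "", name) }
            if ($1 == "listen") {
                flag = ($0 ~ /[ \t]ssl[ \t;]/)              # "listen ... ssl"
                if ($2 ~ /(^|:)80;?$/) p80 = 1
                if ($2 ~ /(^|:)443;?$/) {
                    p443 = 1
                    if (flag) ssl443 = 1
                    if ($2 ~ /^\[::\]/) v6_443 = 1
                }
            }
            if ($1 == "ssl" && $2 ~ /^on/) sslon = 1
            if (depth == 0) { report(); inblock = 0 }     # closing brace of the server block
        }
    '
}

# Constructed sample (not a real site file): the GitLab block from the question
# above and a correct dual-stack block like the example.org one.
SAMPLE_CONF='server {
listen 80;
listen 443 ssl;
server_name www.domain.tld;
ssl on;
location /git/ {
proxy_pass http://gitlab;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.org;
}'

# Lint a real file when given one (sh thisfile.sh /etc/nginx/sites-enabled/x), else the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    lint_server_blocks < "$1"
else
    printf '%s\n' "$SAMPLE_CONF" | lint_server_blocks
fi
```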
I am trying to set up HAProxy as a front-end reverse proxy forwarding requests to Apache web servers in the back end. My problem is that I have been unsuccessful in getting it to work with SSL requests using Apache.
I know that HAProxy cannot handle SSL requests, so I am trying to set up Apache to accept the clients' requests on port 443 and forward them to HAProxy, which will then pick up and forward the requests to the right Apache back-end web server. Has anyone done this successfully? If yes, can you provide examples of the Apache and HAProxy config please?
Yes, I have; please see the configuration here: link text
I use nginx; here is an example nginx.conf:
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/pki/tls/certs/localhost.crt;
    ssl_certificate_key /etc/pki/tls/private/localhost.key;
    ssl_session_timeout 5m;
    # TLS 1.2+ only: SSLv2/SSLv3 and the EXPORT/LOW/RC4 cipher families are broken
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://127.0.0.1:8000;
    }
}
In haproxy.cfg, set:
listen http_proxy 127.0.0.1:8000