How to configure SNI in nginx? - nginx

I wish to serve two or more of my domain names from a single instance of nginx running on a raspberry pi, however something is not working alright.
Nginx was compiled with SNI support enabled:
> nginx -VC
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
However I suspect that SNI is not in effect. I am trying to access my domains from multiple modern browsers guaranteed to have SNI support (firefoxes, chromes, opera and more).
My configurations are as follows:
/etc/nginx/sites_enabled/domain1.conf contains the following:
server {
listen 443 ssl;
server_name domain1.com www.domain1.com;
root /var/www/domain1.com/html;
index index.html index.htm;
ssl_certificate /var/www/domain1.com/ssl/cert.pub;
ssl_certificate_key /var/www/domain1.com/ssl/cert.key;
location / { try_files $uri $uri/ $uri.html =404; }
}
server {
listen 80;
server_name domain1.com www.domain1.com;
return 301 https://$server_name$request_uri;
}
whereas /etc/nginx/sites_enabled/domain2.conf containsthe following:
server {
listen 443 ssl;
server_name domain2.net www.domain2.net;
root /var/www/domain2.net/html;
index index.html;
ssl_certificate /var/www/domain2.net/ssl/cert.pub;
ssl_certificate_key /var/www/domain2.net/ssl/cert.key;
location / { try_files $uri $uri/ $uri.html =404; }
}
server {
listen 80;
server_name domain2.net www.domain2.net;
return 301 https://$server_name$request_uri;
}
The HTTP to HTTPS redirecting works as expected i.e. in a browsers http://domain1.com correctly redirects me to https://domain1.com, however only one of the domains are actually accessible (namely domain2.net).
What could be the cause of my problem?
Do I have to manually enable SNI somehow?
Note that when I set up both domains only through HTTP they both worked as expected.

Related

Nginx redirect http traffic to https

I have a domain which work only in our VPN network.
Recently we enabled the SSL on that and its working fine with https, but now i want to redirect all my http traffic also to https.
For this i added below block along with ssl block but still http request is not re-directing to https.
server {
listen 80;
server_name domain_name.com www.domain_name.com;
return 301 https://$domain_name$request_uri;
}
server {
server_name example.com;
access_log /var/log/nginx/example-access.log;
error_log /var/log/nginx/example-error.log;
root /var/www/html/web;
index index.html index.htm index.php;
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}
I tried with my domain_name,localhost with port number also, nothing works for me.

Change port for http to https -- Nginx

Sorry for limited understanding on Nginx, Iam new to Nginx.
I have a webapp running on React and Nginx. Recently I received the SSL certificates for my website. I tried to configure the website and it worked partially. The problem is when I tried to open "https://example.com", the SSL certificates are visible here but its showing nginx default home page. While when I open "http://example.com" it shows all the webcontent.
I attempted to:
change the port from 80 to 443
Reinstall nginx.
But nothing seems to work. Here is my nginx confs at the moment:
/etc/nginx/sites-available/example.org
server {
listen 443;
listen [::]:443;
ssl on;
ssl_certificate /etc/nginx/ssl/bundle.cer;
ssl_certificate_key /etc/nginx/ssl/example.key
root /var/www/html;
server_name example.org;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://example.org;
}
/etc/nginx/conf.d/www/example.org.conf
server {
listen 80 default_server;
server www.example.org;
location / {
root /usr/share/nginx/html;
index index.htm; index.html;
}
}
Note: I reload nginx at every new attempt.
Please help where am I going wrong.
Keeping just 1 file for config works for the above problem. I kept the "default" conf at "/etc/nginx/sites-available"

Your connection is not private (nginx, bluehost, google cloud and cloudflare)

I host a site in compute engine in google cloud with Nginx on Debian, I use a Bluehost domain and a Cloudflare SSL.
My site web sometimes works and sometimes not and show me this message: Your connection is not private.
what is the solution?
example.com file:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 302 https://$server_name$request_uri;
}
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
server_name example.com www.example.com;
root /var/www/example.com/html;
index index.html index.htm index.php;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
ssl_verify_client on;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
}
I think John H nailed it, seems you have a mixed content issue. You may end up having to edit as suggested, but I'd first recommend trying to enable "Automatic HTTPS Rewrites" on the Crypto tab. Other mixed content suggestions here, https://community.cloudflare.com/t/community-tip-fixing-mixed-content-errors/42476.
If you have more questions about Cloudflare, visit the Cloudflare Community, https://community.cloudflare.com/t/community-tip-welcome-stackoverflow-visitors/99529."

How to fix http redirects with Nginx?

I have a webpage where http redirects are a bit broken.
The current behavior is this:
www.example.com, example.com, http://www.example.com, http://example.com, https://www.example.com all gets redirected to https://www.example.com
and
https://example.com gets an error saying refused to connect.
I want the behavior to be like this:
example.com, http://example.com, https://example.com redirects to https://example.com
www.example.com, http://www.example.com, https://www.example.com redirects to https://www.example.com
Here is my Nginx config file
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location ~ /.well-known {
allow all;
}
location / {
try_files $uri $uri/ =404;
}
}
Reason is because I want these links to work
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
https://hstspreload.org/?domain=example.com
https://hstspreload.org/?domain=www.example.com
You have two independent issues:
Your requests all redirect to example.com, regardless of which specific domain is originally accessed.
This happens because the $server_name variable that you are using is effectively a static variable in a given server context, and has a very distant relationship to $http_host.
The correct way would be to use $host instead (which is basically $http_host with some edge-corner cleanups).
You're receiving connection issues when trying to contact https://example.com, but not https://www.example.com.
There is not enough information in your question to pinpoint the exact origin of this problem.
It can be a DNS issue (A/AAAA records of example.com set at an IP address where appropriate bindings to the https port aren't made).
It could be an issue with the mismatched certificate:
Does your certificate cover both example.com and www.example.com? If not, then you can't have both.
If you have separate certificates, you may also need to acquire separate IP addresses, or risk preventing a significant number of users from accessing your site due to lack of SNI.
As of note, it should also be pointed out that it is generally a sloppy practice to not have a unified notation on the way your site is accessed. Especially if SEO is of any concern to you, the best practice is to decide on whether you want to go with or without www, and stick to it.
You need something like this:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.example.com;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
add_header Strict-Transport-Security "max-age=300; includeSubdomains; preload";
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name example.com;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
add_header Strict-Transport-Security "max-age=300; includeSubdomains; preload";
location ~ /.well-known {
allow all;
}
location / {
try_files $uri $uri/ =404;
}
}
All your requests will be ultimately routed to https://example.com.
Your ssl certificate should also be valid for https://www.example.com which I note you have said it is.

NginX http redirection to https returns unreadable respone

I want to redirect all http requests to https with NginX, but I have some difficulties with it.
Here is my vhost file :
server {
gzip off;
listen 80;
listen [::]:80;
server_name mydomain.fr www.mydomain.fr sub.otherdom.fr otherdom.fr;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
server_name mydomain.fr www.mydomain.fr sub.otherdom.fr otherdom.fr;
ssl_certificate /root/tmp/live-ecdsa/mydomain.fr/0001_chain.pem;
ssl_certificate_key /root/tmp/live-ecdsa/mydomain.fr/privkey-p384.pem;
access_log /var/log/nginx/default.access.log;
charset utf-8;
location / {
try_files $uri $uri/ /index.html;
}
}
Trying to access these domain over plain http with different browsers results in the following :
Chrome/Firefox : downloading a file filled with bytes data
Edge : displays a blank page with €ÿÿÿÿ
A curl -I mydomain.fr outputs ▒▒
Accessing these domains directly over https works.
I have already tried with both return 301 https://$host$request_uri; and return 301 https://$server_name$request_uri;
I suspect it has something to do with the fairly large number of server names you are declaring in the one server name field inside a pretty locally scoped context. Although, if I'm honest thats a fairly unfounded assertion based on habits I've become user to.
I'd suggest a few things, although generally most of this wont fix your problem, it might make it easier to work out whats happening:
split your config into purposed files. Ie. Create a ssl.conf in another folder which contains all youe cert settings, cipher suites etc. Then add an include /path/to/ssl.conf in your config.
dont use $host, this variable can be set by the use so probably a less than great idea
Assuming you have all the other relevant ssl/tls settings referenced from somewhere else then the below should roughly work.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mydomain.fr;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /usr/share/nginx/html;
$server_name mydomain.fr
location / {
try_files $uri $uri/ /index.html;
}
}
Well, although user6788523 response helped me with the debugging, the fault was on my side.
I had several other vhost files with the http2 directive associated with the http port 80 (listen [::]:80 http2;). Removing the http2 directive resolved the problem.
This setting must be used only with ssl enabled server block

Resources