After a lot of tries, I succeeded in adding a proper SSL certificate from Namecheap
that secures my domain (on multiple ports).
I have some apps that run on NGINX. My droplet is on DigitalOcean.
So I have a few blocks with this configuration:
#this is the default 80 port
server {
#listen 80; # - will cause nginx complain on already in use.
listen 443;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/so-ev;
server_name my-domain.com;
#all those tries didn't help
# return 301 https://so-ev-qa.shop$request_uri;
#return 301 https://$server_name$request_uri;
#rewrite ^(.*) https://so-ev-qa.shop$1 permanent;
}
server {
listen 26;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/html;
server_name my-domain.com;
}
server {
listen 3000 ;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/html2;
server_name my-domain.com;
}
server {
listen 27;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
server_name my-domain.com;
index index.html index.htm;
access_log /var/log/nginx/bmiapp.log;
error_log /var/log/nginx/bmiapp-error.log error;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:26;
proxy_redirect off;
}
}
Currently the problem is that it's not redirecting from http to https.
While https://example.com is secured,
http://example.com isn't.
I am trying to do the simple redirecting action.
All my tries ended unsuccessfully.
If I try to add a block for listen 80, it complains about
All my other tries didn't work.
Help will be appreciated; I have spent a lot of hours on these SSL issues.
I found the problem.
There was an old client service that was running in the background.
We can use
sudo lsof -i:80
to get a clue.
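As an added example that is not part of this thread, the Python script below turns the two steps above (find out what already holds port 80, then confirm that the plain-HTTP side really answers with a redirect) into repeatable checks. The `ss -ltnp` output embedded in it is constructed; `find_listeners()` parses such output (the `ss` equivalent of the `lsof -i:80` hint), `check_redirect()` judges a captured status line and headers, and `probe()` fetches a live URL of your choosing and runs the same check.

```python
"""Added example (not from the thread): two text-based checks for the case above.

find_listeners() parses `ss -ltnp` output and reports which process owns a
port, so a stale service holding :80 is spotted before nginx is told to
listen there.
check_redirect() judges whether a plain-HTTP response is a correct
HTTP -> HTTPS redirect: a 3xx status with a Location that is https, on the
same host, with the same path.  probe() fetches a live URL and feeds it
through check_redirect().
"""
import http.client
import re
import sys
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of `ss -ltnp` output: a stray node process holds :80.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("node",pid=1337,fd=19))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=2100,fd=6),("nginx",pid=2099,fd=6))
LISTEN 0      128    127.0.0.1:3000      0.0.0.0:*         users:(("node",pid=1502,fd=20))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=2100,fd=7),("nginx",pid=2099,fd=7))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def find_listeners(ss_output: str, port: int) -> List[Tuple[str, str]]:
    """Return (local_address, owner) pairs for every socket listening on `port`."""
    hits = []
    for line in ss_output.splitlines()[1:]:      # first line is the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        local = cols[3]                           # e.g. "0.0.0.0:80" or "[::]:443"
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        m = PROCESS_RE.search(line)
        owner = f"{m.group(1)} (pid {m.group(2)})" if m else "unknown"
        hits.append((local, owner))
    return hits


def check_redirect(status: int, headers: Dict[str, str], host: str, path: str) -> Optional[str]:
    """Return None for a correct HTTP->HTTPS redirect, else a short reason why it is not.

    The expected shape is what `return 301 https://$host$request_uri;` produces:
    https scheme, same host, same path.  A deliberate canonicalisation to another
    host (e.g. adding www) is reported too, so pass the canonical host as `host`.
    """
    if status not in (301, 302, 307, 308):
        return f"expected a 3xx redirect, got {status}"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return f"Location is not https: {location}"
    if target.hostname != host:
        return f"Location points at a different host: {target.hostname}"
    if target.path != path:
        return f"Location changes the path: {target.path!r} instead of {path!r}"
    return None


def probe(host: str, path: str = "/", timeout: float = 5.0) -> Optional[str]:
    """Request http://host/path without following redirects and check the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(resp.status, dict(resp.getheaders()), host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline part: who holds :80 in the constructed sample?
    for local, owner in find_listeners(SS_SAMPLE, 80):
        print(f"port 80 is held by {owner} on {local}")
    # Live part (optional): python3 this_script.py my-domain.example
    if len(sys.argv) > 1:
        verdict = probe(sys.argv[1])
        print("redirect OK" if verdict is None else f"redirect problem: {verdict}")
```

Run it with a hostname as the only argument to test a live server; without arguments it only evaluates the embedded sample. A finding from `find_listeners()` on port 80 that names anything other than nginx is the situation described in the answer above.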
I've spent hours on multiple message boards and forums looking for this config pattern in NGINX. I want a subdomain to get redirected to port 8080 before the catch-all grabs everything else that comes into the domain, including all other subdomains, and points it at 443.
The 443 redirect already works perfectly. Any and all help would be appreciated, thank you.
I have adminer.server.app that I want to go to HTTP://adminer.server.app (it really goes to 8080 after NGINX does its thing).
Again, all other traffic is taken care of so far.
Here is a snippet of my conf file:
server {
listen 80;
listen [::]:80;
server_name server.app www.server.app;
location / {
return 301 https://$host$request_uri;
}
#for certbot challenges (renewal process)
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
#https://adminer.server.app
server {
listen 8080;
server_name adminer.server.app;
server_tokens off;
resolver 8.8.8.8;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#https://server.app
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name server.app;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/certs/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certs/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
return 301 https://www.server.app$request_uri;
}
I can bring the phpmyadmin up by using my IP:8080, so at the moment this isn't critical. I'm not going to expose it after I'm done configuring the MySQL anyway. Closing request for help.
Facing a unique type of issue hosting multiple ports (5000, 5001) on an Ubuntu server. I am using Nginx to configure two subdomains in the directory "/etc/nginx/sites-available" and I unlinked the default configuration. The main issue is that listening on port ":80" works fine for both subdomains, but when configured with the SSL cert file and listening on 443 it only points to port 5000 for both subdomains, not to port 5001. I will share my config file in case I have a config problem.
This is the setting for port 5001:
server {
listen 80;
server_name lenderapp.xxx.in;
return 301 https://lenderapp.xxx.in$request_uri;
# rewrite ^(.*) https://lenderapp.xxx.in$1 permanent;
}
server {
listen 443;
ssl on;
server_name www.lenderapp.xxx.in;
#root /home/dmin/OProjects/lender_demo;
error_log /var/log/nginx/error_lenderapp.log error;
access_log /var/log/nginx/lenderapp_access.log;
ssl_certificate /home/admin/OProjects/ssl_cert/lender_cert/ssl_cert.cert;
ssl_certificate_key /home/admin/OProjects/ssl_cert/lender_cert/ssl_cert_key.key;
location / {
proxy_pass http://0.0.0.0:5001;
root /home/admin/OProjects/lender_demo;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Now the 2nd setting, for port 5000:
server {
listen 80;
server_name bcadmin.xxx.in;
return 301 https://bcadmin.xxx.in$request_uri;
#rewrite ^(.*) https://bcadmin.xxx.in$1 permanent;
}
server {
listen 443 ssl http2;
server_name www.bcadmin.tradefi.in;
root /home/admin/OProjects/admin_console;
error_log /var/log/nginx/lenderapp.log error;
access_log /var/log/nginx/lenderapp_access.log;
ssl_certificate /home/admin/OProjects/ssl_cert/ssl_cert.cert;
ssl_certificate_key /home/admin/OProjects/ssl_cert/ssl_cert_key.key;
location / {
proxy_pass 'http://0.0.0.0:5000';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Please help me guys... I need help badly
I cannot see a real error in your config at first glance. But you are using 0.0.0.0 as the target IP; this IP is kind of "any IP". You should stick to 127.0.0.1 for local redirects. Also, ssl on is deprecated since 06/2018...
I would recommend splitting your config into several files to keep a better overview. It will make the config more readable and will really help you with daily routines (and enhancements).
For your config my approach would be the following. I am using this config for > 35 domains without problems on one of my servers. It will not just work, but also give you an A+ rating on SSLtest. This config adopts your log and cert file names, which in my opinion are not optimal ;)
Main Config
# This block redirect any :80 traffic to its https counterpart.
server {
listen 80 default_server;
listen [::]:80 default_server; # <-- ipv6
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # <-- ipv6
server_name www.lenderapp.xxx.in;
error_log /var/log/nginx/error_lenderapp.log error;
access_log /var/log/nginx/lenderapp_access.log;
include params/ssl;
ssl_certificate /home/admin/OProjects/ssl_cert/lender_cert/ssl_cert.cert;
ssl_certificate_key /home/admin/OProjects/ssl_cert/lender_cert/ssl_cert_key.key;
location / {
proxy_pass http://127.0.0.1:5001;
include params/proxy_full;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2; # <-- ipv6
server_name www.bcadmin.tradefi.in;
error_log /var/log/nginx/lenderapp.log error;
access_log /var/log/nginx/lenderapp_access.log;
include params/ssl;
ssl_certificate /home/admin/OProjects/ssl_cert/ssl_cert.cert;
ssl_certificate_key /home/admin/OProjects/ssl_cert/ssl_cert_key.key;
location / {
proxy_pass http://127.0.0.1:5000;
include params/proxy_full;
}
}
params/ssl (for my /etc/nginx/params/ssl)
Caution: You'll need a dhparam file inside params to make it work. Use openssl dhparam -out /etc/nginx/params/dhparam.pem 4096 to create one if it does not exist.
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_dhparam params/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
resolver_timeout 5s;
params/proxy_full (for my /etc/nginx/params/proxy_full)
add_header X-Upstream $upstream_addr;
proxy_http_version 1.1;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
I have the 2 Nginx config files (the domains are changed for privacy).
server {
listen 80;
listen 443 ssl http2;
server_name beta.mydomain.io;
ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass http://localhost:3001;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 80;
listen 443 ssl http2;
server_name mydomain.io, www.mydomain.io;
ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass http://127.0.0.1:3002;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
}
}
For some reason, navigating to mydomain.io takes you to the beta one; only www.mydomain.io takes you to the one on port 3002. I can't seem to find anyone else running into this issue.
I was just about to post this question then realised my mistake. I included a comma in between the domains which isn't correct syntax for the server_name directive. I hope it helps someone else. I removed it and restarted the nginx server. It's working perfectly now.
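The comma-in-server_name slip just described, and the `ssl on` / `0.0.0.0` points raised in the answer to the 5000/5001 question above, are all mechanical enough to catch before reloading nginx. As an added example that is not part of this thread, here is a small Python lint with its own minimal parser for the directive/block subset these posts use; the sample config embedded in it is constructed (hostnames invented) in the style of the configs above.

```python
"""Added example (not from the thread): a small lint for nginx server blocks.

It flags the mistakes discussed on this page: `ssl on;` (deprecated, use the
`ssl` parameter on `listen`), `listen 443;` without that parameter, proxy_pass
aimed at 0.0.0.0 instead of 127.0.0.1, and a comma inside `server_name`
(names are separated by spaces; a comma silently becomes part of a name).
The parser understands only the directive/block subset used in the posts
above; it is not a full nginx grammar (e.g. a `#` inside a quoted value is
treated as a comment).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")


@dataclass
class Block:
    name: str                                             # "server", "location /", ...
    directives: List[Tuple[str, str]] = field(default_factory=list)
    children: List["Block"] = field(default_factory=list)


def parse(text: str) -> Block:
    """Parse nginx-style config text into a tree of Blocks; the root is unnamed."""
    stripped = "\n".join(re.sub(r"#.*", "", ln) for ln in text.splitlines())
    root = Block("")
    stack = [root]
    words: List[str] = []
    for tok in TOKEN_RE.findall(stripped):
        if tok == "{":
            child = Block(" ".join(words))
            stack[-1].children.append(child)
            stack.append(child)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif tok == ";":
            if words:
                stack[-1].directives.append((words[0], " ".join(words[1:]).strip("'\"")))
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def lint(text: str) -> List[str]:
    """Return human-readable findings for the config text (empty list = clean)."""
    findings: List[str] = []

    def walk(block: Block, label: str) -> None:
        for name, value in block.directives:
            if name == "ssl" and value == "on":
                findings.append(f"{label}: 'ssl on;' is deprecated; use 'listen 443 ssl;'")
            elif name == "listen":
                parts = value.split()
                port = parts[0].rsplit(":", 1)[-1]     # handles "443", "*:443", "[::]:443"
                if port == "443" and "ssl" not in parts:
                    findings.append(f"{label}: 'listen {value};' lacks the ssl parameter")
            elif name == "server_name" and "," in value:
                findings.append(f"{label}: server_name contains a comma; separate names with spaces")
            elif name == "proxy_pass" and "//0.0.0.0" in value:
                findings.append(f"{label}: proxy_pass targets 0.0.0.0; use 127.0.0.1 for a local upstream")
        for child in block.children:
            child_label = label
            if child.name == "server":
                names = [v for n, v in child.directives if n == "server_name"]
                child_label = "server " + (names[0] if names else "<no server_name>")
            walk(child, child_label)

    walk(parse(text), "")
    return findings


# Constructed sample in the style of the configs posted above (hostnames invented).
SAMPLE = """
server {
    listen 443;
    ssl on;
    server_name www.lenderapp.example;
    location / {
        proxy_pass 'http://0.0.0.0:5001';
    }
}
server {
    listen 80;
    listen 443 ssl http2;
    server_name example.test, www.example.test;   # the comma is the bug
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Point `lint()` at the contents of a file from sites-available before running `nginx -t`; the syntax check will not report any of these four, since all of them are valid (or at least accepted) nginx syntax.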
Setup: Ubuntu 18.04 Nginx Apache Varnish PHP Server
Nginx handles the traffic in the first place.
I have two domains pointing to the same server.
The first domain works correctly; the second one only redirects to the first one.
What is wrong with my configs?
First config which works fine
(Here nginx works as a reverse proxy for Varnish and Apache.)
upstream varnish {
server 127.0.0.1:6081;
}
upstream apache {
server 127.0.0.1:8080;
}
server {
if ($host = domain1.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80 default_server;
server_name domain1.com;
include inc/acme-challenge.conf;
location / {
return 301 https://domain1.com$request_uri;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
#client_max_body_size 120M;
server_name domain1.com;
location /wp-content/uploads {
alias /var/www/website/wp-content/uploads;
include inc/gzip.conf;
include inc/browser-cache.conf;
}
error_page 502 /502.html;
location = /502.html {
alias /var/www/website/502.html;
}
location / {
proxy_pass http://varnish;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
location ^~ /phpmyadmin {
allow 45.77.141.32; #qundg
allow 87.191.170.222; #qundg
deny all;
proxy_pass http://varnish;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
}
And here is the second config (this one does not work).
The domain should only be managed by nginx, without the Apache or Varnish service.
server {
listen 80;
listen [::]:80;
server_name domain2.com *.domain2.com;
root /var/www/domain2.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain2.com *.domain2.com;
root /var/www/domain2.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Here is the default config:
server {
server_name _;
listen *:80 default_server deferred;
error_log /var/log/nginx/default_server_error.log;
return 444;
}
You're using a wildcard in the second DNS name; that should be something that's not recognized in your certificate.
To get a wildcard you could follow the instructions here https://medium.com/#saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7
I have a few cases in which I have more than one DNS name pointing to the same website, and for those I created different nginx configuration files and applied the certbot authentication for each. I noticed that using 3rd-level DNS names (something.mysyte.com) in the same config file brought certbot to override certificates when I had more than one.
In your specific case you have 2 DNS names in the second configuration and one has a wildcard. If you try to remove the DNS name with the wildcard and reinstall the certificates it should work. You can then set up a new block with each 3rd-level domain and get a certificate for each one, or follow the guide to get the wildcard certificate.
How do I get nginx to serve assets adjacent to index.html when using proxy_pass?
Context: I have a GitHub repository that serves up content using GitHub Pages. When serving from a repository, GHP requires a URL path that matches the repository name:
rightisleft.github.io/repo_name/
Currently index.html and all subdirectories are working as expected. Loading assets from (css/*, images/*) returns 200s.
However, assets like robots.txt and other files in the repository root return 404s.
Here's my domain .conf:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
location / {
proxy_set_header Host rightisleft.github.io;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://rightisleft.github.io/redacted/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name www.redacted.com redacted.com; # names are space-separated; a comma would become part of the name
include nginxconfig.io/letsencrypt.conf;
location / {
return 301 https://www.redacted.com$request_uri;
}
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
return 301 https://www.redacted.com$request_uri;
}
EDIT
Nginx is used for certificate management to tie together a few different micro services.
Try this, as it might work (if your css/assets are in the GitHub repo pages); you do not need to set up many redirects unless you have a lot of domains/subdomains. I have also added redacted.com to server_name:
server {
listen 80;       # http2 belongs on the TLS listeners only; on a plain port it expects h2c and breaks HTTP/1.1 clients
listen [::]:80;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name redacted.com www.redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://rightisleft.github.io/redacted$request_uri;
proxy_buffering off;
proxy_redirect default; #or off
proxy_intercept_errors on;
# allow GitHub to pass caching headers instead of using your own
expires off;
}
}
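Whether a file next to index.html resolves upstream depends on the URI nginx builds from `location`, `proxy_pass` and the request. As an added example that is not part of this thread, the Python helper below reproduces the documented proxy_pass rules (URI part present, URI part absent, variables) and tabulates what the question's form, the answer's `$request_uri` form and two other common variants send to the upstream for the same requests. The GitHub host and repository path are the ones from the question; the request list and the other variants are constructed. For `location /`, the question's form and the answer's form produce the same upstream path, so the mapping alone does not explain the 404; the one other visible difference between the two configs is the `Host` header sent to GitHub Pages (a fixed `rightisleft.github.io` in the question, `$host` in the answer).

```python
"""Added example (not from the thread): reproduce how nginx builds the upstream
URI from `location`, `proxy_pass` and the request, per the documented rules:

  * proxy_pass with a URI part (anything after the host, even a lone "/"):
    the part of the request URI matching the prefix location is replaced by
    that URI part; the query string is kept.
  * proxy_pass without a URI part: the request URI is forwarded unchanged.
  * proxy_pass containing variables ($request_uri, $uri): the directive is
    expanded and its URI part is sent literally, replacing the request URI.

Only prefix locations are modelled (no regex locations, no `rewrite`), and only
the two variables named above are expanded.
"""
from typing import Dict, List
from urllib.parse import urlsplit


def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """Return the URI nginx sends upstream for a request matched by prefix `location`."""
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{path!r} is not under location {location!r}")
    if "$" in proxy_pass:
        # Variable form: expand, then send the URI part of the result literally.
        expanded = proxy_pass.replace("$request_uri", request_uri).replace("$uri", path)
        parsed = urlsplit(expanded)
        if parsed.path == "":              # variables only in the host part: URI passes through
            return request_uri
        return parsed.path + ("?" + parsed.query if parsed.query else "")
    parsed = urlsplit(proxy_pass)
    if parsed.path == "":
        # No URI part: the client's URI goes through as sent.
        return request_uri
    # URI part present: swap the matched location prefix for it, keep the query.
    new_path = parsed.path + path[len(location):]
    return new_path + (sep + query if sep else "")


# Constructed request set; /robots.txt is the kind of root asset that 404s in the question.
REQUESTS = ["/", "/robots.txt", "/css/site.css?v=2"]

# (location, proxy_pass) per variant; the first two use the question's upstream.
VARIANTS = {
    "question: URI part with trailing slash": ("/", "https://rightisleft.github.io/redacted/"),
    "same, but no trailing slash":            ("/", "https://rightisleft.github.io/redacted"),
    "answer: $request_uri":                   ("/", "https://rightisleft.github.io/redacted$request_uri"),
    "local app, no URI part":                 ("/", "http://127.0.0.1:3001"),
}


def mapping_table() -> Dict[str, List[str]]:
    """Upstream URI for every request under every variant (what the demo prints)."""
    return {name: [upstream_uri(loc, pp, r) for r in REQUESTS] for name, (loc, pp) in VARIANTS.items()}


if __name__ == "__main__":
    for name, uris in mapping_table().items():
        print(name)
        for req, up in zip(REQUESTS, uris):
            print(f"  {req:22} -> {up}")
```

The "no trailing slash" row is the classic pitfall: `/robots.txt` becomes `/redactedrobots.txt`, because the whole matched prefix (`/`, including its slash) is replaced by the proxy_pass URI part. Neither form on this page has that problem, which is why the table points the investigation at the other headers rather than at the path.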