SSL_do_handshake() failed - nginx

Hello, I deployed a Node backend with an Angular app to a DigitalOcean droplet, managed SSL with Certbot, and used nginx as a reverse proxy. Everything seemed to work fine, but then I noticed a bug: sometimes I am able to log in fine, but other times the entire app returns a 404 error from both the backend and the frontend app.
I added an error_log to inspect the problem, and I see:
[crit] 15895#15895: *623 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 167.99.214.63, server: 0.0.0.0:443
I tried searching for solutions online, but nothing seems to be clear about why I am having these issues. Please, I need help and suggestions on how I can solve this; I would really appreciate it, thanks.
When I view the errors from the frontend app:
15895#15895: *327 client 185.180.143.138 closed keepalive connection
Please, I need help.
Here is my config.default file:
upstream backend {
    server localhost:3000;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # listen [::]:443 ssl default_server;
    server_name admin.vhfpremiuminvestment.com www.admin.vhfpremiuminvestment.com;

    location / {
        # alias /usr/share/nginx/html;
        root /var/www/admin.vhfpremiuminvestment.com/accion;
        try_files $uri $uri/ /index.html;
        index index.html index.htm;
        access_log /var/log/nginx/frontend.access.log main;
        error_log /var/log/nginx/frontend.error.log debug;
    }

    location /api/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        access_log /var/log/nginx/backend.access.log main;
        error_log /var/log/nginx/backend.error.log debug;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    ssl_certificate /etc/letsencrypt/live/admin.vhfpremiuminvestment.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.vhfpremiuminvestment.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
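As an added triage aid (not part of the question or its answers), the Python below parses nginx error_log lines of the two shapes quoted above, separates the [crit] SSL_do_handshake() failures from the routine "closed keepalive connection" notices, and counts the handshake failures per client IP and per OpenSSL reason. That split is what a defender wants first: handshake failures are logged per failed client, so grouping them by source shows whether one host is responsible rather than your own server's configuration. The sample log is constructed here; its timestamps and the third IP are invented, the other two lines are the ones from the question.

```python
import re
from collections import Counter

# nginx error_log line: "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>".
# The date/time and [level] prefixes are optional because the lines quoted
# in the question were pasted without them.
LINE_RE = re.compile(
    r"^(?:\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )?"
    r"(?:\[(?P<level>\w+)\] )?"
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<msg>.*)$"
)
# "client: 1.2.3.4," in error messages, "client 1.2.3.4 closed" in keepalive notices
CLIENT_RE = re.compile(r"\bclient:? (?P<ip>[0-9a-fA-F.:]+)")
# OpenSSL detail as nginx prints it: error:<code>:SSL routines:<function>:<reason>)
SSL_ERR_RE = re.compile(r"SSL: error:[0-9A-Fa-f]+:SSL routines:(?P<func>\w+):(?P<reason>[^)]+)\)")


def parse_line(line):
    """Return a dict describing one error_log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    client = CLIENT_RE.search(msg)
    ssl = SSL_ERR_RE.search(msg)
    if "SSL_do_handshake() failed" in msg:
        kind = "handshake_failure"
    elif "closed keepalive connection" in msg:
        kind = "keepalive_close"
    else:
        kind = "other"
    return {"level": m.group("level"), "conn": int(m.group("conn")), "kind": kind,
            "client": client.group("ip") if client else None,
            "ssl_reason": f"{ssl.group('func')}:{ssl.group('reason')}" if ssl else None}


def triage(lines):
    """Count handshake failures per client and per OpenSSL reason; count keepalive closes."""
    by_client, by_reason, keepalive = Counter(), Counter(), 0
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "handshake_failure":
            by_client[ev["client"]] += 1
            by_reason[ev["ssl_reason"]] += 1
        elif ev["kind"] == "keepalive_close":
            keepalive += 1
    return {"handshake_failures_by_client": dict(by_client),
            "handshake_failures_by_reason": dict(by_reason),
            "keepalive_closes": keepalive}


# Constructed sample: timestamps and 203.0.113.7 are invented; the rest is from the question.
SAMPLE_LOG = """\
2021/03/10 09:12:01 [crit] 15895#15895: *623 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 167.99.214.63, server: 0.0.0.0:443
2021/03/10 09:12:05 [crit] 15895#15895: *630 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 167.99.214.63, server: 0.0.0.0:443
2021/03/10 09:12:09 [info] 15895#15895: *327 client 185.180.143.138 closed keepalive connection
2021/03/10 09:12:44 [info] 15895#15895: *640 client 203.0.113.7 closed keepalive connection
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Feed it a real file with `triage(open("/var/log/nginx/error.log"))` to see whether the bad key share failures cluster on a few sources; they are a separate question from the intermittent 404s, which the TLS log does not explain.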

Related

How to disable redirection of http to https (Nginx, CertBot)

I'm trying not to redirect HTTP to HTTPS.
I tried to research this but found nothing.
BTW, I ran both of these commands to make a new file instead of using the default file in sites-enabled:
sudo touch /etc/nginx/sites-available/imallbd
sudo nano /etc/nginx/sites-available/imallbd
then:
sudo ln -s /etc/nginx/sites-available/imallbd /etc/nginx/sites-enabled/imallbd
This is my sites-enabled file:
server {
    server_name imallbd.com;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    index index.html index.htm index.php;
    charset utf-8;

    # For API
    location /api {
        alias /var/www/imallbd/api/public;
        try_files $uri $uri/ @api;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
    location @api {
        rewrite /api/(.*)$ /api/index.php?/$1 last;
    }

    # For FrontEnd -> GraphQL
    location / {
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /admin {
        proxy_pass http://localhost:3000/admin;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/imallbd.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/imallbd.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = imallbd.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name imallbd.com;
    return 404; # managed by Certbot
}
Please help! BTW, when I go to my website it gives me 502 Bad Gateway. I know that's not the question I'm asking, but if you can give me some tips or the answer I would be so grateful :)
When I run:
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you want more details or information, I can give it; just tell me in the comments!
THANKS IN ADVANCE!
First of all, why do you want to remove the HTTPS redirect?
Either way, you can remove this part:
if ($host = imallbd.com) {
    return 301 https://$host$request_uri;
} # managed by Certbot
This will remove the http -> https redirect.
Also, if you make any changes in nginx you need to restart the service.
Assuming you are using a Linux-based OS, run:
systemctl restart nginx
The problem with your nginx 502 error has to do with PHP.
The PHP process is not running, has crashed, or nginx cannot communicate with it.
What kind of PHP installation do you have? php-fpm? If that's the case, run
systemctl restart php-fpm
If not, let me know in the comments (not enough rep to say this in the comments).

GeoServer on a subpath behind NGINX proxy

I have an Ubuntu 20.04 LTS server with NGINX, WordPress and GeoServer (deployed on Tomcat) installed.
I would like to have the WordPress site available on the URL root foo.bar.com/ and the GeoServer available on the subpath foo.bar.com/geoserver. The WordPress site is working and shows up on foo.bar.com/, but the GeoServer isn't working correctly on foo.bar.com/geoserver, see screenshot below.
I have the following NGINX configuration:
server {
    server_name foo.bar.com;
    root /var/www/site;
    index index.html index.htm index.php;

    location /geoserver/ {
        proxy_pass http://localhost:8080/geoserver/;
        proxy_pass_header Set-Cookie;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }

    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate ***; # managed by Certbot
    ssl_certificate_key ***; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = foo.bar.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name foo.bar.com;
    return 404; # managed by Certbot
}
I set the proxy base URL in the GeoServer global settings and configured CSRF protection according to this document.
Am I still missing some configuration in NGINX?

Nginx - Primary script unknown while reading response header from upstream

Recently we migrated from Apache2 to Nginx. Consider that we have the domain www.test.com; the following is www.test.com.conf, and I have disabled the Nginx default file.
server {
    server_name www.test.com;

    # Character Set
    charset utf-8;

    # Logs
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Directory Indexes
    index index.html index.htm index.php;

    # Document Root
    root /var/www/html/project1/public;

    # Location
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Error Pages
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # PHP-FPM Support
    location ~ \.php$ {
        fastcgi_read_timeout 240;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #/var/run/php5-fpm.sock;
        #include fastcgi.conf;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Block access to .htaccess
    location ~ \.htaccess {
        deny all;
    }

    client_body_timeout 10s;
    client_header_timeout 10s;
    client_max_body_size 100M;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen *:80;
    server_name www.test.com;
    return 404; # managed by Certbot
}
With the above configuration, I can access https://www.test.com without issues. In this case root is /var/www/html/project1/public. Now, to access multiple applications from the same domain, I changed the root directive to /var/www/html/ and tried to access https://www.test.com/project1/public, but I'm getting the following error:
FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream
May I know the reason for this issue? My application is Lumen, which is a micro-service framework by Laravel.
By changing the following blocks it is working for me:
from root /var/www/html/project1/public; to root /var/www/html;
And we need to add multiple location blocks based on the requirement. Consider that I want to access two Lumen/Laravel applications from a single domain; then I need to add two location blocks as
location /project1/public {
    try_files $uri $uri/ /project1/public/index.php$is_args$args;
}
location /project2/public {
    try_files $uri $uri/ /project2/public/index.php$is_args$args;
}
Credits go to Richard Smith.

nginx redirect to wrong website

I have configured two Node apps running behind nginx.
nginx is used as a reverse proxy; one domain redirects to the wrong app on its default URL.
app1: port 3000
domains http://www.site1.com and https://www.site1.com
app2: port 3001
domain http://www.site2.com
http://www.site1.com and https://www.site1.com work fine and serve app1,
but when http://www.site2.com is requested it redirects to https://www.site2.com and serves app1,
and when http://www.site2.com/someurl is requested it serves app2.
Here is the nginx config.
site1 conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.site1.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.site.com;
    ssl on;
    ssl_certificate /certificate.crt;
    ssl_certificate_key /psa.rsa;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_cookie_path / "/; HTTPOnly; Secure";
    }
}
site2 conf:
server {
    listen 80;
    server_name www.site2.com;

    location / {
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
default conf:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    #listen 80 default_server;
    #listen [::]:80 default_server;

    # SSL configuration
    #
    #listen 443 ssl default_server;
    #listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#    listen 80;
#    listen [::]:80;
#
#    server_name example.com;
#
#    root /var/www/example.com;
#    index index.html;
#
#    location / {
#        try_files $uri $uri/ =404;
#    }
#}
You only have one HTTPS server conf, and it proxies all requests to app1 (port 3000); it will not serve app2 on HTTPS for you.
Proxy to app2 or app1 conditionally by checking the requested Host header, e.g.:
server {
    listen 443 ssl;
    ...
    location / {
        if ($host = 'www.site1.com') {
            proxy_pass http://localhost:3000;
        }
        if ($host = 'www.site2.com') {
            proxy_pass http://localhost:3001;
        }
    }
}

Setting Up Uberjar with Nginx on Digital Ocean VPS

I used the instructions on the following link:
"Hosting Clojure Web Apps in 7 Easy Steps"
I know the uberjar works because I tested it both on my dev machine and on the VPS.
It's just that Nginx doesn't seem to be able to find it.
I suspect that it has something to do with this site code:
# Web sockets
location /chsk {
    proxy_pass http://backend/chsk;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
...but I don't know how to correct it. Thanks for the help!
One other thing: in the "upstream backend" in the site file I tried both 127.0.0.1:3000 and 0.0.0.0:3000 with no success.
Here's the default site config:
server {
    # Replace this port with the right one for your requirements
    listen [::]:80 ipv6only=off;

    # Multiple hostnames separated by spaces. Replace these as well.
    server_name clmitchell.net www.clmitchell.net main.clmitchell.net
                books.clmitchell.net dna.clmitchell.net help.clmitchell.net
                history.clmitchell.net svcs.clmitchell.net;
    server_name_in_redirect off;

    root /data/nginx/www/$host;

    error_page 401 /error/401.shtml;
    error_page 402 /error/402.shtml;
    error_page 403 /error/403.shtml;
    error_page 404 /error/404.shtml;
    error_page 500 501 502 503 504 /error/500.shtml;
    location ^~ /error/ {
        internal;
        root /data/nginx/www/www.clmitchell.net;
    }

    access_log /var/log/nginx/$host-access.log;
    error_log /var/log/nginx/error.log;

    index index.php index.html index.htm default.html default.htm;

    # Support Clean (aka Search Engine Friendly) URLs
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # serve static files directly
    location ~* \.(jpg|jpeg|gif|css|png|js|ico)$ {
        access_log off;
        expires max;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ \.scm$ {
        include fastcgi_params;
        fastcgi_intercept_errors on;
        # By all means use a different server for the fcgi processes if you need to
        fastcgi_pass 127.0.0.1:9981;
    }

    location ~ /\.ht {
        deny all;
    }
}
I removed history.clmitchell.net from the list of server names.
Here's the current history site config:
upstream backend {
    server 104.131.29.212:3000 fail_timeout=0;
}

server {
    listen [::]:80 ipv6only=off;
    server_name localhost history.clmitchell.net;

    access_log /var/log/hist_access.log;
    error_log /var/log/hist_error.log;

    root /var//resources/public;

    # Web sockets
    location /chsk {
        proxy_pass http://backend/chsk;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Static assets
    location / {
        try_files $uri @backend;
    }

    # The backend server
    location @backend {
        proxy_pass http://backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
There was a duplicate "listen" directive in the history site config, which I removed, but for some reason I'm still getting the error:
sudo nginx -t
nginx: [emerg] duplicate listen options for [::]:80 in /etc/nginx/sites-enabled/hist:6
nginx: configuration file /etc/nginx/nginx.conf test failed
Please try
proxy_pass http://backend;
And make sure you can access http://127.0.0.1:3000/chsk if your upstream is defined as below:
upstream backend {
    server 127.0.0.1:3000;
}
Or, if we have only one backend server, we can just use proxy_pass without an upstream backend defined, e.g.
proxy_pass http://127.0.0.1:3000;
I learned a new lesson today: no two sites on an Nginx web server can have the same listen port!
I moved the new site to a new port and updated all the links. PROBLEM SOLVED!