LetsEncrypt SSL for my React and NodeJS app not working - nginx

I have followed some tutorials that teaches to implement ssl but most of them are not working for some reason, http works fine tho, don't know what I'm missing
This is my default config, It looks like I have something wrong on my default config because I can create an httpServer in my backend.
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/metroville/{{domain}}/build;
index index.html index.htm index.nginx-debian.html;
server_name {{domain}};
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
try_files $uri /index.html;
}
location /api/ {
proxy_pass http://localhost:5000;
}
}

Related

Setup a nginx reverse proxy for keycloak

I installed keycloak following this guide
I can access it using http://pu.bl.ic.ip:8082
Now, I put it behind nginx with the following conf:
server {
if ($host = keycloak.mydomain.com) {
return 301 https://$host:$request_uri;
}
listen 80;
listen [::]:80;
server_name keycloak.mydomain.com;
return 404;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/keycloak.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/keycloak.mydomain.com/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
server_name keycloak.mydomain.com;
access_log /var/log/nginx/keycloak-access.log;
error_log /var/log/nginx/keycloak-error.log;
location / {
proxy_pass http://127.0.0.1:8082;
}
}
I can access it at https://keycloak.mydomain.com
The problem is the the link on the webpage use 127.0.0.1:8082 as baseurl. How do I use keycloak.mydomain.com instead ?
You have to play with proxy=edge setting and some environement variables (which may differs between v18 and v19. Check examples there: https://github.com/keycloak/keycloak/issues/14452
Or search the issues lists with these environement variable until you find the right combination
KC_HOSTNAME_STRICT
KC_HOSTNAME
KC_HOSTNAME_PORT
KC_HTTP_RELATIVE_PATH
KC_HOSTNAME_URL
KC_HOSTNAME_ADMIN_URL
KC_PROXY

NGINX + CentOS 8 mydomain.com shows NGINX welcome page whereas mydomain.com/index.html shows website index page

I'm trying to configure NGINX on CentOS 8 (with SSL). I believe I have configured it properly, but I can't get rid of the NGINX welcome page. I've tried a lot of things, even deleted the entire /usr/share/nginx/html directory, but I still get NGINX welcome on example.com, whereas example.com/index.html gives me the index page of my website. In fact I have noticed that the http to https and non-www to www redirections I have implemented below don't work on example.com, but do work on example.com/index.html. The root of my website is /var/www/example.com/html. The configure file which is given below is called example.com.conf and located at /etc/nginx/conf.d/.
server {
root /var/www/example.com/html;
index index.html index.htm;
server_name example.com www.example.com;
location / {
try_files $uri $uri/ =404;
}
access_log /var/log/nginx/example.com.access.log;
error_log /var/log/nginx/example.com.error.log;
listen [::]:443 ssl ipv6only=on default_server; # managed by Certbot
listen 443 ssl default_server; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Redirect non-SSL to SSL
server {
listen 80;
listen [::]:80;
server_name .example.com;
return 301 https://$host$request_uri;
}
# Redirect non-www to www
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name example.com;
return 301 https://www.example.com$request_uri;
}
So it appears that you need to edit the global configuration file using sudo nano /etc/nginx/nginx.conf and comment out "default_server" in the listen statements. Alternatively deleting the whole server block in the global conf file also works, as long as you keep the include statement which reads the example.com.conf file.
include /etc/nginx/conf.d/*.conf;
server {
listen 80; # default_server;
listen [::]:80; # default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}

Nginx https wildcard subdomains to https www

I want to redirect https://*.example.com to https://www.example.com (* being any subdomain).
My Nginx configuration (unrelated lines removed):
server {
server_name www.example.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/vpsuser/example/example;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen 443 http2 ssl; # managed by Certbot
listen [::]:443 http2 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name example.com *.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
return 301 https://www.example.com$request_uri;
}
When I go to https://s.example.com no redirection happens and browser displays "this connections isn't secure". My code for same logic for http works without any problem.
And when I enter https://example.com it redirects to https://www.example.com successfully.
I tried return 404 to see if it is really done by the same code block and I got 404 page. So, why it redirects https://example.com but not https://*.example.com? How can I solve it?
I am using Django. Just saying if there can be any relation.

How to prevent redirects on nginx when domain in host header does not match domain in request url?

I have nginx running on my home server at keepsecret.ddns.net. When I request e.g. keepsecret.ddns.net/foo/ it returns to me keepsecret.ddns.net/foo/index.html. So far, so good.
Now I am trying to treat my home server as an upstream server. In front of that upstream server is a remote proxy server at www.mydomain.com. When I request e.g. www.mydomain.com/foo/index.html, it is returned to me no problem. However, when I request www.mydomain.com/foo/, nginx first issues a 301 redirect so that I then get sent to keepsecret.ddns.net/foo/, revealing my home IP Address :(
I have no idea why nginx behaves this way. My only guess is that it has something to do with the fact that the domain in the request host header does not match the domain in the request url.
Questions in summary:
Why does nginx do this?
How can I prevent nginx performing this redirect so that I always remain on www.mydomain.com?
Here is the salient part of my config for reference:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name keepsecret.ddns.net www.mydomain.com;
location / {
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/keepsecret.ddns.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/keepsecret.ddns.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = keepsecret.ddns.net) {
return 301 https://$host$request_uri;
}
if ($host = www.mydomain.com) {
return 301 https://$host$request_uri;
}
listen 80 ;
listen [::]:80 ;
server_name keepsecret.ddns.net www.mydomain.com;
return 404; # managed by Certbot
}
NGINX will be doing an internal redirect to the index.html file in all cases, but it seems to get externalised when the server_name does not match the primary server_name. I suspect that changing the server_name order so that your public (proxied) name is first may get rid of that behaviour.
The alternative would be to focus on the reverse proxy, and take a look at proxy_redirect to make the reverse-proxy rewrite location headers for you.
See: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

Nginx HTTPS only works after page is refreshed

I have set up letsencrypt for https and it works fine when there is no www. For some reason I can only get 'example.com' to work fine with https (ie. redirect to https://example.com) but when I go to 'www.example.com' it doesn't go straight to https, only after I refresh the page it does so. Heres my nginx default conf:
server {
listen 80;
server_name www.example.com example.com;
return 301 https://$host$request_uri;
}
server {
# listen 80 default_server;
# listen [::]:80 default_server;
listen 443 ssl;
server_name example.com www.example.com;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
I've tried all sorts of redirects in the conf but none of them seem to be working. So the https seems to be working but only after a page refresh. Any help would be appreciated, thanks.
I have noticed you have use two entries for server name.
I want to know what was the purpose.
Please try this configuration.
server {
listen 80;
server_name www.example.com example.com;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443;
server_name example.com www.example.com;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_session_cache shared:SSL:2m;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
I have no idea why this worked and other answers didn't which seemed to do the exact same thing. I changed the top server block to this. Might be useful as I couldn't find an answer to this particular problem.
server {
listen 80;
listen [::]:80;
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}

Resources