I'm doing a proxy server with NGINX to redirect all traffic from port 80 to port 443 and then all traffic from port 443 to an app in one of my servers. I managed to make it work but only redirecting to my main IP 192.168.1.201:8006. When I try to point to my app (192.168.1.201:8006/customerSite/)the page gives me the error TOO MANY REDIRECTS.
Here is my .conf:
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
This is my ssl.conf:
server {
listen 443;
listen [::]:443;
server_name mydomain.com;
ssl on;
ssl_certificate /.../certificate.crt;
ssl_certificate_key /.../clientsmydomain.key;
large_client_header_buffers 4 10k;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /.../certificate.crt;
location / {
proxy_set_header Host $host;
proxy_pass http://192.168.1.201:8060;
}
location /weights {
root /var/www/virtual/server;
try_files $URI $uri/ = 404;
}
}
Thank you all for your time.
Related
My simple nginx.conf:
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /_nginx_logs/access.log;
error_log /_nginx_logs/error.log;
gzip on;
server {
server_name www.example.pro;
listen 80;
listen 443 ssl;
return 301 https://example.pro$request_uri;
ssl_certificate "/etc/letsencrypt/live/www.example.pro/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/www.example.pro/privkey.pem";
}
server {
server_name example.pro
listen 80;
listen 443 ssl;
ssl_certificate "/etc/letsencrypt/live/example.pro/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.pro/privkey.pem";
location / {
proxy_pass http://localhost:3000;
}
location /api {
proxy_pass http://localhost:7500;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
server_name _;
listen 80 default_server;
location / {
root /projects/site-stub;
}
}
}
When I open my site as https://example.pro everything is ok.
When I open my site as http://example.pro, nginx answers from server block with server_name _.
Why? IP and port are the same, server_name value has exact word for Host header, but server_name example.pro not works for http://.
But it works good for https://!
I'm currently trying to redirect all access from http to https on a nginx serv in VirtualBox.
When using a test machine in VirtualBox, everything is working perfectly.
My issue is with port redirection on VirtualBox.
I want to be redirect directly from my host machine.
For the moment when I access https it's fine, but when I try to access the http, I'm redirected to the nginx serv address in Virtualbox.
My ssl conf is :
server {
listen 443 http2 ssl;
server_name _;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
root /var/www/html;
location {
proxy_pass http://loadbalancing;
try_files $uri $uri/ =404
}
server {
listen 80;
server_name _;
return 301 https://srv.dmz.lan
}
upstream loadbalancing {
server srv1;
server srv2;
}
}
Dmz is a NAT network under VirtualBox with those redirections:
I am using centos6 linux vps and i have installed nginx on my server. I have installed letsencrypt SSL certificate . But the thing is that when i go to my website www.mywebsite.com ,it shows SECURE but when i go to www.mywebsite.com/otherpages ,it shows Insecure and letsencrypt certificate invalid.
The configuration of "/etc/nginx/conf.d/default.conf"
server {
listen 80 default_server;
# listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
the configuration of /etc/nginx/sites-available/quiznou.com.conf
server {
listen 80 ;
server_name quiznou.com www.quiznou.com;
return 301 https://$server_name$request_uri;
}
server{
listen 443 ssl http2;
server_name quiznou.com www.quiznou.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/quiznou.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quiznou.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location ~ /.well-known {
allow all;
}
location /.well-known/acme-challenge/ {
root /var/www/quiznou.com;
}
}
this my own configuration files of NGINX as a revers_proxy: but I'm using configuration to proxy some docker. I modified directly the /etc/nginx/default.conf ,to proxy an apache web page I've created a VHost in nginx.
If it could help you.
server {
listen 80;
listen 443 ssl;
server_name some.name.com;
server_tokens off;
## Certificates
ssl_certificate /etc/letsencrypt/live/some.name.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/some.name.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/some.name.com/chain.pem;
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
location / {
proxy_pass http://IP_du_serveur:port;
}
## Protocol
ssl_protocols TLSv1.2;
## Diffie-Hellman
ssl_ecdh_curve secp384r1;
## Ciphers
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
## TLS parameters
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets off;
## HSTS
add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
}
So I am trying to achieve 4 things:
support both ip-v4 and ip-v6
support letsencrypt ssl certificates (the acme-challenge location in http)
redirect www to non www
redirect http to https
I have come up with a config, but it seems not to work. I get a "page does not exist" when trying to access http://www.MY_DOMAIN.COM.
Due to the hsts setting, this does work after having visited the https non-www version once.
Note that I have ssl certificates for both the with and without www domain.
How can I achieve this / what am I doing wrong in my config:
# HTTP server
#
server {
listen [::]:80;
server_name MY_DOMAIN.COM www.MY_DOMAIN.COM;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
return 301 https://MY_DOMAIN.COM$request_uri;
}
}
# HTTPS server
#
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.MY_DOMAIN.COM;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.MY_DOMAIN.COM/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
return 301 https://MY_DOMAIN.COM$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server ipv6only=on;
server_name MY_DOMAIN.COM;
ssl on;
ssl_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/MY_DOMAIN.COM/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
root /var/www/MY_DOMAIN.COM;
index index.html;
}
Also, I do not find the copy-paste nature of the two server blocks very nice.
As #RichardSmith notes; I was not listening to the ipv4 version of the http://www variant. Hence, the redict was not triggered at all.
After fixing this, the setup is working.
I have a website running on EC2 machine behind an Amazon ELB.
I have configured SSL on ELB hence its handling http as well as https for me.
All requests on https works perfectly. But I want to force(redirect) http requests to https. For some reason, it does not work
I have added redirect rule in nginx but whenever I enable that rule, the nginx server stops responding.
server {
listen 80;
server_name domain1.com;
gzip on;
gzip_proxied any;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
access_log /var/log/nginx/domain1.access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:4000/;
### Redirect http to https ####
if ($http_x_forwarded_proto != "https") {
rewrite ^(.*)$ https://$server_name$1 permanent;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
}
}
Here is the configuration of Load Balancer:
Please help me where I am going wrong with the configuration.
TIA.
Try the following:
server {
listen 80;
listen [::]:80;
server_name domain1.com;
return 301 https://$host$request_uri;
}
I propose this code. Teste on my VPS, but not Amazon ELB
server {
server_name example.com www.example.com;
listen 80;
return 301 https://example.com$request_uri;
}
server {
server_name example.com;
root /home/user/www/example/;
include global.conf;
include php.conf;
include ssl.conf;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
server{
server_name www.example.com;
include ssl.conf;
return 301 https://example.com$request_uri;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
}
File ssl.conf containt:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AES$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;