I have these 2 Nginx config files (the domains are changed for privacy).
server {
    listen 80;
    listen 443 ssl http2;
    server_name beta.mydomain.io;
    ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass http://localhost:3001;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
server {
    listen 80;
    listen 443 ssl http2;
    server_name mydomain.io, www.mydomain.io;
    ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass http://127.0.0.1:3002;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
For some reason navigating to mydomain.io takes you to the beta one; only www.mydomain.io takes you to the one on port 3002. I can't seem to find anyone else running into this issue.
I was just about to post this question, then realised my mistake. I included a comma between the domains, which isn't correct syntax for the server_name directive. I hope it helps someone else. I removed it and restarted the nginx server. It's working perfectly now.
After a lot of tries, I succeeded in adding a proper SSL certificate from Namecheap that will secure my domain (with multiple ports).
I have some apps that run on NGINX. My droplet is on DigitalOcean.
So I have a few blocks with this configuration:
#this is the default 80 port
server {
    #listen 80; # - will cause nginx complain on already in use.
    listen 443;
    ssl on;
    ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
    ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
    root /var/www/my-domain.com/so-ev;
    server_name my-domain.com;
    #all those tries didn't help
    # return 301 https://so-ev-qa.shop$request_uri;
    #return 301 https://$server_name$request_uri;
    #rewrite ^(.*) https://so-ev-qa.shop$1 permanent;
}
server {
    listen 26;
    ssl on;
    ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
    ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
    root /var/www/my-domain.com/html;
    server_name my-domain.com;
}
server {
    listen 3000;
    ssl on;
    ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
    ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
    root /var/www/my-domain.com/html2;
    server_name my-domain.com;
}
server {
    listen 27;
    ssl on;
    ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
    ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
    server_name my-domain.com;
    index index.html index.htm;
    access_log /var/log/nginx/bmiapp.log;
    error_log /var/log/nginx/bmiapp-error.log error;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:26;
        proxy_redirect off;
    }
}
Currently the problem is that it's not redirecting from http to https.
While https://example.com is secured,
http://example.com isn't.
I am trying to do the simple redirect action.
All my tries ended unsuccessfully.
If I try to add a block for listen 80, it complains about
All my other tries didn't work.
Help will be appreciated; I have spent a lot of hours on these SSL issues.
I found the problem.
There was an old client service that was running in the background.
We can use
sudo lsof -i:80
to get a clue.
I have got 2 different URLs that are correctly redirected by proxy_pass.
However, as soon as I add the default_server (first server below), my 2 URLs are not redirected anymore. They fall into the catch-all.
Why is that? I don't understand what is wrong in the default configuration. Thanks for your help!
# default server for this IP
server {
    listen xx.xx.xx.xx:8443 default_server;
    server_name _;
    return 404;
}
server {
    listen xx.xx.xx.xx:8443;
    server_name *.staging1.yyyy.com staging1.yyyy.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/yyyy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yyyy.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:6981;
        proxy_set_header Host $host;
    }
}
server {
    listen xx.xx.xx.xx:8443;
    server_name *.staging2.yyyy.com .staging2.yyyy.com
    ssl on;
    ssl_certificate /etc/letsencrypt/live/yyyy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yyyy.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:6982;
        proxy_set_header Host $host;
    }
}
Setup: Ubuntu 18.04, Nginx, Apache, Varnish, PHP server
Nginx handles the traffic in the first place.
I have two domains pointing to the same server.
The first domain works correctly; the second one only redirects to the first one.
What is wrong with my configs?
First config, which works fine
(Here nginx works as a reverse proxy for Varnish and Apache.)
upstream varnish {
    server 127.0.0.1:6081;
}
upstream apache {
    server 127.0.0.1:8080;
}
server {
    if ($host = domain1.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 default_server;
    server_name domain1.com;
    include inc/acme-challenge.conf;
    location / {
        return 301 https://domain1.com$request_uri;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2;
    #client_max_body_size 120M;
    server_name domain1.com;
    location /wp-content/uploads {
        alias /var/www/website/wp-content/uploads;
        include inc/gzip.conf;
        include inc/browser-cache.conf;
    }
    error_page 502 /502.html;
    location = /502.html {
        alias /var/www/website/502.html;
    }
    location / {
        proxy_pass http://varnish;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    location ^~ /phpmyadmin {
        allow 45.77.141.32; #qundg
        allow 87.191.170.222; #qundg
        deny all;
        proxy_pass http://varnish;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
}
And here is the second config (this one does not work).
The domain should only be served by nginx, without the Apache or Varnish service.
server {
    listen 80;
    listen [::]:80;
    server_name domain2.com *.domain2.com;
    root /var/www/domain2.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain2.com *.domain2.com;
    root /var/www/domain2.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
Here is the default config
server {
    server_name _;
    listen *:80 default_server deferred;
    error_log /var/log/nginx/default_server_error.log;
    return 444;
}
You're using a wildcard in the second DNS name; that should be something that's not recognized by your certificate.
To get a wildcard you could follow the instructions here: https://medium.com/#saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7
I have a few cases in which I have more than 1 DNS name pointing to the same website, and for those I created different nginx configuration files and applied the certbot authentication to each. I noticed that using 3rd-level DNS names (something.mysyte.com) in the same config file brought certbot to override certificates when I had more than 1.
In your specific case you have 2 DNS names in the second configuration and one has a wildcard. If you try to remove the DNS name with the wildcard and reinstall the certificates, it should work. You can then set up a new block for each 3rd-level domain and get a certificate for each one, or follow the guide to get the wildcard certificate.
Here's my nginx.conf:
upstream blah_upstream {
    server web:7000;
}
server {
    listen 80;
    server_name blah.com www.blah.com;
    # redirect to HTTPS for all requests
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name blah_upstream;
    server_tokens off;
    # generated with help of certbot
    ssl_certificate /etc/letsencrypt/live/blah.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blah.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://blah_upstream;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /static/ {
        alias /usr/src/app/public/;
    }
}
This works for http://www.blah.com -> https://www.blah.com (it redirects fine).
However http://blah.com -> https://blah_upstream, which of course absolutely doesn't work.
What am I doing wrong? I don't understand why it would work for the www version and not the other.
I tried switching the server_name order in
server_name blah.com www.blah.com;
but that didn't work either.
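As an added check (example code written for this page, not from any of the posts above), a small Python linter over a constructed nginx fragment that flags the mistakes seen across these posts: the comma inside server_name from the first question (which nginx loads without complaint, as that post shows), a directive missing its terminating ';', a server_name that cannot be a hostname (such as the upstream name in the config just above), and the deprecated 'ssl on' directive. The hostname rule and the sample config are this example's own assumptions.

```python
import re
# RFC 1123 hostname label; nginx also allows a leading "*." or "." wildcard.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _valid_server_name(name):
    """True for the "_" catch-all or a plausible nginx server_name."""
    if name == "_":
        return True
    core = name[2:] if name.startswith("*.") else name.lstrip(".")
    return all(_LABEL.match(label) for label in core.split("."))

def lint_nginx(text):
    """Return (line_no, message) findings for the pitfalls discussed in the
    posts: comma in server_name, non-hostname name, missing ';', 'ssl on'."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.endswith("{") or line == "}":
            continue  # blank lines and block delimiters are not directives
        if not line.endswith(";"):
            findings.append((no, "directive is missing the terminating ';'"))
        parts = line.rstrip(";").split() or [""]
        if parts[0] == "server_name":
            for name in parts[1:]:
                if "," in name:
                    findings.append((no, f"server_name '{name}' contains a comma"))
                elif not _valid_server_name(name):
                    findings.append((no, f"server_name '{name}' is not a valid hostname"))
        elif parts[:2] == ["ssl", "on"]:
            findings.append((no, "'ssl on' is deprecated; use 'listen ... ssl' instead"))
    return findings

# Constructed sample that reproduces the mistakes from the posts above.
SAMPLE_CONF = """\
server {
    server_name mydomain.io, www.mydomain.io;
    ssl on;
}
server {
    server_name *.staging2.yyyy.com .staging2.yyyy.com
}
server {
    server_name blah_upstream;
}
"""

if __name__ == "__main__":
    for no, msg in lint_nginx(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

Run it against the output of `nginx -T` to lint the configuration nginx actually loaded rather than a single file.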
I have an Nginx server with HTTP (port 80) and HTTPS (443). But it is behind a router, and the port forwarding is 17014 for HTTP and 17004 for HTTPS. Redirection from HTTP to HTTPS works well, but I have problems with requests for HTTPS. For example, I should see my application when I go to the address "https://domain:17004", but I can see it only when I go to "https://domain:port/panel_admin/login". How do I write a correct rewrite rule or something? Here is my current configuration:
server {
    listen 80;
    listen [::]:80;
    rewrite ^ https://strona:port_1$request_uri? permanent;
}
server {
    listen 443 ssl;
    ssl_certificate /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/cert/ssl.cert;
    ssl_certificate_key /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/cert/ssl.key;
    location / {
        proxy_pass http://localhost:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /static {
        alias /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/static/;
    }
}
I solved the problem. The correct configuration looks like:
server {
    listen 80;
    listen [::]:80;
    rewrite ^ https://strona:port_https$request_uri? permanent;
}
server {
    listen 443 ssl;
    ssl_certificate /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/cert/ssl.cert;
    ssl_certificate_key /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/cert/ssl.key;
    location / {
        proxy_pass http://localhost:4000;
        proxy_set_header Host $host:port_http;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /static {
        alias /var/projekt/release_candidate/tags/0.4.1/trunk/zlight/webapp/static/;
    }
}
So no rewrite. :)