Nginx - Default server catches all - why?

I have got 2 different URLs that are correctly redirected by Proxy_Pass.
However as soon as I add the default_server (first server below), my 2 URLs are not redirected anymore. They fall into the catch all.
Why is that? I don't understand what is wrong in the default configuration. Thanks for your help!
# default server for this IP
server{
listen xx.xx.xx.xx:8443 default_server;
server_name _;
return 404;
}
server{
listen xx.xx.xx.xx:8443;
server_name *.staging1.yyyy.com staging1.yyyy.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/yyyy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yyyy.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:6981;
proxy_set_header Host $host;
}
}
server{
listen xx.xx.xx.xx:8443;
server_name *.staging2.yyyy.com .staging2.yyyy.com
ssl on;
ssl_certificate /etc/letsencrypt/live/yyyy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yyyy.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:6982;
proxy_set_header Host $host;
}
}

Related

Redirect HTTP to HTTPS nginx with SSL

After a lot of tries, I succeeded in adding proper SSL from Namecheap,
which will secure my domain (with multiple ports).
I have some apps that run on NGINX. My droplet is on Digital Ocean.
So I have a few blocks with this configuration:
#this is the default 80 port
server {
#listen 80; # - will cause nginx complain on already in use.
listen 443;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/so-ev;
server_name my-domain.com;
#all those tries didn't help
# return 301 https://so-ev-qa.shop$request_uri;
#return 301 https://$server_name$request_uri;
#rewrite ^(.*) https://so-ev-qa.shop$1 permanent;
}
server {
listen 26;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/html;
server_name my-domain.com;
}
server {
listen 3000 ;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
root /var/www/my-domain.com/html2;
server_name my-domain.com;
}
server {
listen 27;
ssl on;
ssl_certificate /my/folder/forssl/my-domain_com_chain.crt;
ssl_certificate_key /home/projects/ssl-files/my-domain.com.key;
server_name my-domain.com;
index index.html index.htm;
access_log /var/log/nginx/bmiapp.log;
error_log /var/log/nginx/bmiapp-error.log error;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:26;
proxy_redirect off;
}
}
Currently the problem is that it's not redirecting from http to https.
While https://example.com is secured,
http://example.com isn't.
I am trying to do the simple redirecting action.
All my tries ended unsuccessfully.
If I try to add a block for listen 80, it complains about
All my other tries didn't work.
Help will be appreciated, I have spent a lot of hours on these SSL issues.
I found the problem.
There was an old client service running in the background.
We can use
sudo lsof -i:80
to get a clue.

Nginx sending traffic to wrong port

I have the 2 Nginx config files (the domains are changed for privacy).
server {
listen 80;
listen 443 ssl http2;
server_name beta.mydomain.io;
ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass http://localhost:3001;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 80;
listen 443 ssl http2;
server_name mydomain.io, www.mydomain.io;
ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location / {
proxy_pass http://127.0.0.1:3002;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
}
}
For some reason navigating to mydomain.io takes you to the beta one, only www.mydomain.io takes you to the one on port 3002. I can't seem to find anyone else running into this issue.
I was just about to post this question then realised my mistake. I included a comma in between the domains which isn't correct syntax for the server_name directive. I hope it helps someone else. I removed it and restarted the nginx server. It's working perfectly now.
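The self-answer above comes down to how nginx splits `server_name` on whitespace and then falls back to the default server when no name matches. The Python sketch below is an added example, not part of the original post; it models only exact and wildcard names (no regex names), and the reduced config strings and function names are constructed for illustration.

```python
import re

# Constructed sample: the question's two server blocks, reduced to the
# directives that decide server selection (index 0 = beta, 1 = main site).
BROKEN = """
server { listen 443 ssl http2; server_name beta.mydomain.io; }
server { listen 443 ssl http2; server_name mydomain.io, www.mydomain.io; }
"""
FIXED = BROKEN.replace("mydomain.io, www", "mydomain.io www")

def parse_servers(conf):
    """Split flat server blocks into {directive: [args]}; args are whitespace-separated."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        directives = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                directives.setdefault(words[0], []).extend(words[1:])
        servers.append(directives)
    return servers

def name_rank(pattern, host):
    """0 = exact, 1 = leading wildcard, 2 = trailing wildcard, None = no match."""
    if pattern.startswith("."):  # ".example.com" covers example.com and *.example.com
        return 1 if host == pattern[1:] or host.endswith(pattern) else None
    if pattern.startswith("*."):
        return 1 if host.endswith(pattern[1:]) else None
    if pattern.endswith(".*"):
        return 2 if host.startswith(pattern[:-1]) else None
    return 0 if host == pattern else None

def select_server(servers, host, port="443"):
    """Index of the block that would handle `host`, or None if nothing listens on `port`."""
    host = host.lower()
    candidates = [(i, s) for i, s in enumerate(servers) if port in s.get("listen", [])]
    best = None
    for i, s in candidates:
        for pat in s.get("server_name", []):
            rank = name_rank(pat.lower(), host)
            if rank is not None and (best is None or (rank, -len(pat)) < best[0]):
                best = ((rank, -len(pat)), i)
    if best:
        return best[1]
    # No name matched: explicit default_server, else the first block on that port.
    for i, s in candidates:
        if "default_server" in s["listen"]:
            return i
    return candidates[0][0] if candidates else None

def suspicious_names(servers):
    """server_name tokens containing a comma, which nginx keeps as part of the name."""
    return [n for s in servers for n in s.get("server_name", []) if "," in n]
```

With the comma in place the literal name is `mydomain.io,`, so a request for `mydomain.io` matches nothing and lands on the first block for that port, which is the beta site.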

nginx config does not get second domain on same server correctly

Setup: Ubuntu 18.04 Nginx Apache Varnish PHP Server
Nginx handles the traffic in the first place.
I have two domains pointing to the same server.
The first domain works correctly, the second one only redirects to the first one.
What is wrong with my configs?
First config, which works fine
(Here nginx works as a reverse proxy for Varnish and Apache.)
upstream varnish {
server 127.0.0.1:6081;
}
upstream apache {
server 127.0.0.1:8080;
}
server {
if ($host = domain1.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80 default_server;
server_name domain1.com;
include inc/acme-challenge.conf;
location / {
return 301 https://domain1.com$request_uri;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
#client_max_body_size 120M;
server_name domain1.com;
location /wp-content/uploads {
alias /var/www/website/wp-content/uploads;
include inc/gzip.conf;
include inc/browser-cache.conf;
}
error_page 502 /502.html;
location = /502.html {
alias /var/www/website/502.html;
}
location / {
proxy_pass http://varnish;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
location ^~ /phpmyadmin {
allow 45.77.141.32; #qundg
allow 87.191.170.222; #qundg
deny all;
proxy_pass http://varnish;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; # managed by Certbot
}
And here is the second config (this one does not work)
The domain should only be managed by nginx, without the Apache or Varnish service.
server {
listen 80;
listen [::]:80;
server_name domain2.com *.domain2.com;
root /var/www/domain2.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain2.com *.domain2.com;
root /var/www/domain2.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Here is the default config
server {
server_name _;
listen *:80 default_server deferred;
error_log /var/log/nginx/default_server_error.log;
return 444;
}
You're using a wildcard in the second DNS name, that should be something that's not recognized in your certificate.
To get a wildcard you could follow instruction here https://medium.com/#saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7
I have a few cases in which I have more than 1 DNS name pointing to the same website, and for those I created different nginx configuration files and applied the certbot authentication for each. I noticed that using 3rd level DNS names (something.mysyte.com) in the same config file brought certbot to override certificates when I had more than 1.
In your specific case you have 2 dns name in the second configuration and one has a wildcard. If you try to remove the dns with the wildcard and reinstall certificates it should work. You can then setup a new block with each 3rd level domain and get certificate for each one, or follow the guide to get the wildcard certificate.

Can't redirect nginx HTTP traffic to HTTPS

here's my nginx.conf:
upstream blah_upstream {
server web:7000;
}
server {
listen 80;
server_name blah.com www.blah.com;
# redirect to HTTPS for all requests
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name blah_upstream;
server_tokens off;
# generated with help of certbot
ssl_certificate /etc/letsencrypt/live/blah.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blah.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://blah_upstream;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /static/ {
alias /usr/src/app/public/;
}
}
This works for http://www.blah.com -> https://www.blah.com (it redirects fine).
However, http://blah.com -> https://blah_upstream, which of course absolutely doesn't work.
What am I doing wrong? I don't understand why it would work for the www version and not the other.
I tried switching the server_name order in
server_name blah.com www.blah.com;
but that didn't work either.

How do i get nginx to serve assets adjacent to index.html when using proxy_pass?

Context: I have a github repository that serves up content using github pages. When serving from a repository, GHP requires a url path that matches the repository name
rightisleft.github.io/repo_name/
Currently index.html and all subdirectories are working as expected. Loading assets from (css/*, images/*) return 200s.
However, assets like robots.txt and other files in the repository root return 404s.
Here's my domain .conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
location / {
proxy_set_header Host rightisleft.github.io;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://rightisleft.github.io/redacted/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name www.redacted.com,redacted.com;
include nginxconfig.io/letsencrypt.conf;
location / {
return 301 https://www.redacted.com$request_uri;
}
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
return 301 https://www.redacted.com$request_uri;
}
EDIT
Nginx is used for certificate management to tie together a few different micro services.
Try this as it might work (if your css/assets are in github repo pages) and you do not need to setup many redirect unless you have a lot of domains/subdomains and I have also set redacted.com to server_name:
server {
listen 80 http2;
listen [::]:80 http2;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name redacted.com www.redacted.com;
# SSL
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://rightisleft.github.io/redacted$request_uri;
proxy_buffering off;
proxy_redirect default; #or off
proxy_intercept_errors on;
# allow GitHub to pass caching headers instead of using your own
expires off;
}
}
