Can't redirect Http to Https nginx - nginx

I've set up a server that runs with nginx as a reverse proxy for an Express app. I want the server to run on https, but when I access it via http, it doesn't redirect to https. Here is my config:
server {
    listen 80;
    server_name *.site.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    server_name *.site.com;
    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
    access_log /var/log/nginx/access.log;
    location / {
        proxy_pass http://57.52.110.112:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}
I can't find out why this isn't redirecting me to https. How can I make it work? Thanks.

Related

Nginx listening on various ports

I have a small issue. I configured various server blocks with the listen directive like below,
but I can access toto1.com on port 444 and toto2.com on port 443. I would prefer if that was not possible. Is the listen directive not only for the server block?
server {
    listen 443 ssl http2;
    server_name toto1.com;
    include /etc/nginx/snippets/ssl.conf;
    location /
    {
        proxy_read_timeout 900;
        proxy_pass_header Server;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://x.x.x.x;
    }
}
server {
    listen 444 ssl http2;
    server_name toto2.com;
    include /etc/nginx/snippets/ssl.conf;
    location /
    {
        proxy_read_timeout 900;
        proxy_pass_header Server;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://x.x.x.x;
    }
}
Thanks
I found my answer here:
https://www.computerworld.com/article/2987967/why-your-nginx-server-is-responding-with-content-from-the-wrong-site.html
You need to create a server config like that and place it at the beginning:
server {
    include /etc/nginx/snippets/ssl.conf;
    server_name titi.com;
    listen 444;
    listen 443;
    return 404 ;
    access_log /var/log/nginx/default.access.log main;
    error_log /var/log/nginx/default.error.log;
}
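Why the catch-all block in the answer above works, as an added example that is not part of the original thread: a simplified Python model of how nginx picks a server block (regex names and SNI are left out). The `Server` class, `select_server` and the labels are hypothetical names; the ports and server names are taken from the configs in the thread.

```python
from dataclasses import dataclass

@dataclass
class Server:
    label: str             # what this block serves (for display only)
    ports: tuple           # ports from its listen directives
    names: tuple           # server_name values
    default: bool = False  # listen ... default_server

def select_server(servers, port, host):
    """Return the label of the block nginx would use for Host `host` on `port`."""
    host = host.lower()
    # 1. listen only narrows the candidates to blocks bound to that port.
    candidates = [s for s in servers if port in s.ports]
    if not candidates:
        return None  # nothing listens on that port
    # 2. Best server_name match: exact, then longest "*.x", then longest "x.*".
    ranked = []
    for s in candidates:
        for n in s.names:
            if n == host:
                ranked.append((3, 0, s))
            elif n.startswith("*.") and host.endswith(n[1:]):
                ranked.append((2, len(n), s))
            elif n.endswith(".*") and host.startswith(n[:-1]):
                ranked.append((1, len(n), s))
    if ranked:
        return max(ranked, key=lambda r: r[:2])[2].label
    # 3. No name matched: the default for that port answers, i.e. the block
    #    flagged default_server, otherwise the first one defined for the port.
    return next((s for s in candidates if s.default), candidates[0]).label

# Constructed from the configs in the thread.
QUESTION = [
    Server("toto1 proxy", (443,), ("toto1.com",)),
    Server("toto2 proxy", (444,), ("toto2.com",)),
]
CATCH_ALL = Server("catch-all 404", (444, 443), ("titi.com",))
ANSWER = [CATCH_ALL] + QUESTION  # catch-all placed first, as the answer says

if __name__ == "__main__":
    for cfg_name, cfg in (("question", QUESTION), ("answer", ANSWER)):
        for port, host in ((443, "toto1.com"), (444, "toto1.com"), (443, "toto2.com")):
            print(cfg_name, port, host, "->", select_server(cfg, port, host))
```

With the question's config, the only block on port 444 is also that port's default, so any Host reaches the toto2 proxy; with the catch-all defined first, unmatched names get the 404 instead.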

How to have multiple domains on 1 digital ocean droplet sharing self cert ssl cert

I have created a cert like this:
Following steps from:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Using my domain example:
Common Name (e.g. server FQDN or YOUR name): www.examplesite1.com
Within the article it says I can have only 1 default server, which I assume the self cert will work on.
Let's say I have 2 websites on my nginx like this:
/etc/nginx/sites-available/examplesite1.com
/etc/nginx/sites-available/examplesite2.com
Both with config that looks like this: (with examplesite2.com for 2nd example.)
Notice, I am forwarding to a proxy server - node.js in my case.
server {
    listen 80;
    server_name examplesite1.com www.examplesite1.com;
    return 301 https://$server_name$request_uri;
    client_max_body_size 10G;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8000;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}
server {
    # SSL configuration
    server_name www.examplesite1.com www.www.examplesite1.com;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
}
Symlinks appropriately set:
ln -s /etc/nginx/sites-available/examplesite1.com /etc/nginx/sites-enabled/examplesite1.com
ln -s /etc/nginx/sites-available/examplesite2.com /etc/nginx/sites-enabled/examplesite2.com
If I change 'default_server' to my url, it breaks the nginx config
listen 443 ssl http2 www.examplesite1.com;
Error
nginx: [emerg] invalid parameter "www.examplesite1.com" in /etc/nginx/sites-enabled/examplesite1.com:18
nginx: configuration file /etc/nginx/nginx.conf test failed
The problem is if I keep default_server like this it then does not forward proxy to my nginx server and goes to my default server, which is my nginx index.html landing page which is not desired.
I realised my mistake
This code was never reached in the first server block so needed to go into the listen:443 server block:
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8000;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}
The reference to default_server did not break it but I have removed it anyway.
Updated now:
server {
    listen 80;
    server_name examplesite1.com www.examplesite1.com;
    # redirect to https
    return 301 https://$server_name$request_uri;
}
server {
    # SSL configuration
    server_name examplesite1.com www.examplesite1.com;
    # remove redirect and replace with proxy stuff here...
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8000;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Keycloak Admin Console behind Nginx configured to use HTTPS

I'm trying to set up Keycloak, however the tutorials expect me to visit http://localhost:8080, but I'm setting it up on a remote host and need to access the admin console externally. I've tried to expose it via Nginx. Keycloak Administration Console seems to work with the new domain name and port seamlessly, but it still tries to use the "http" urls instead of the "https" ones (I've the Nginx configured to redirect HTTP to HTTPS and I want to keep it that way for security reasons). I have found the problem is that it internally sets a variable:
var authServerUrl = 'http://example.com/auth';
While the correct url would be https://example.com/auth.
As a result, when I open https://example.com/auth/admin/master/console/ in the browser, I get the error:
Refused to frame 'http://example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".
How to fix that? The Nginx config I use is:
server {
    server_name example.com;
    listen 80;
    listen [::]:80;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
ssl_session_cache shared:ssl_session_cache:10m;
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # ... <SSL and Gzip config goes here> ...
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 16m;
    }
}
You are doing SSL offloading in the nginx, but you need to forward information that https schema was used also to the Keycloak (X-Forwarded-Proto header). Try this:
server {
    server_name example.com;
    listen 80;
    listen [::]:80;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
ssl_session_cache shared:ssl_session_cache:10m;
server {
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # ... <SSL and Gzip config goes here> ...
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 16m;
    }
}
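What the missing header changes on the backend side, as an added example that is not part of the original thread and is not Keycloak's code: a small Python model of an application rebuilding its public URL behind a TLS-terminating proxy. `public_base_url`, `auth_server_url` and `TRUSTED_PROXIES` are hypothetical names, and the request headers are constructed from the two nginx configs above.

```python
# Assumption: the app only sees nginx as its direct peer, over loopback,
# as in "proxy_pass http://127.0.0.1:8080".
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

def public_base_url(peer_ip, headers, local_scheme="http"):
    """Rebuild the externally visible scheme://host for one proxied request."""
    h = {k.lower(): v for k, v in headers.items()}
    # Without forwarded headers the app only knows its own plain-HTTP listener.
    scheme, host = local_scheme, h.get("host", "")
    # Forwarded headers are client-controllable unless the proxy overwrites
    # them, so honour them only when the direct peer is the proxy itself.
    if peer_ip in TRUSTED_PROXIES:
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
        host = h.get("x-forwarded-host", host)
    return f"{scheme}://{host}"

def auth_server_url(peer_ip, headers):
    """The value the admin console would embed as its auth server URL."""
    return public_base_url(peer_ip, headers) + "/auth"

# Constructed requests, as the backend would receive them.
ORIGINAL_CONFIG = {"Host": "example.com", "X-Forwarded-For": "203.0.113.7"}
FIXED_CONFIG = dict(ORIGINAL_CONFIG, **{
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "example.com",
})
# Same header sent by a client that reaches the app without going through nginx.
DIRECT_CLIENT = {"Host": "example.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(auth_server_url("127.0.0.1", ORIGINAL_CONFIG))
    print(auth_server_url("127.0.0.1", FIXED_CONFIG))
    print(auth_server_url("198.51.100.9", DIRECT_CLIENT))
```

The third case is why the backend port should stay bound to loopback or be firewalled: a forwarded header is only meaningful when it can only have come from the proxy.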

Nginx redirect forum.example.com to example.com

In Amazon Route 53, for example.com and forum.example.com, I have A records with the IP address of my server.
Nginx config:
server {
    server_name example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name example.com;
    client_max_body_size 50M;
    # RSA
    ssl_certificate /etc/letsencrypt/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/example.com/private.key;
    # ECDSA
    ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/example.com_ecc/private.key;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /ads.txt {
        root /var/www/nodebb/public/;
    }
    location /loaderio-a92c8d2496979eca3c119f44e27ee2f6.txt {
        root /var/www/nodebb/public/;
    }
}
How can I redirect forum.example.com to example.com, so that the URL in the browser will be example.com?
I tried to add
server {
    listen 443;
    server_name forum.example.com;
    return 301 https://example.com$request_uri;
}
but then nothing works ;) probably port blocked or smth.
Ok I see,
I saw error logs from nginx and realized that I am missing certs for this redirection.

nginx dynamic proxy_pass with variable location

I want to set up a dynamic proxy pass.
If I enter, for example, https://sub.mydomain.com/33544, then I want the proxy to pass to
https://10.10.10.10/33544.
So the only thing that changes is the $request_uri.
So how must I configure the location block so that it will redirect with the correct $request_uri, in my example 33544, to https://10.10.10.10/33544, or if I type in 34778, then to https://10.10.10.10/34778?
https://sub.mydomain.com/33544 -> https://10.10.10.10/33544
https://sub.mydomain.com/34778 -> https://10.10.10.10/34778
server {
    # Setup HTTPS certificates
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/sub.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.mydomain.com/privkey.pem;
    location / {
        proxy_pass https://10.10.10.10:8001/$request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
    }
}
