There is a VPS machine with nginx’om configured on which 10 sites are spinning structure
tester.example.com
api-one.tester.example.com
api-two.tester.example.com
api-3.tester.example.com
api-4.tester.example.com
api-5.tester.example.com
api-6.tester.example.com
central site spinning on a separate hosting
in nginx, I configured the default site tester.example.com to use ssl from the cloudflare service
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name tester.example.com www.tester.example.com;
return 302 https://$server_name$request_uri;
}
server {
# SSL configuration
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl on;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/private.pem;
ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
ssl_verify_client on;
server_name tester.example.com www.tester.example.com;
root /var/server/site/;
index index.html index.htm index.nginx-debian.html;
location / {
# try_files $uri $uri/ =404;
proxy_pass http://localhost:8880;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
without https - using regular ip: Port, opening passes through all services
how can I make api-one.tester.example.com config, etc. so that they also open via ssl?
I tried to change the port in the subdomain config (8443 which supports cloudflare), but does not give the desired result
.....
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
ssl on;
.....
You normally have to setup subdomains separately in Cloudflare DNS settings, unless you use *.wildcard, but I don't think they support that any more.
If you want Cloudflare to route all subdomains on https/ssl, there is an option on Cloudflare dashboard > Crypto > Always use HTTPS. In this case, your domains will redirect to https if they were accessed by plain http. This of course requires that your server is setup to support SSL for the domain (regardless of Cloudflare) OR that you are using "Flexible" under Crypto > SSL settings, which allows Cloudflare to serve your website to the client on https, although the data from your server to Cloudflare is served without SSL.
Related
I have my REST APIs configured to work over https using nginx( java APIs deployed in tomcat and nginx is configured for DNS mapping). Our testing team has managed to access the APIs using burp tool (I assume it allows them to access with SSL verification disabled) and they were able to alter the API response before the client receives it. My nginx server is configured to work on SSL with proxy forward setup for http to https. How can I block the API requests which has SSL verification disabled, so that I can stop them altering the response? Below is my nginx config.
upstream mlljava{
server 172.31.5.222:8090;
}
server {
listen 443 ssl;
server_name mllwebapi.xyz.in www.mllwebapi.xyz.in;
underscores_in_headers on;
client_max_body_size 10M;
ssl_protocols TLSv1.3;
ssl_certificate /home/ubuntu/175e9.crt;
ssl_certificate_key /home/ubuntu/key.key;
location / {
proxy_pass http://mlljava/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
proxy_pass_request_headers on;
}
}
Does adding this to server configuration helps?
# force https-redirects
if ($scheme = http) {
return 401 https://$server_name$request_uri;
Configure Nginx SSL + force HTTP to redirect to HTTPS + force www to non-www on Serverpilot free plan (Using Nginx configuration file only)
Nginx: force SSL on one path, non-SSL on others
Below is my current nginx config.
server {
listen 80 default_server;
server_name _;
return 307 https://$host$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name localhost;
# Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols below.
ssl_protocols TLSv1.2;
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
location / {
proxy_pass http://localhost:80; # TODO: replace port if app listens on port other than 80
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
All has been working well, but I recently added the first 'server' block hoping to redirect my url to https:// whenever a http:// version of the URL is visited, but I am getting an 'ERR_TOO_MANY_REDIRECTS' message when visiting the URL in the browser.
My application's port is on 80 within an Azure Container.
Any help would be appreciated!
Let's say I have my main domain on one server and one of the subdomains to another server.
both of these addresses are using Cloudflare DNS to different ip addresses, so:
example.com => ip1
new.example.com => ip2
Now I want to proxy_pass a certain path on example.com to new.example.com without changing the url, so:
example.com/something should show content of new.example.com/somethingElse
These are my nginx config files, the problem is if I point example.com/something to google.com or even an ngrok server that I hosted for test, everything works just fine, but when I point it to new.example.com/something it gives me 502 error, so my guess is there's something wrong with my new.example.com config.
example.com Config:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/key.pem;
server_name example.com www.example.com;
resolver 8.8.8.8;
location = /something {
proxy_set_header X-Forwarded-Host new.example.com;
proxy_set_header Host new.example.com;
proxy_pass https://new.example.com/somethingElse;
}
}
new.example.com Config:
server {
listen 443;
server_name www.new.example.com new.example.com;
ssl_certificate /etc/ssl/private/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
location / {
proxy_pass http://container-name:80;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Please test the connectivity between the servers. Login into example.com server and send CURL request to the new.example.com service.
Looks like example.com server is not able to reach new.example.com server.
Please check nginx service logs.
Another option to achieve your requirements is cloudflare worker service.
I'm new to all of this.
I'm going to put you in context. I bought a domain miweb.pe and an instance in aws. Currently my domain redirects to my aws instance because I have registered the dns servers of my amazon instance in myweb.pe.
I bought an ssl certificate and am trying to install it on my amazon instance, where I also installed nginx. I am unable to make any request to myweb.pe redirect to the aws instance that currently has a nodejs service active under port 3000.
this is my current configuration. What am I doing wrong?
server {
listen 443;
server_name myweb.pe;
ssl on;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/beekey.key;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 80;
server_name www.myweb.pe;
return 301 https://myweb.pe$request_uri;
}
# Redirige de https://www.tudominio.com a https://tudominio.com
server {
listen 443;
server_name www.miweb.pe;
return 301 $scheme://myweb.pe$request_uri;
}
in summary, I want that when accessing myweb.pe it actually accesses thelocalhost: 3000 which is running on my amazon instance.
So, what is the issue you are facing, I can see one issue in your nginx rule for servername you need to type domain name and not localhost. The other thing is I am assuming your service on port 3000 should already be running.
NOTE: example.com is just that. Per the rules of stackoverflow, I'm not using an actual domain.
I've been trying to get it so my nginx server for a single site always uses https.
I have the certificate installed and if I view the site with:
https://www.example.com it works fine.
But by default it goes to http and shows the site as insecure.
Here is the config:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /var/www/nodeapp;
index index.html index.htm;
server_name www.example.com example.com;
location / {
proxy_pass https://[IP address here]:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I esentially want everything to point to https://www.example.com
Because your site has both of http and https. (80 port and 443 port).
To activate the only https you have to remove the config for http.
Please remove listen 80 and use listen 443 instead.
If you want to redirect all traffics to https,
you could add redirection config as following.
server{
if ($host = your_domain) {
return 301 https://$host$request_uri;
}
server_name your_domain;
listen 80;
return 404;
}
I've assumed that your config has ssl part in your main config.
For example,
listen 443 ssl;
ssl_certificate /etc/***/fullchain.pem;
ssl_certificate_key /etc/**/privkey.pem; # managed by Certbot
ssl_dhparam /etc/**/ssl-dhparams.pem; # managed by Certbot