I want to allow traffic only from 10.10.10.94.
If I browse:
http://IP/api:5006 (from any machine other than the allowed one), I get access denied, and it works as it should.
http://IP:5007 I get the web page (although no data is shown in the web page; the page should show some graphs from the allowed host only).
PROBLEM:
For the /api location access works fine, it's allowed only from the allowed IP, but for / there are no restrictions; it can be accessed from any IP.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    client_max_body_size 16M;
    return 301 https://$host$request_uri;
}

server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name example.com;
    client_max_body_size 16M;
    ssl_certificate /etc/ssl/certs/star.pem;
    ssl_certificate_key /etc/ssl/private/star.key;

    location / {
        allow 10.10.10.94;
        deny 10.10.0.0/16;   # only this /16 is denied; any other source address is implicitly allowed
        proxy_pass http://127.0.0.1:5007/;
    }

    location /api/ {
        allow 10.10.10.94;
        deny 10.10.0.0/16;
        proxy_pass http://127.0.0.1:5006/;
    }
}
Try these locations:

location / {
    allow 10.10.10.94/32;
    deny all;            # first match wins, so everything except the /32 above is refused
    proxy_pass http://127.0.0.1:5007/;
}

location /api/ {
    allow 10.10.10.94/32;
    deny all;
    proxy_pass http://127.0.0.1:5006/;
}
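As an added illustration (not code from the question or the answer), the following Python snippet models how nginx's access module evaluates allow/deny directives: rules are checked top to bottom, the first matching rule decides, and a request that matches no rule is allowed. The rule lists are the ones from the question and the answer; the client addresses are constructed for the example.

```python
import ipaddress


def build_rules(lines):
    """Parse 'allow <cidr|ip|all>;' / 'deny ...;' lines, preserving their order.
    nginx walks the rules top to bottom and stops at the first match."""
    rules = []
    for line in lines:
        action, target = line.strip().rstrip(";").split()
        if action not in ("allow", "deny"):
            raise ValueError("unknown directive: " + action)
        # None stands for 'all'; a bare address becomes a /32 (or /128) network
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(client_ip, rules):
    """True if the client passes. The first matching rule decides; no match means
    allowed, which is the implicit default of ngx_http_access_module."""
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (ip.version == network.version and ip in network):
            return action == "allow"
    return True


def evaluate(rules, clients):
    """Map each client address to its allow/deny outcome for one rule list."""
    return {client: is_allowed(client, rules) for client in clients}


# Constructed inputs: the question's directives and the answer's replacement
ORIGINAL = build_rules(["allow 10.10.10.94;", "deny 10.10.0.0/16;"])
FIXED = build_rules(["allow 10.10.10.94/32;", "deny all;"])

# Constructed client addresses: the allowed host, a neighbour inside the denied /16,
# and two hosts outside that range
CLIENTS = ["10.10.10.94", "10.10.20.7", "192.168.1.5", "203.0.113.9"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, evaluate(rules, CLIENTS))
```

Running it shows that the question's directives only shut out 10.10.0.0/16, so 192.168.1.5 and 203.0.113.9 still pass, while `deny all` closes that gap. One caveat for anyone putting a proxy or CDN in front of nginx: the address checked is `$remote_addr`, so behind a proxy every request arrives from the proxy's own address and an allow list like this matches nothing useful until the real_ip module is configured to recover the client address.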
Related
I'm trying to establish an SSL connection, and I'm getting a "400 No required SSL certificate was sent" response from the server.
I used this tutorial for it.
I tried everything to solve this issue, but it seems that there is something wrong with the Cloudflare certificate, because when I disable ssl_verify_client it is working (with a security alert).
Here is my nginx configuration:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    ssl_client_certificate /etc/ssl/cloudflare.crt;   # CA used to verify the client certificate
    ssl_verify_client on;                             # reject handshakes without a valid client cert
    server_name example.com www.example.com;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /home/username/www/exampleproject;
    }

    location /media/ {
        root /home/username/www/exampleproject;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/username/www/exampleproject/exampleproject.sock;
    }
}
I have an Nginx setup whereby I included a file with whitelisted IPs that can access my site's admin portal admin.site.com. Usually all users are redirected to site.com if the response is 403 or 404, i.e. if their IP is not in the whitelist. Here is what I have:
server {
    # listen on port 80 (http)
    listen 80;
    server_name admin.site.com;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/.well-known/acme-challenge/;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}

server {
    # listen on port 443 (https)
    listen 443 http2 ssl;
    server_name admin.site.com;
    root /var/www/admin.site.com/site-frontend/;
    index index.html;

    location / {
        include /etc/nginx/snippets/whitelist.conf;
        # the redirect target must be an absolute URL; a bare host name is sent as a relative Location
        error_page 403 404 =301 https://site.com;
    }

    # location of SSL certificate
    ssl_certificate /etc/some/path/admin.site.com/fullchain.pem;
    ssl_certificate_key /etc/some/path/admin.site.com/privkey.pem;
    ...
    ...
    ...
How do I allow unfiltered traffic to certain endpoints, e.g. site.com/api/no-filters, for all traffic?
I need to use two different SSL certs with nginx pointing to the same app.
https://domain1.com points to 1.1.1.1
https://domain2.com points to 1.1.1.1
.
.
.
.
https://domainN.com points to 1.1.1.1
Tried the following:
server {
    listen 80;
    server_name domain1.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domain1.com;
    root /app/dist;
    index index.html;
    ssl_certificate /etc/nginx/ssl/d1/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/d1/private.key;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 80;
    server_name domain2.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domain2.com;
    root /app/dist;
    index index.html;
    ssl_certificate /etc/nginx/ssl/d2/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/d2/private.key;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
This doesn't work; it just loads the first cert, resulting in an invalid cert when accessed using the second domain.
The domain certs can't be combined.
I can't spin up two different instances of nginx, as the case needs to help me out with n domains pointing to the same IP, preferably using one nginx server.
Is there a way out?
Thanks to Richard Smith for pointing out just the right stuff!
So, to set up nginx to use a different cert-key pair for domains pointing to the same nginx, we have to rely on TLS SNI (Server Name Indication), where the domain name is sent as unencrypted text as part of the handshake. This helps nginx decide which cert-key pair to use for the incoming secure request.
More can be read about SNI here.
Moving on to the configuration.
server {
    listen 80;
    server_name domain1.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name domain1.com;
    root /app/dist;
    index index.html;
    ssl_certificate /etc/nginx/ssl/d1/certificate.crt;       # presented when the SNI name is domain1.com
    ssl_certificate_key /etc/nginx/ssl/d1/private.key;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 80;
    server_name domain2.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name domain2.com;
    root /app/dist;
    index index.html;
    ssl_certificate /etc/nginx/ssl/d2/certificate.crt;       # presented when the SNI name is domain2.com
    ssl_certificate_key /etc/nginx/ssl/d2/private.key;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
The above config forwards HTTP (80) for both domain1 and domain2 to respective HTTPS (443) server blocks, where respective cert-key pairs are loaded.
The HTTPS (443) request is handled directly.
nginx decides which block to hit by picking the server name using SNI.
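To make the SNI step concrete, here is an added Python example (not code from the answer or from nginx) that builds a minimal TLS 1.2 ClientHello carrying a server_name extension, parses the host name back out of the raw bytes, and maps it onto the certificate paths from the configuration above. The ClientHello bytes, the single cipher suite, and the choice of domain1.com as the default server are constructed for the example; nginx itself performs this lookup inside OpenSSL.

```python
import struct

SNI_EXTENSION = 0x0000   # TLS extension type for server_name (RFC 6066)


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry (test input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0) + HostName
    sni_body = struct.pack("!H", len(entry)) + entry              # ServerNameList
    extensions = struct.pack("!HH", SNI_EXTENSION, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                               # client_version TLS 1.2
        + b"\x11" * 32                                            # random (fixed so the example is deterministic)
        + b"\x00"                                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
        + b"\x01\x00"                                             # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Walk the ClientHello and return the host_name from the SNI extension, or None."""
    if len(record) < 6 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # handshake header, client_version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos >= len(hs):
        return None                                       # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXTENSION:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:                                # host_name entry
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


# Constructed mapping using the cert paths from the configuration above
VHOSTS = {
    "domain1.com": "/etc/nginx/ssl/d1/certificate.crt",
    "domain2.com": "/etc/nginx/ssl/d2/certificate.crt",
}


def pick_certificate(record, vhosts, default_name="domain1.com"):
    """Choose the certificate the way an SNI-aware server does: by name, else the default server's."""
    return vhosts.get(extract_sni(record), vhosts[default_name])


if __name__ == "__main__":
    for host in ("domain1.com", "domain2.com", "unknown.example"):
        print(host, "->", pick_certificate(build_client_hello(host), VHOSTS))
```

Because the name sits in clear text in the very first packet, a TLS-terminating proxy, a network tap or a flow log can read it without any key material, which is worth remembering when the host names themselves are sensitive. It is also why a client that sends no SNI, or an unknown name, lands on the default server (the first listed 443 block) and is answered with that block's certificate.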
As a test, I enabled the nginx status page as per these articles:
server {
    listen 80;
    # listen on any host name
    server_name _;

    location /status {
        stub_status on;
        access_log off;
    }

    access_log /var/log/nginx/$host-access.log;
    error_log /var/log/nginx/monitor-error.log;
}
I'm normally running a wordpress site, and redirecting any http request to an https request:
server {
    server_name _;
    listen 80;
    return 301 https://$host$request_uri;
}

I have several https server blocks, one for each DNS name, each with its own server cert.
Is there some way of combining the two server blocks above, so that normally an http request will redirect to https, but if the /status URL is used, it will activate the nginx status page?
You need to do something like below:

server {
    server_name _;
    listen 80;

    location = /status {
        stub_status on;
        access_log off;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log /var/log/nginx/$host-access.log;
    error_log /var/log/nginx/monitor-error.log;
}

So in the case of /status no redirection will happen. In the rest of the cases it will just do the https redirect.
There is lots of material about using nginx as a reverse proxy, and it is working well for me as a basic proxy for a strange web server app I need to use. I even have redirect on, so http gets redirected to https.
server {
    listen 80;
    server_name <my server>;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name <my server>;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";
    ssl on;   # deprecated since nginx 1.15; "ssl" on the listen line is sufficient
    ssl_certificate cert1.crt.pem;
    ssl_certificate_key cert1.key.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://localhost:81;   # my existing apache instance
        proxy_set_header Host $host;
    }
}
Now I have one new wrinkle. I'd like to pick off one particular path and NOT have it get forwarded to the main server app. I need to do this to add in some Let's Encrypt challenge responses. Whenever the incoming URL is http:///.well-known/acme-challenge/, then I want to use a static nginx path and NOT forward to the main server.
Any ideas? I tried adding in a location directive but that wasn't working.
server {
    listen 80;
    server_name video.maritimeopscorp.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name video.maritimeopscorp.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";
    ssl on;   # deprecated since nginx 1.15; "ssl" on the listen line is sufficient
    ssl_certificate cert1.crt.pem;
    ssl_certificate_key cert1.key.pem;
    ssl_session_cache shared:SSL:10m;

    location ~ /.well-known {
        <I've tried lots of combinations here.>
    }

    location / {
        proxy_pass http://localhost:81;   # my existing apache instance
        proxy_set_header Host $host;
    }
}
I'd also prefer to get this up into the 80 block rather than the 443 block but little steps first.
Any ideas?
You will need to use a root directive to inform nginx where the .well-known directory can be found:

server {
    listen 80;
    server_name video.maritimeopscorp.com;

    location / {
        return 301 https://$server_name$request_uri;
    }

    location /.well-known {
        root /path/to/enclosing/directory;   # nginx appends the URI, so the files live under .../.well-known/
    }
}

Enclose the return statement inside the default location block; otherwise it will always take precedence.
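The /status answer, the .well-known answer and the unanswered whitelist question further up all hinge on which location block nginx selects for a given URI, so here is an added Python model of that selection order (not code from any of the posts or from nginx): an exact `=` match wins outright, then the longest matching prefix is remembered and used immediately if it carries `^~`, then regex locations are tried in configuration order, and otherwise the longest prefix is used. The location tables and their labels are constructed for the example; they mirror the blocks in the posts above. It also shows why a sibling `location /api/no-filters` is not covered by allow/deny directives written inside `location /`, since those directives only apply to the block that holds them.

```python
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str   # "" prefix, "=" exact, "^~" prefix that stops the regex search, "~" regex, "~*" case-insensitive regex
    pattern: str
    label: str      # hypothetical label describing what the block does


def select_location(uri, locations):
    """Return the Location nginx would pick for a request URI, or None if nothing matches."""
    # 1. an exact match ends the search immediately
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
    # 2. remember the longest matching prefix; "^~" on it means the regexes are skipped
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    # 3. regex locations are tried in configuration order; the first match wins
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    # 4. otherwise fall back to the longest prefix found in step 2
    return best


def route(uri, locations):
    """Convenience wrapper returning the chosen block's label."""
    loc = select_location(uri, locations)
    return loc.label if loc else None


# Constructed tables mirroring the posts above
STATUS_SERVER = [
    Location("=", "/status", "stub_status"),
    Location("", "/", "redirect-to-https"),
]
ACME_QUESTION = [   # the asker's regex location beside the catch-all proxy
    Location("~", "/.well-known", "static-acme"),
    Location("", "/", "proxy-to-apache"),
]
ACME_ANSWER = [     # the answer: a plain prefix location beside the redirect
    Location("", "/", "redirect-to-https"),
    Location("", "/.well-known", "static-acme"),
]
WHITELIST_SERVER = [   # a more specific prefix escapes the whitelist held by "/"
    Location("", "/", "whitelisted-frontend"),
    Location("", "/api/no-filters", "open-endpoint"),
]

if __name__ == "__main__":
    for uri in ("/status", "/status/", "/wp-admin"):
        print("status server", uri, "->", route(uri, STATUS_SERVER))
    for uri in ("/.well-known/acme-challenge/token", "/blog"):
        print("acme answer  ", uri, "->", route(uri, ACME_ANSWER))
    for uri in ("/api/no-filters", "/api/no-filters/x", "/dashboard"):
        print("whitelist    ", uri, "->", route(uri, WHITELIST_SERVER))
```

Two details the run makes visible: `location = /status` matches only that exact path, so `/status/` still redirects, and the asker's `location ~ /.well-known` regex does match the challenge path, so the block's body rather than its matching was the problem. A server-level `return`, by contrast, runs before any location is chosen, which is the answer's closing point.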