How to setup secure websockets with nginx - nginx

I have a webserver running on port 9000. I want to make it available on port 80, and also I want to make a websocket connection available on port 9021. If I run this over http everything works fine. But when I go to https the websocket cannot be connected.
Here's my nginx config; it gives this warning:
nginx: [warn] conflicting server name "oyun.net" on 0.0.0.0:443, ignored
server {
    listen 443 ssl;
    server_name oyun.net;
    ssl_certificate /etc/key.pem;
    ssl_certificate_key /etc/key2.pem;
    listen 80;
    location / {
        proxy_pass http://localhost:9000;
    }
}
server {
    listen 443 ssl;
    server_name oyun.net;
    ssl_certificate /etc/key.pem;
    ssl_certificate_key /etc/key2.pem;
    listen 9021;
    location / {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header upgrade $http_upgrade;
        proxy_set_header connection "upgrade";
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header host $host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
Here's the browser error:
WebSocket connection to 'wss://oyun.net:9021/socket/v1?sri=tcylqwzjnl' failed:
Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR

I've created a new certificate for socket.oyun.net and this config helped:
server {
    listen 80;
    server_name oyun.net;
    return 301 https://oyun.net$request_uri;
}
server {
    listen 443 ssl;
    server_name oyun.net;
    ssl_certificate /etc/letsencrypt/live/oyun.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/oyun.net/privkey.pem;
    location / {
        proxy_pass http://localhost:9000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 9021 ssl;
    server_name socket.oyun.net;
    ssl_certificate /etc/letsencrypt/live/socket.oyun.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/socket.oyun.net/privkey.pem;
    location / {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
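The three directives that every working config on this page repeats (proxy_http_version 1.1, Upgrade and Connection headers) exist because the upstream WebSocket server validates the forwarded handshake before switching protocols. The following added Python example (written for this page, not nginx's or the asker's code) checks a forwarded request the way RFC 6455 requires and names the nginx directive whose absence breaks it; the two request strings are constructed samples modelled on nginx's default proxy behaviour versus the accepted config.

```python
import base64
import hashlib

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample: what nginx sends upstream with a bare proxy_pass
# (HTTP/1.0 and "Connection: close" are nginx's defaults for proxied requests).
REQ_DEFAULT = (
    "GET /socket/v1?sri=tcylqwzjnl HTTP/1.0\r\n"
    "Host: localhost:9000\r\nConnection: close\r\n"
    "Upgrade: websocket\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
# Constructed sample: the same request after proxy_http_version 1.1 plus the
# Upgrade/Connection/Host proxy_set_header directives from the accepted config.
REQ_UPGRADED = REQ_DEFAULT.replace("HTTP/1.0", "HTTP/1.1").replace(
    "Host: localhost:9000\r\nConnection: close", "Host: oyun.net\r\nConnection: upgrade")

def parse_request(raw):
    # Split a raw HTTP request into (method, target, version, {lowercased-name: value}).
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def upgrade_rejection(raw):
    """None if a WebSocket server would accept the forwarded handshake, else the
    nginx directive whose absence breaks it (checked in RFC 6455 order)."""
    method, _, version, h = parse_request(raw)
    if method != "GET":
        return "handshake must be a GET"
    if version != "HTTP/1.1":
        return "proxy_http_version 1.1"
    if h.get("upgrade", "").lower() != "websocket":
        return "proxy_set_header Upgrade $http_upgrade"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return 'proxy_set_header Connection "upgrade"'
    try:
        nonce = base64.b64decode(h["sec-websocket-key"], validate=True)
    except (KeyError, ValueError):
        return "client Sec-WebSocket-Key missing or malformed"
    return None if len(nonce) == 16 else "client Sec-WebSocket-Key must be 16 bytes"

def accept_value(key):
    """Sec-WebSocket-Accept the upstream must return for this key (RFC 6455 4.2.2)."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
```

Note that the check says nothing about TLS: the asker's net::ERR_SSL_PROTOCOL_ERROR came from port 9021 not being a `listen ... ssl` socket at all, which no header directive can fix.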

Related

How to remove port number in nginx when redirecting

This is my domain.conf file in nginx:
server {
    listen 80;
    listen 8080;
    server_name EXAMPLE.COM www.EXAMPLE.COM;
    return 301 https://EXAMPLE.COM$request_uri;
}
server {
    listen 443 ssl;
    root /home/path;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Now when I type http://EXAMPLE.COM:8080 or http://EXAMPLE.COM:8080/some_folder/, my website over port 8080 works, but I want to remove this port number. What I want is:
--> Whenever I type http://EXAMPLE.COM:8080/folder, it redirects to https://EXAMPLE.COM/folder
I think the answer to what you are looking for is the proxy_redirect option, after proxy_pass.
This nginx configuration sample can be useful (take a look at the proxy_redirect line):
location /one/ {
    proxy_pass http://upstream:port/two/;
    proxy_redirect http://upstream:port/two/ /one/;
}
I think adding this should do the trick:
proxy_redirect http://127.0.0.1:8000 /blog;
You can find full documentation and examples in the nginx documentation:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

How to setup nginx multiple apps and multiple ports with one ssl

I have already deployed in HTTPS. This is my nginx.conf:
server {
    listen 3000 ssl;
    listen [::]:3000 ssl;
    server_name localhost hostname.com;
    ssl_certificate ssl-bundle.crt;
    ssl_certificate_key privatekey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:4000/;
        proxy_redirect off;
        proxy_read_timeout 240s;
    }
}
I want to run a new app on a new port on the same domain, so I tried adding this:
server {
    listen 4000 ssl;
    listen [::]:4000 ssl;
    server_name localhost hostname.com;
    ssl_certificate ssl-bundle.crt;
    ssl_certificate_key privatekey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:8000/;
        proxy_redirect off;
        proxy_read_timeout 240s;
    }
}
When running the two apps I can use https only on port 3000 but cannot use the app on port 4000. How should I configure the file?

Issue in configuring Nginx for multiple apps on same server

I have multiple apps, each listening on a different port, and I am trying to configure nginx so I can proxy pass to each of them separately.
I am able to configure the root location of my domain to proxy pass to a bokeh app which is listening on port 5006 using this config:
server {
    listen 80 default_server;
    listen 443 ssl;
    root /var/www/mydomain/html;
    index index.html index.htm index.nginx-debian.html;
    server_name mydomain www.mydomain;
    ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:5006;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_buffering off;
    }
}
The above part works. However, when I try to create an additional location so that location / serves a landing page (from root) and location /env proxies to localhost:5006, it shows an empty page at mydomain/env. Here is the config I am trying with:
server {
    listen 80 default_server;
    listen 443 ssl;
    root /var/www/mydomain/html;
    index index.html index.htm index.nginx-debian.html;
    server_name mydomain www.mydomain;
    ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_buffering off;
    }
    location /env/ {
        rewrite ^/env/(.*)$ /$1 break;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host:$server_port;
        proxy_buffering off;
        proxy_pass http://127.0.0.1:5006;
    }
}
It would be great if someone could point out where I am making the mistake.
Thanks.

Regex for nginx server_name

I would like to use a regex on my nginx server_name that functions almost like a wildcard.
*-dev.mydomain.com -> dev server (localhost port 3001)
*-staging.mydomain.com -> staging server (localhost port 3002)
everything else -> prod server (localhost port 3000)
However I cannot for the life of me get this to work.
I seemingly get it working on https://regexr.com/51teh - but I'm not able to apply it correctly to my nginx config.
Here is my staging config now (not working, not catching requests to *-staging.mydomain.com):
server {
    listen 443 ssl;
    server_name "~.*-staging\.mydomain\.com";
    location / {
        proxy_pass http://localhost:3002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header x-forwarded-for $remote_addr;
    }
}
Try adding another virtual server block with default_server to the listen directive. Something like the following:
server {
    listen 443 ssl default_server;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
server {
    listen 443 ssl;
    server_name "~.*-staging\.mydomain\.com";
    location / {
        proxy_pass http://localhost:3002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header x-forwarded-for $remote_addr;
    }
}
This should work.
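To make the selection order concrete, here is an added Python model (written for this page, not nginx's code) of how nginx picks a server block for a request's Host name on one listen port: exact name, longest leading wildcard, longest trailing wildcard, first matching regex in file order, then the default server. The SERVERS list is a constructed stand-in for the dev/staging/prod blocks the question describes; the anchored() helper shows why the unanchored regex in the question also matches host names that merely contain "-staging.mydomain.com".

```python
import re

# Constructed stand-in for the three blocks the question describes, all on one port.
# A name starting with "~" is a regex, as in nginx; "default" marks default_server.
SERVERS = [
    {"names": ["mydomain.com", "www.mydomain.com"], "default": True, "upstream": "localhost:3000"},
    {"names": [r"~.*-dev\.mydomain\.com"], "upstream": "localhost:3001"},
    {"names": [r"~.*-staging\.mydomain\.com"], "upstream": "localhost:3002"},
]

def _kind(name):
    # Classify a server_name the way nginx does.
    if name.startswith("~"):
        return "regex"
    if name.startswith("*."):
        return "lead_wild"    # *.example.org
    if name.endswith(".*"):
        return "trail_wild"   # mail.*
    return "exact"

def choose_server(servers, host):
    """Return the upstream nginx would route `host` to, following the documented
    server_name precedence (exact, leading wildcard, trailing wildcard, regex, default)."""
    host = host.split(":")[0].lower().rstrip(".")   # nginx drops the port and lowercases
    names = [(n, s) for s in servers for n in s["names"]]
    for n, s in names:
        if _kind(n) == "exact" and n.lower() == host:
            return s["upstream"]
    for kind in ("lead_wild", "trail_wild"):
        hits = []
        for n, s in names:
            if _kind(n) != kind:
                continue
            if host.endswith(n[1:]) if kind == "lead_wild" else host.startswith(n[:-1]):
                hits.append((len(n), s))
        if hits:
            return max(hits, key=lambda h: h[0])[1]["upstream"]   # longest wildcard wins
    for n, s in names:
        if _kind(n) == "regex" and re.search(n[1:], host):       # unanchored unless ^ and $ are given
            return s["upstream"]
    for s in servers:
        if s.get("default"):
            return s["upstream"]
    return servers[0]["upstream"]   # no default_server: first block for the port is the default

def anchored(servers):
    # Copy of `servers` with each regex pinned to the whole host (assumes it is not anchored yet).
    return [{**s, "names": [("~^" + n[1:] + "$") if n.startswith("~") else n for n in s["names"]]}
            for s in servers]
```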

Neo4j with a reverse proxy and NGINX

I'm having trouble addressing Neo4j via a reverse proxy with NGINX.
The web client works without problems, but I have no idea about the Bolt protocol.
Here's how the web client works:
server {
    listen 80;
    server_name XXX;
    location / {
        proxy_pass http://YYY:7474/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_buffering off;
    }
}
But how does the Bolt protocol over port 7687 work?
Thanks.
PS: Google translator ftw.
You need to use nginx compiled with --with-stream. Then you can add the section below to your nginx config:
stream {
    server {
        listen 7687;
        proxy_pass neo4j:7687;
    }
}
Basically you need to use a TCP reverse proxy and not an HTTP proxy. The above configuration section goes at the top level and not inside the http or server block.
You will need to open port 7687 between your laptop and the server hosting neo4j.
If you are using Let's Encrypt and try to connect through SSL: the neo4j embedded certificate was not signed by an authority, which was generating the error in my Chrome browser.
To make it work, I had to copy my certs into the neo4j certificates directory:
sudo su
cp /etc/letsencrypt/live/MYDOMAIN/fullchain.pem /var/lib/neo4j/certificates/neo4j.cert
cp /etc/letsencrypt/live/MYDOMAIN/privkey.pem /var/lib/neo4j/certificates/neo4j.key
service neo4j restart
Here is what works:
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    # Maps the client's Upgrade header to the Connection value sent upstream:
    # plain requests get "close", WebSocket handshakes get "upgrade".
    map $http_upgrade $connection_upgrade {
        "" close;
        default upgrade;
    }
    upstream neo4j_bolt {
        server neo4j:7687;
    }
    upstream neo4j_insecure {
        server neo4j:7474;
    }
    upstream neo4j_secure {
        server neo4j:7473;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_pass http://neo4j_insecure;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
        location / {
            proxy_pass https://neo4j_secure;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    server {
        listen 7687 ssl;
        server_name localhost;
        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
        location / {
            proxy_pass https://neo4j_bolt;
            proxy_http_version 1.1;
            # Upgrade carries the client's value; Connection comes from the map above
            # (the two were swapped in the original post).
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    server {
        listen 7688;
        server_name localhost;
        location / {
            proxy_pass http://neo4j_bolt;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
Dockerized solution here: https://github.com/joehoeller/nginx-server-neo4j-graph-db