Privacy error after changing nginx config - nginx

We have a website that was previously available under 3 addresses
report.example.com
www.live.example.com
live.example.com
all working with https and http and using letsencrypt certs.
It's been decided that the site will only be available under 1 address - live.example.com
The nginx config is setup as follows
server {
listen 80;
server_name report.example.com www.live.example.com live.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name report.example.com www.live.example.com live.example.com;
...
}
I have changed this to the following:-
server {
listen 80;
listen 443 ssl;
server_name report.example.com www.live.example.com;
return 301 $scheme://live.example.com$request_uri;
}
server {
listen 80;
server_name live.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name live.example.com;
...
}
However when I try and navigate the site with the new config I get
Attackers might be trying to steal your information from www.live.example.com (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
The certificate is the same, so contains all the correct details.


Turns out that as they're on the same server I had to include the certificate details in the old virtualhost as well as the new one

Related

Nginx How to prevent processing requests with undefined server names

Nginx is 1.14.1 version
have several virtual hosts and default in the /etc/nging/sites-enabled:
I've tried to configure using this doc: http://nginx.org/en/docs/http/request_processing.html
default
server {
listen 80;
server_name "";
return 444;
}
server {
listen 443 ssl http2 default_server;
server_name _;
ssl_certificate ....
ssl_certificate_key .....
add_header Strict-Transport-Security 'max-age=31536000';
return 444;
}
domain1
server{
listen 80;
server_name domain1;
return 301 https://$server_name;
}
server {
server_name domain1;
listen 443 ssl;
..................
}
but when tried to get access using server IP nginx redirect to domain1. please help what's wrong here. I'd like to deny access by IP to sites and leave only requests with domain name

nginx config catches domains not specified in server_name

I have two configs enabled in my nginx sites-enabled folder.
The first one (my-domain.fr.conf) looks like this:
server {
listen 443 ssl http2;
server_name my-domain.fr;
index index.html;
location / {
root /www/my-domain.fr;
}
include ssl_certif.conf;
}
# HTTP redirect
server {
listen 80 default_server;
server_name my-domain.fr;
location / {
return 301 https://my-domain.fr$request_uri;
}
}
The second one (sub.my-domain.fr.conf) looks like this:
server {
location / {
proxy_pass http://127.0.0.1:8080;
}
include ssl_certif.conf;
server_name sub.my-domain.fr;
listen [::]:443 ssl;
}
server {
if ($host = sub.my-domain.fr) {
return 301 https://$host$request_uri;
}
server_name sub.my-domain.fr;
listen [::]:80;
return 404;
}
I would expect the last one to only catch requests to sub.my-domain.fr subdomains, but instead it catches anything (I have wildcards subdomains set up on my DNS), and even masks my-domain.fr.
How can I make sure it only catches sub.my-domain.fr requests?

I found the reason.
sub.my-domain.fr supports ipv6 (listen [::]:443 ssl;). my-domain.fr doesn't.
I suppose my connection is using ipv6 when it can, and in this case, sub.my-domain.fr is the only match.
Adding ipv6 support (listen 443 ssl => listen [::]:443 ssl;, and listen 80; => listen [::]:80;) in all server entries fix it.

Nginx configure root domain redirect to subdomain

my current setup of webpage is:
forum.xyz.pl
I need xyz.pl redirect to forum.xyz.pl
current nginx.conf:
nodebb.conf
I am using aws route53, not sure what value should I put there for root domain also.
thanks

pl to forum.xyz.pl you can simply do:
server {
server_name xyz.pl;
rewrite ^ forum.xyz.pl$request_uri? permanent;
}
This should solve your problem, let me know if you have any other problems. I don't really understand the problem with Route 53 since it is just handling the DNS entries.

I'd do it like this
server {
listen 80;
server_name xyz.pl;
return 301 https://forum.xyz.pl/;
}
server {
listen 80;
server_name forum.xyz.pl;
#Force Https
return 301 https://$host$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
#listen [::]:80;
#listen 80;
server_name forum.xyz.pl;
##rest of config goes here
}

CentOs Nginx redirect https://www to https://

Im using Nginx in centos. Im facing an issue with redirection.
I want to redirect all requests to https://some-domain.com/url
Im able to redirect
http://www.some-domain.com to https://some-domain.com
www.some-domain.com to https://some-domain.com
http://some-domain.com to https://some-domain.com
But im not able to redirect https://www.some-domain.com
conf file:
server
{
listen 443 ssl;
server_name some-domain.com www.some-domain.com;
ssl_certificate /etc/nginx/ssl/some-domain.com.chained.crt;
ssl_certificate_key /etc/nginx/ssl/some-domain.com.key;
if ($host = https://www.some-domin.com) {
return 301 https://some-domin.com$request_uri;
}
}

It's best to separate two server brackets to evade the use of "if". Your problem was that you added "https://" to the host, when it's only www.some-domain.com what you needed to compare.
This example is simpler:
#Server bracket for https connections that come with host www.some-domain.com
server
{
listen 443 ssl;
server_name www.some-domain.com;
ssl_certificate /etc/nginx/ssl/some-domain.com.chained.crt;
ssl_certificate_key /etc/nginx/ssl/some-domain.com.key;
#redirects to https://non-www
location / {
return 301 https://some-domin.com$request_uri;
}
}
# and then you can set a server bracket for non-www https connections.
# nginx will sort the connections depending on host for itself
server
{
listen 443 ssl;
server_name some-domain.com;
ssl_certificate /etc/nginx/ssl/some-domain.com.chained.crt;
ssl_certificate_key /etc/nginx/ssl/some-domain.com.key;
#Here it arrives 443 and without www, do what you wanted here
}

how to disable direct access to a web site by ip address

I have a website on a VPS.
The issue I am having is that when I enter the IP of the server, it links to the website.
Even when entering mail.domain.com, it does the same thing.
How do I disable that, so a visitor would get a message or be directed to the domain?
I tried disabling the IP and mail a record on cloud flare but it didn't work.
My setup is:
VPS on Linux Debian
Nginx
no control panel just command line
Cloudflare
DNS setup with BIND

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name "";
return 444;
}
You need to specify default_server parameter so that all non available server requests goes to this server block which throws 444 error.
444 : CONNECTION CLOSED WITHOUT RESPONSE
ref: https://httpstatuses.com/444

You can use redirect, nginx config:
server {
listen 80;
server_name IP_ADDRESS;
return 301 http://YOUR.DOMAIN;
}

You can just add a server directive before others.
server {
listen 80;
server_name _;
return 404;
}

You can use redirect, nginx config:
server {
listen 80;`enter code here`
server_name IP_ADDRESS;
return 301 http://YOUR.DOMAIN;
}

you can return any error you find suitable. A list of errors can be found here List_of_HTTP_status_codes
server {
listen x.x.x.x:80;
server_name x.x.x.x;
return 404;
}

You may try to set the server IP address in:
/etc/nginx/conf.d/default.conf
So it looks like this:
server {
listen 80;
server_name localhost IP.OF.VPS.HERE;
Then you can specify the subdomain vhost, like:
server {
listen 80;
server_name subdomain.domain.com;
And the main domain, like:
server {
listen 80;
server_name www.domain.com domain.com;
Then restart Nginx:
/etc/init.d/nginx restart
Each vhost should have its own *.conf file (for better organization), like:
/etc/nginx/conf.d/subdomain.domain.com.conf
/etc/nginx/conf.d/domain.com.conf
/etc/nginx/conf.d/default.conf

Put this at top of your /etc/nginx/conf.d/SERVER_IP_ADDRESS.conf file and comment everything what is below it.
#disabling accesing server by ip address
server {
listen SERVER_IP_ADDRESS:80 default;
server_name _;
return 404;
}
Then restart your Nginx server (on Ubuntu it is done by service nginx restart this command)
Now when you will put your server's ip address to browser url field you will get 404 error.

server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server;
listen [::]:443 default_server;
return 444;
}
Don't bother supporting HTTP/2 or SSL connection for a sink.
It does catch-all without those unnecesities.
For the unsupported, it just refuses such connections.
See https://stackoverflow.com/a/68042877/4510033.

Neither of above helped in my case - IP connection to http works as expected but https was redirecting to alphabetically first https virtual site.
What was working witn nginx below 1.19.4 was to add null certificate to block:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server;
listen [::]:443 default_server;
ssl_certificate /etc/ssl/null.crt;
ssl_certificate_key /etc/ssl/null.key;
server_name "";
return 444;
}
Certificte can be generated with empty CN so you need no worry about fill it.
openssl req -x509 -newkey rsa:2048 -days 10000 -nodes -subj '/CN=' -keyout null.key -out null.crt
Then http/https returns 444 (ERR_EMPTY_RESPONSE), in different configurations https returns ERR_HTTP2_PROTOCOL_ERROR with your null certificate which is also fine to show there is nothing there.
For nginx 1.19.4 it is simpler.
It introduced ssl_reject_handshake on | off (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake) you can replace certificates 'stuff' with:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server;
listen [::]:443 default_server;
ssl_reject_handshake on;
server_name "";
return 444;
}
And now you get http 444 (ERR_EMPTY_RESPONSE) and for https ERR_SSL_UNRECOGNIZED_NAME_ALERT. No null certificates are needed.

if ($http_host != "example.com") {
return 301 https://example.com;
}

Resources