Develop Reference

SSL_do_handshake() failed

hello i am deployed a node backend with an angular app to digital ocean droplet, and managed ssl with cert bot, i used nginx for reversed proxy,everything seems to work fine,but then i noticed a bug, sometimes i am able to log in fine, but other time the entire app returns a 404 error from both the backend and frontend app,
I added an error_log to inspect the problem i see
[crit] 15895#15895: *623 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 167.99.214.63, server: 0.0.0.0:443
i tried searching for solutions online but nothing seems to be actually clear as to why i am having the issues, please i need help and suggestions on how i can solve this, i will really appreciate it, thanks.
when i view the errors fron the fronend app
15895#15895: *327 client 185.180.143.138 closed keepalive connection
please i need help
here is my config.default file
upstream backend {
server localhost:3000;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# listen [::]:443 ssl default_server;
server_name admin.vhfpremiuminvestment.com www.admin.vhfpremiuminvestment.com;
location / {
# alias /usr/share/nginx/html;
root /var/www/admin.vhfpremiuminvestment.com/accion;
try_files $uri $uri/ /index.html;
index index.html index.htm;
access_log /var/log/nginx/frontend.access.log main;
error_log /var/log/nginx/frontend.error.log debug;
}
location /api/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
access_log /var/log/nginx/backend.access.log main;
error_log /var/log/nginx/backend.error.log debug;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
error_page 404 /404.html;
location = /40x.html {
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
ssl_certificate /etc/letsencrypt/live/admin.vhfpremiuminvestment.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/admin.vhfpremiuminvestment.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Why does nginx think my root directory is /usr/share/nginx and not /var/www/html as my configuration states?

I am new to nginx and trying to get the hang of it. I've been reading the docs, and they say if use the directive root it should tell nginx where to find requests. For example, from my understanding, root /var/www/html should tell nginx to find requests in the directory /var/www/html, but my instance of nginx is not doing that. I am trying to load a file in that directory called test.html, but instead it is trying to look for the file in /usr/share/nginx. Note that this is a pretty fresh install of nginx and I have made few changes to the default config files. I also want to note the path prefix is set to /usr/share/nginx, but my understanding is using the root directive should override that. I am running Ubuntu 18.04 and installed nginx through apt. Let me know if you need any more information. Thanks!
nginx.conf - Please note this file has no uncommented root directives
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name kramericaindustries.hopto.org;
rewrite ^/rstudio$ $scheme://$http_host/rstudio/ permanent;
location /rstudio/ {
rewrite ^/rstudio/(.*)$ /$1 break;
proxy_pass http://localhost:8787;
proxy_redirect http://localhost:8787/ $scheme://$http_host/rstudio/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 20d;
}
location /heatmap/ {
proxy_pass http://127.0.0.1:8050;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# location /test/ {
# root /home/grant/test;
# index index.html;
# }
}
# server {
# listen 8050;
# server_name kramericaindustries.hopto.org;
# location /heatmap/ {
# proxy_pass http://127.0.0.1:8050;
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# }
# location /test/ {
# }
# }
# server {
# location /test {
# root /home/grant/www;
# }
# }
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
/etc/nginx/sites-available/default - Please note this file has been unchanged since I installed it and is where the root directive I'm referring to is.
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
EDIT: There is a soft symlink in /etc/nginx/sites-enabled/default which points to /etc/nginx/sites-available/default.

OK I've solved the issue by learning something new about nginx. The problem is the server block for port 80 in nginx.conf and /etc/nginx/sites-enabled/default were in conflict which I was unaware of. Though /etc/nginx/sites-enabled/default is listed as the default server (listen 80 default_server), nginx was using the server block in nginx.conf because this server block has the server name directive (server_name kramericaindustries.hopto.org;) which took precedence over the default_server. (Yes, I was using this domain name for testing.) nginx only uses one server block to fulfill the request.
Because the server block in nginx.conf did not specify a root, it used the nginx path prefix by default which is /usr/share/nginx which does not contain test.html. Therefore, the request failed. I added root /var/www/html; to nginx.conf and everything is now working as expected.

NGINX error - [emerg] "server" directive is not allowed here

I just installed nginx for my lab, in accidentally i deleted default file in /etc/nginx/site-available, then i copy the configuration on the internet, but it can not work with the new config, can someone help explain me what the error ?
here is the error that i got
Nginx error
root#kali:/etc/nginx/sites-enabled# [emerg] "server" directive is not allowed here in /etc/nginx/sites-enabled/default:16^C
root#kali:/etc/nginx/sites-enabled# nginx -s reload
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/sites-enabled/default:16
here is the default file in /etc/nginx/sites-available
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# proxy_pass http://localhost:8080;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
# proxy_set_header Host $host;
# proxy_cache_bypass $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

You might've to write this as below, server block comes inside http block.
http {
server {
// your rules
}
}
if you are including this virtual host as seperately in some other conf file. then you have to do below with default conf.
http {
server {
// your rules
}
include v.hosts/*.conf;
}

Running a Spring Boot app behind nginx

I have a Spring Boot + MVC app up and running on my server and it's bound to http://localhost:8000.
There is an nginx proxy (or is it a reverse proxy, not sure about the name) that listens to the outside world on ports 80 and 443. The root ( / ) will resolve correctly, but anything under it will not resolve and results in a 404 error ( /someControllerName/action, /images/, /css/ ).
I have this as my configuration:
upstream jetty {
server localhost:8000;
}
server {
listen 80;
server_name domain.com;
return 301 http://www.domain.com$request_uri;
}
server {
listen 443;
server_name domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
return 301 https://www.domain.com$request_uri;
}
server {
listen 80 default_server;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html index.htm;
server_name www.domain.com localhost;
#ssl on;
ssl_certificate /etc/nginx/ssl/ssl-unified.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
proxy_pass $scheme://jetty/$request_uri;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
try_files $uri $uri/ =404;
}
}
Any help is very much appreciated.

You can't combine proxy_pass with try_files in the way that you have attempted. As the comment in your configuration describes, the try_files directive causes nginx to look for a file that matches the URI and then look for a directory that matches the URI. If it doesn't find either, it responds with a 404. You can read more about try_files in the nginx documentation.
It's not clear from your question that you need to use try_files at all so the simplest way to fix your configuration is to remove the try_files line.

nginx one ipaddress but 2 sites served from subfolder

I have succesfully configured nginx. with default site it works correctly.
Now i have 2 sites, one at /home/bugz and another one /home/git/github/public. and only one ip 10.10.10.10 (i dont have dns setup hence cant use domain names)
i want to have the sites served at locations
http://10.10.10.10/bugz and http://10.10.10.10/github respectively
below are the two config files
server {
listen *:80;
server_name 10.10.10.10;
server_tokens off;
root /home/bugz;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/bugzilla_access.log;
error_log /var/log/nginx/bugzilla_error.log;
location /bugz {
index index.html index.htm index.pl;
}
location ~ \.pl|cgi$ {
try_files $uri =404;
gzip off;
fastcgi_pass 127.0.0.1:8999;
fastcgi_index index.pl;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
and
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
server {
# listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
listen *:80; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
server_name 10.10.10.10; # e.g., server_name source.example.com;
server_tokens off; # don't show the version number, a security best practice
root /home/git/gitlab/public;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location /{
# serve static files from defined root folder;.
# #gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html #gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location #gitlab {
proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://gitlab;
}
}
How do i achieve this ?

Your nginx.conf should contain something like this inside the http block :
include /etc/nginx/sites-enabled/*;
Then you will have 2 configuration files in the /etc/nginx/sites-available folder. (which has symlinks directed from the sites-enabled folder.
Each conf will need to either have them listening on a different ports; ie one on port 80 and on one port 81
server1.conf
server {
listen 80;
server_name localhost;
server2.conf
server {
listen 81;
server_name localhost;
-OR-
Have a different servername for each server in the conf files and play with the hosts file.

I don't understand why this huge configs, I'd configure only 1 site with 2 locations
server {
server_name 10.10.10.10;
location /bugz {
root /root/to/bugz;
access_log /var/log/nginx/bugzilla_access.log;
error_log /var/log/nginx/bugzilla_error.log;
index index.html index.htm index.pl;
# try_files statement
}
location /git {
root /home/git/gitlab/public;
#access and error log and rest of config
}
location ~ \.pl|cgi$ { }
location #gitlab { }
}