Enabling http and https to port 8000 - nginx

I'm having trouble accessing http://example.com:8000 and https://example.com:8000; I can't seem to get them both to work. This will serve as our backend and will serve API requests throughout. I want to either
open http://example.com:8000 and https://example.com:8000 for API requests
or
redirect from http to https, including the CORS authentication and everything, so the client can still get the return even with the redirect.
This is my configuration so far:
server {
    listen 8000 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
    charset utf-8;
    location / {
        proxy_pass http://ghost:8000;
        proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    error_page 497 https://$host:$server_port$request_uri;
}

You need to use different ports:
server {
    listen 8000;
    listen 8443 ssl;
    # other directives
}

Related

Appwrite with Nginx

I installed Appwrite on a Debian server.
The https-port for Appwrite is 444 (443 was already used). Nginx redirects my subdomain to this port.
I have a custom SSL-certificate which is working for this domain and subdomains. I can open the appwrite via the subdomain but when I click "Sign Up" to create a root account for appwrite, I get the following Error:
Invalid Origin. Register your new client (appwrite.domain.de) as a
new Web platform on your project console dashboard
First I thought I had to set proxy_set_header Host $host; in the server config, but then I am not able to open Appwrite... instead I get the error
{"message":"Error: Server Error","code":500,"version":"1.0.1"}
Does someone have another idea or has already fixed the same problem?
This is my server configuration in Nginx:
server {
    server_name appwrite.domain.de;
    location / {
        proxy_pass https://localhost:444;
    }
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/domain.de_ssl_certificate.cer;
    ssl_certificate_key /etc/nginx/ssl/domain.de_private_key.key;
}
server {
    listen 80;
    server_name domain.de www.domain.de;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/domain.de_ssl_certificate.cer;
    ssl_certificate_key /etc/nginx/ssl/domain.de_private_key.key;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name domain.de www.domain.de;
    location / {
        try_files $uri $uri/ =404;
    }
}
Thanks for the help ;)

You're right, you need to include the proxy_set_header Host $host; directive. You might also want to include the following under server:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
and the following under location:
add_header X-Served-By $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass $forward_scheme://$server:$port$request_uri;
If you're seeing a 500 error, it would be best to check the docker logs for the appwrite container to see what the problem is.
On a side note, if you're looking for an easier way to manage Nginx, I highly recommend Nginx Proxy Manager (NPM). I use NPM in front of my Appwrite.

Nginx Reverse Proxy - proxy_pass using "FQDNs"

We have been trying for days (we tested hundreds of setups) to make a Nginx Reverse Proxy successfully reverse proxy a web application that needs FQDNs (this is mandatory for this web application to work).
Using the configuration below for the Nginx Reverse Proxy together with a local DNS service (see resolver attribute) that knows the FQDN we can successfully make these http calls...
server {
    access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
    error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
    server_name *.apps.mbr.domain.abc;
    location / {
        proxy_pass https://$host$request_uri;
        resolver 127.0.0.1:53;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
    listen 443;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... , however if I change the proxy_pass attribute to using an IP as shown here...
server {
    access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
    error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
    server_name *.apps.mbr.domain.abc;
    location / {
        proxy_pass https://10.2.0.18:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
    listen 443;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... the web application reports not knowing the URL (error). In other words, clearly there is some parameter/data (we don't know what it is) that is added by the DNS service to the http call.
QUESTION: What is the local DNS service provided parameter/data that Nginx Reverse Proxy is not providing?
NOTE: We are asking this because we believe this is something that can be provided by the Nginx Reverse Proxy itself so that we will not need to use the local DNS service.
Thanks! =D

nginx setting up two subdomains with https and http not working

I have two sites to be used on my server, load balancing them using nginx. The first one is www.something.club and the other one is extras.something.club. The first one has https and http set up already, while for extras.something.club I have yet to set up https certs, so I just need http.
The problem here is that when I hit extras.something.club it opens the same page as www.something.club and also redirects to https://extras.something.club. Here the page should load extra.something.club's own page, and I do not need https; since the certificate is for www, it starts giving me a warning anyway. Below are the configurations I'm using.
www.something.com has its file at /etc/nginx/sites-available/web.conf and has a symlink at /etc/nginx/sites-enabled/web.conf. Below is the config:
upstream webapp {
    server 123.123.0.12:8080;
    server 123.234.0.18:8080;
}
server {
    listen 80;
    server_name www.something.club;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.something.club;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.something.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.something.club/privkey.pem;
    # skipping some more ssl settings.
    access_log /var/log/nginx/web.access.log;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://webapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
extras.something.com has file at /etc/nginx/sites-available/extras.conf and has symlink at /etc/nginx/sites-enabled/extras.conf
upstream extraswebapp {
    server 123.123.0.12:8081;
    server 123.234.0.18:8081;
}
server {
    listen 80;
    server_name extras.something.club;
    access_log /var/log/nginx/web.access.log;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://extraswebapp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
I have verified this config against many samples available on various websites and documents. I was not able to locate anything wrong in it. Plus, there is nothing in the code which redirects http to https for extra.something.club. Plus, if I access the direct IPs with those ports, it works perfectly fine and doesn't redirect to https as Nginx does.
Can somebody please help me to locate the problem?

nginx "redirected you too many times."

This is my nginx file
# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.website.com;
    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/api.website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.website.com/privkey.pem;
    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}
When trying to connect to my website, I get a too many redirect error. How can I fix this? For reference, I am following this SSL guide.
Edit: Using Cloudflare, full SSL

Nginx: redirecting multiple http servers to SSL: config not working

I'm trying to put an nginx together with the following setup:
I have two http servers running on my localhost.
One listening on port 8080, the other on port 8081.
Both should be served through https and
the production server listening on 8080 should be accessible to www.awesomesite.io.
the test server listening on port 8081 should be accessible through test.awesomesite.io.
Somehow, when navigating to the test.awesomesite.io the nginx server directs me to my production server.
I use the following configuration to direct www-requests to localhost:8080 and test-request to 8081.
server {
    listen 80;
    server_name www.awesomesite.io;
    rewrite ^ https://$host$request_uri? permanent; # force redirect http to https
    server_tokens off;
}
# SSL port production server
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.awesomesite.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.awesomesite.io/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl on;
    server_name www.awesomesite.io;
    server_tokens off;
    # ......
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 1200s;
    }
}
# SSL test server
server {
    listen 80;
    server_name test.awesomesite.io;
    rewrite ^ https://$host:8443$request_uri? permanent; # force redirect http to https
    server_tokens off;
}
server {
    listen [::]:8443 ssl ipv6only=on;
    listen 8443 ssl;
    ssl_certificate /etc/letsencrypt/live/test.awesomesite.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.awesomesite.io/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl on;
    server_name test.awesomesite.io;
    server_tokens off;
    # ......
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host:8443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 1200s;
    }
}

To answer my own question in case someone has the same problem:
I used the answer at https://serverfault.com/questions/538803/nginx-reverse-ssl-proxy-with-multiple-subdomains to change my configuration.
I defined multiple server blocks with the www.awesomesite.io and test.awesomesite.io names for port 443, instead of rewriting the test subdomain to use port 8443.
After these changes, the host from the test request header did match the specific server block and was routed to localhost 8081.
I still did not figure out why the original configuration did not work. All requests matched the production server block (or at least were handled by the first server block).
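
How nginx chooses a server block for the configurations above, as an added example that is not part of the original post: a Python model of the documented selection order (listen port first, then server_name, then the default server for that port). It also covers the extras.something.club question above, where only the www block listens on 443. The Server class, the labels and the catch-all block are assumptions of this sketch, and only exact-name matching is modelled (no wildcards or regexes).

```python
from dataclasses import dataclass


@dataclass
class Server:
    label: str            # hypothetical label for this sketch, not an nginx directive
    ports: tuple          # ports from the block's listen directives
    names: tuple = ()     # exact server_name values
    default: bool = False  # True when a listen line carries default_server


def select_server(servers, port, host):
    """Return the label of the block that handles a request, or None."""
    # Step 1: only blocks listening on the destination port are candidates.
    candidates = [s for s in servers if port in s.ports]
    if not candidates:
        return None  # nothing listens on that port
    # Step 2: compare the Host header (port stripped) with each server_name.
    hostname = host.split(":")[0].lower()
    for s in candidates:
        if hostname in s.names:
            return s.label
    # Step 3: no name matched, so the default server for the port is used:
    # the block marked default_server, otherwise the first one defined.
    for s in candidates:
        if s.default:
            return s.label
    return candidates[0].label


# Constructed from the original configuration in the question above.
ORIGINAL = [
    Server("redirect-www", (80,), ("www.awesomesite.io",)),
    Server("production", (443,), ("www.awesomesite.io",)),
    Server("redirect-test", (80,), ("test.awesomesite.io",)),
    Server("test", (8443,), ("test.awesomesite.io",)),
]
# Layout from the self-answer: both names on 443. The catch-all default
# block is an assumption added here so unknown names do not reach an app.
FIXED = [
    Server("catch-all", (443,), (), default=True),
    Server("production", (443,), ("www.awesomesite.io",)),
    Server("test", (443,), ("test.awesomesite.io",)),
]

if __name__ == "__main__":
    for cfg_name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for h in ("www.awesomesite.io", "test.awesomesite.io", "other.awesomesite.io"):
            print(cfg_name, h, "->", select_server(cfg, 443, h))
```

In the original layout a request for https://test.awesomesite.io arrives on port 443, where the production block is the only listener and therefore the default for every Host value.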
