I have a problem with http requests with my Nginx configuration.
server {
listen 80;
listen [::]:80;
server_name www.queroemprego.pt queroemprego.pt;
return 301 https://www.queroemprego.pt$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name queroemprego.pt;
return 301 https://www.queroemprego.pt$request_uri;
ssl on;
{...}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.queroemprego.pt;
{...}
}
Nginx is listening to both ports and my iptables looks okay
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 4204048 12064/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 4204050 12064/nginx: master
https requests are working and accessing it via https://www.queroemprego.pt should work and has been working for the past month.
But I noticed that http requests are failing for some people and I have no idea why.
The following page tries to get the http version and the requests fails.
http://downforeveryoneorjustme.com/queroemprego.pt
I have 2 more subdomains with similar configurations, redirecting http to https.
Any ideas?
Edit:
Here are my iptables
iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- localhost anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So, the problem was with my iptables.
I though it was accepting requests to port 80, but nope.
Here's the solution:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Related
Below is what I want to achieve;
Forward traffic from http://myip.com to http://localhost:8081
Forward traffic from http://gitlab.myip.com to http://localhost:8443
The following snippet is the content of my Nginx configuration file;
# /etc/nginx/sites-available/two-applications.conf
server {
listen 80;
server_name myip.com;
location / {
# Proxy pass to Apache server
proxy_pass http://localhost:8081;
}
}
server {
listen 80;
server_name gitlab.myip.com;
location / {
# Proxy pass to GitLab server
proxy_pass http://localhost:8443;
}
}
It works as expected within my network but hangs when accessed from outside my network except when port 8081 and 8443 are appended to http://myip.com and http://gitlab.myip.com respectively.
My router is forwarding traffic from ports 80, 8443, 8081 to the computer hosting these applications and my firewall was disabled by running ufw disable.
This is my (abbreviated) output from running sudo netstat -tulpn:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20603/nginx: master
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 13513/nginx: master
tcp6 0 0 :::8081 :::* LISTEN 685/apache2
What am I doing wrong and how can I fix it?
EDIT
The problem here was with the ISP blocking port 80
I'm using a combination of ip6tables and nginx to process http requests from clients. The nginx server listens on port 8081 and must forward a request after examining the header.
Clients can send two types of requests:
GET/POST with no headers. These should be re-directed to https://jaguar.mydomain.com
GET/POST with specific header elb-jaguar.mydomain.com. These should be redirected to https://elb-jaguar.mydomain.com
When run as nginx -c /home/build/v6-only.conf, nginx fails because one server{} directive already has listen on port 8081
nginx: [emerg] duplicate listen options for [::]:8081 in /etc/nginx/v6/v6-only.conf:13
My config is as below:
server {
listen [::]:8081 ssl ipv6only=on;
server_name elb-jaguar.mydomain.com;
ssl_certificate /etc/ssl/elb.crt;
ssl_certificate_key /etc/ssl/elb.key;
location / {
proxy_pass https://elb-jaguar.mydomain.com:443;
}
}
server {
listen [::]:8081 ssl ipv6only=on;
ssl_certificate /etc/ssl/regular.crt;
ssl_certificate_key /etc/ssl/regular.key;
server_name jaguar.mydomain.com;
location / {
proxy_pass https://jaguar.mydomain.com:443;
}
}
How can I fix the above config to get the desired forwarding with proxy_pass?
Difficult to see because that setup should work.
But looking closer at the NGINX docs and your need for IPv6 only, it says (my emphasis):
ipv6only=on|off
this parameter (0.7.42) determines (via the IPV6_V6ONLY socket option) whether an IPv6 socket listening on a wildcard address [::] will accept only IPv6 connections or both IPv6 and IPv4 connections. This parameter is turned on by default. It can only be set once on start.
Because the error message complains of 'duplicate listen options', not 'already listening on that port' or similar, it suggests it is complaining about trying to set ipv6only a second time (even to the same value).
Also, it does say This parameter is turned on by default, so you could easily just remove it altogether, if only to try it.
I recently hosted a react app on EC2 with nginx. The react app is running on port 3000.
So I redirected HTTP & HTTPS requests to port 3000 using -
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3000
sudo service netfilter-persistent save
I have added the domain name and certificate details in the conf file in /etc/nginx/sites-available. The conf file is -
server {
listen 443 ssl;
root /var/www/myapp/client/build;
server_name example.com;
index index.html index.htm;
ssl_certificate /etc/ssl/bundle.crt;
ssl_certificate_key /etc/ssl/mykey.key;
location / {
}
}
server {
listen 80;
server_name example.com ip_address;
return 301 https://example.com$request_uri;
}
When I run this -
sudo lsof -i -P -n
I get this-
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 630 systemd-network 19u IPv4 25765 0t0 UDP 172.11.25.109:68
systemd-r 641 systemd-resolve 12u IPv4 15768 0t0 UDP 127.0.0.53:53
systemd-r 641 systemd-resolve 13u IPv4 15769 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 973 root 3u IPv4 19516 0t0 TCP *:22 (LISTEN)
sshd 973 root 4u IPv6 19533 0t0 TCP *:22 (LISTEN)
sshd 1388 root 3u IPv4 21610 0t0 TCP 172.11.25.109:22->95.91.208.58:60491 (ESTABLISHED)
sshd 1523 ubuntu 3u IPv4 21610 0t0 TCP 172.11.25.109:22->95.91.208.58:60491 (ESTABLISHED)
node 1743 root 24u IPv4 23414 0t0 TCP *:3000 (LISTEN)
nginx 1924 root 8u IPv4 25687 0t0 TCP *:443 (LISTEN)
nginx 1924 root 9u IPv4 25688 0t0 TCP *:80 (LISTEN)
nginx 1928 www-data 8u IPv4 25687 0t0 TCP *:443 (LISTEN)
nginx 1928 www-data 9u IPv4 25688 0t0 TCP *:80 (LISTEN)
I am able to see the website on http://example.com but I get an error when I try to go to https://example.com. I get the error -
SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
How can I correctly host the web app on HTTPS?
So I redirected HTTP & HTTPS requests to port 3000 using ...
This is directing IP packets to port 80 and 443 directly to port 3000, which means that nginx will completely be bypassed. Any configuration for nginx is thus irrelevant.
The access to https://example.com will try a TLS handshake on port 443 which is essentially port 3000 (because of the redirect of the IP packets) - but port 3000 does not understand TLS. The server on port 3000 will instead expect plain HTTP and return an HTTP error since the start of the TLS handshake obviously is no valid HTTP request. This error message then will be interpreted as the TLS response which causes this strange error message.
What you need to do instead of the iptables rules is to configure nginx as reverse proxy, see for example here how to do this.
I am trying to configure nginx i m trying to find how listen directive in server block works.
suppose i have this config:
server {
listen 192.168.11.12:80;
}
Does it mean nginx will listen for requests on port 80 which is coming from ip: 192.168.11.22 . or does it mean it will listen on ip 192.168.11.12 and on port 80. I searched for docs but they simply mention how server block works.
The second one, it will listen on that ip and port.
I've installed Redmine on an Ubuntu 13.04 server.
This installation worked fine and I confirmed Redmine was working through the WEBrick server (as per redmine documentation).
To make things more stable I want to run Redmine behind Nginx & Thin.
With this part I run into problems as Nginx reports getting timeouts:
2013/07/19 07:47:32 [error] 1051#0: *10 upstream timed out (110: Connection timed out) while connecting to upstream, .......
Thin Configuration:
---
chdir: /home/redmine/app/redmine
environment: production
address: 127.0.0.1
port: 3000
timeout: 5
log: log/thin.log
pid: tmp/pids/thin.pid
max_conns: 128
max_persistent_conns: 64
require: []
wait: 10
servers: 1
daemonize: true
I can see Thin is running, the pid file is created and a logfile is started.
I see no further additions to the logfile when doing requests.
Nginx configuration:
upstream redmine {
server 127.0.0.1:3000;
}
server {
server_name redmine.my.domain;
listen 443;
ssl on;
ssl_certificate /home/redmine/sites/redmine/certificates/server.crt;
ssl_certificate_key /home/redmine/sites/redmine/certificates/server.key;
access_log /home/redmine/sites/redmine/logs/server.access.nginx.log;
error_log /home/redmine/sites/redmine/logs/server.error.nginx.log;
root /home/redmine/app/redmine;
location / {
try_files $uri #ruby;
}
location #ruby {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_read_timeout 5;
proxy_pass http://redmine;
}
}
I can see additions to the Nginx log.
Can anyone give me a hint on where to find the problem in this?
Current result of iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:3000
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The error is because your firewall "iptables" blocked the port.
Rollback your iptables config, then issue the follow command:
iptables -I INPUT -i lo -p tcp --dport 3123 -j ACCEPT
Remember to save the setting by:
service iptables save
More information about iptables: https://help.ubuntu.com/community/IptablesHowTo
p.s. sudo may be needed for the above commands.