I am trying to create my private WebDAV server using nginx.
I set up the server to require a client certificate.
When visiting the site with the browser, the client certificate is requested.
However, when I added a Windows network location pointing to my server, it worked out of the box. It did not ask me for anything; it just connected.
Obviously I do not want unverified access to my WebDAV.
What went wrong, and how do I set this up correctly?
My config:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl on;   # redundant with "listen ... ssl"; deprecated since nginx 1.15.0
    server_name XXX;

    ssl_certificate     /etc/letsencrypt/live/XXX/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;

    # client-certificate authentication: only certificates chaining to ca.crt are accepted
    ssl_client_certificate /etc/nginx/ca/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    access_log /var/log/nginx/XXX.access;
    error_log  /var/log/nginx/XXX.error;

    location /data {
        # WebDAV
        alias /media/webdav;
        autoindex on;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;   # needs the nginx-dav-ext module
        dav_access user:rw group:r all:r;
        client_body_temp_path /tmp/nginx/client-bodies;
        client_max_body_size 0;
        create_full_put_path on;
    }

    location / {
        return 404;
    }
}
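An added example, not the poster's configuration: the same vhost with the client-certificate outcome logged for every request, so the access log shows what the Windows client actually presented, plus a plain-HTTP catch-all so that nothing on port 80 can answer a client that was pointed at http:// instead of https://. The `log_format` name, the port-80 block and the TLS version list are assumptions; the certificate paths, CA file and WebDAV location are the ones in the question.

```nginx
# Added example, not the original poster's configuration. Goes inside http { }.

# Log the TLS client-verification result and the client certificate's subject.
# $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE" (nothing sent).
# With ssl_verify_client on, nginx completes the handshake and then answers
# every request whose certificate is missing or does not verify with
# "400 No required SSL certificate was sent" / "400 The SSL certificate error",
# so those requests still appear here, with status 400 and verify != SUCCESS.
log_format clientcert '$remote_addr - [$time_local] "$request" $status '
                      'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                      'proto=$ssl_protocol ua="$http_user_agent"';

# Assumed: nothing serves plain HTTP for this host. 444 closes the connection
# without a response, so a client using http:// gets no share at all.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name XXX;             # hostname placeholder as in the question

    ssl_certificate     /etc/letsencrypt/live/XXX/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Server-wide requirement: a certificate chaining to ca.crt, at most
    # two intermediates deep.
    ssl_client_certificate /etc/nginx/ca/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    access_log /var/log/nginx/XXX.access clientcert;
    error_log  /var/log/nginx/XXX.error;

    location /data {
        alias /media/webdav;
        autoindex on;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        dav_access user:rw group:r all:r;
        client_body_temp_path /tmp/nginx/client-bodies;
        client_max_body_size 0;
        create_full_put_path on;
    }

    location / {
        return 404;
    }
}
```

Then add the network location again while tailing the access log. A line with `verify=SUCCESS dn="CN=..."` means the Windows client did send a certificate chaining to `ca.crt` and the DN tells you which one; a `400` with `verify=NONE` means it sent nothing and was rejected as intended; no line at all on this vhost means the client never reached it over HTTPS, and the port-80 catch-all is what it talked to.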
I'm trying to establish an SSL connection, and I'm getting a "400 No required SSL certificate was sent" response from the server.
I used this tutorial for it.
I tried everything to solve this issue, but it seems that there is something wrong with the Cloudflare certificate, because when I disable ssl_verify_client it is working (with a security alert).
Here is my nginx configuration:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate     /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    # only clients presenting a certificate issued by the CA in cloudflare.crt are accepted
    ssl_client_certificate /etc/ssl/cloudflare.crt;
    ssl_verify_client on;

    server_name example.com www.example.com;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /home/username/www/exampleproject;
    }

    location /media/ {
        root /home/username/www/exampleproject;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/username/www/exampleproject/exampleproject.sock;
    }
}
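An added example, not from the question or the tutorial it links, of how to find out why the certificate is being rejected instead of getting a bare 400 for everything: request the certificate with `ssl_verify_client optional_no_ca`, which lets the request through to HTTP, and enforce the result yourself from `$ssl_client_verify`, which then carries the failure reason into the log. The `log_format` and `map` names are assumptions; the certificate paths, CA file and locations are the posted ones.

```nginx
# Added example, not the poster's configuration. Goes inside http { }.

# With "on", an unverifiable or missing certificate never reaches a log line
# you can reason about. "optional" still answers 400 when a certificate is
# sent but fails to verify; only "optional_no_ca" lets such a request through
# so that $ssl_client_verify can be logged as FAILED:<reason>.
log_format originpull '$remote_addr [$time_local] "$request" $status '
                      'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                      'issuer="$ssl_client_i_dn"';

# Assumed name. 1 only when the chain to cloudflare.crt verified.
map $ssl_client_verify $client_ok {
    SUCCESS 1;
    default 0;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    ssl_client_certificate /etc/ssl/cloudflare.crt;
    ssl_verify_client optional_no_ca;   # while diagnosing; "on" once the log shows SUCCESS

    access_log /var/log/nginx/originpull.log originpull;

    # Enforcement moves here: anything that did not verify is refused with 403
    # after the line above has been written. Never run optional_no_ca without it.
    if ($client_ok = 0) {
        return 403;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ { root /home/username/www/exampleproject; }
    location /media/  { root /home/username/www/exampleproject; }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/username/www/exampleproject/exampleproject.sock;
    }
}
```

Reading the log: `verify=NONE` means no client certificate arrived at all, which for Cloudflare means Authenticated Origin Pulls is not enabled for the zone (the edge only presents its origin-pull certificate when it is); `verify=FAILED:unable to get local issuer certificate` means a certificate arrived but does not chain to whatever is in `cloudflare.crt`, so check that the file is the origin-pull CA and not the origin server certificate; `SUCCESS` with Cloudflare's DN means the setup works and `ssl_verify_client on` can go back in, at which point the `map` and `if` are redundant.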
http {
    server {
        listen 4443 ssl;
        server_name {{hostname}};
        port_in_redirect off;
        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            # https://stackoverflow.com/questions/32845674/setup-nginx-not-to-crash-if-host-in-upstream-is-not-found/32846603#32846603
            resolver 127.0.0.1 valid=30s;
            proxy_pass http://app1:8080;
        }
    }

    server {
        listen 4444 ssl;
        server_name X.{{hostname}};
        port_in_redirect off;
        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        location / {
            resolver 127.0.0.1 valid=30s;
            # the matched prefix "/" is replaced by "/my/path/" in the upstream URI
            proxy_pass http://app1:8080/my/path/;
        }
    }
}

# http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
# https://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname/40135151#40135151
stream {
    upstream app1 {
        server 127.0.0.1:4443;
    }

    server {
        listen 0.0.0.0:443;
        proxy_connect_timeout 10s;
        proxy_timeout 5m;
        proxy_pass $target;   # $target is not defined anywhere in the posted config
        ssl_preread on;
    }

    access_log /var/log/nginx/access.log basic;   # "basic" log_format not shown in the post
    error_log  /var/log/nginx/error.log error;
}
This is my nginx configuration.
This is part of a docker-compose setup. I proxy requests sent to https://hostname to the app1 container successfully.
Now my goal is to send requests sent to https://X.hostname to the app1 container, but to a different path.
For example:
Client sends a request to https://A.hostname
nginx forwards it to https://app1/my/path/
However, the path is not being preserved; it's just forwarding it to https://app1.
I tried many different solutions available online, and none worked.
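An added example, not the poster's configuration, of the piece the posted `stream` block is missing: a `map` on the SNI name read by `ssl_preread` that defines `$target` and sends `X.{{hostname}}` to the second vhost on 4444. Only with that in place does the `location / { proxy_pass http://app1:8080/my/path/; }` block on 4444 ever see a request. The map, its default and the closed port used for it are assumptions; the listen address, ports and timeouts are the posted ones, and `{{hostname}}` is left as the post's template placeholder.

```nginx
# Added example, not the poster's configuration. Replaces the posted stream { } block.
stream {
    # Route on the SNI value from the ClientHello. SNI is sent in the clear
    # and chosen by the client, so this is routing, not authentication: each
    # vhost still has to serve only what its own server_name should expose.
    map $ssl_preread_server_name $target {
        {{hostname}}       127.0.0.1:4443;   # http{} vhost for the bare hostname
        X.{{hostname}}     127.0.0.1:4444;   # http{} vhost that rewrites to /my/path/
        default            127.0.0.1:1;      # assumed closed port: unknown or missing SNI is refused
    }

    server {
        listen 0.0.0.0:443;
        proxy_connect_timeout 10s;
        proxy_timeout 5m;
        ssl_preread on;
        proxy_pass $target;
    }
}
```

Once requests for `X.{{hostname}}` actually land on 4444, the existing `proxy_pass http://app1:8080/my/path/;` inside `location /` does what the post expects: nginx replaces the matched prefix `/` with `/my/path/`, so `https://X.hostname/foo?x=1` is forwarded as `http://app1:8080/my/path/foo?x=1`. The explicit `default` matters because with only one `upstream app1` pointing at 4443, as in the posted block, every SNI ends up on the first vhost.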
I have the nginx config below. I'm trying to redirect
https://example.com
to
https://www.example.com
But when I enter
https://example.com
in the browser, I don't see the redirect. Any idea?
server {
    listen 443;
    server_name example.com;
    ssl on;   # enables TLS on the plain "listen 443"; deprecated since nginx 1.15.0 in favour of "listen 443 ssl"
    ssl_certificate     /etc/nginx/conf.d/mynginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/mynginx.key;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443;
    server_name www.example.com;
    ssl on;
    ssl_certificate     /etc/nginx/conf.d/mynginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/mynginx.key;

    location /media {
        alias /media;    # your Django project media files - amend as required
    }
    location /static {
        alias /static;   # your Django project static files - amend as required
    }
    location / {
        proxy_pass http://web/;
    }
}
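An added example, not the poster's configuration: the same two vhosts written with `listen 443 ssl` (the form that replaces the deprecated `ssl on`) and with an explicit default server, so that a request carrying a name nginx does not know is closed rather than handed to whichever `server` block happens to come first for the port. The `default_server` block is an assumption; certificate paths, names and locations are the posted ones.

```nginx
# Added example, not the poster's configuration.

# Assumed catch-all. Without one, the first server{} for port 443 in the
# config (here: the redirect block) silently serves every unmatched
# Host/SNI, which makes "is my redirect block even selected" hard to tell.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/conf.d/mynginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/mynginx.key;
    return 444;   # close without a response
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/conf.d/mynginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/mynginx.key;
    # Fixed target on purpose: redirecting to $host would let the request's
    # Host header pick the destination.
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/conf.d/mynginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/mynginx.key;

    location /media  { alias /media; }
    location /static { alias /static; }
    location / {
        proxy_pass http://web/;
    }
}
```

Test from the command line rather than the browser, which caches 301 responses: `curl -sSI https://example.com/` (add `-k` if `mynginx.crt` is self-signed) should print `HTTP/1.1 301` and `Location: https://www.example.com/`. If it does, nginx is redirecting and what the browser shows comes from somewhere else, such as a cached earlier response or a certificate error displayed before the redirect.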
I'm trying to implement this suggestion to make my nginx service start even if the upstream service isn't there: https://sandro-keil.de/blog/let-nginx-start-if-upstream-host-is-unavailable-or-down/
I've removed other locations for simplicity.
gitea is the name of the service on the stack I am proxying to.
So with this configuration everything works OK:
server {
    # resolver 127.0.0.11 valid=30s; ## internal docker dns
    #listen [::]:3011 default ipv6only=on; ## listen for ipv6
    listen 80;
    client_header_timeout 120s;
    client_body_timeout 120s;
    client_max_body_size 200m;
    # save logs here
    server_name sigyl.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns
    #listen [::]:3011 default ipv6only=on; ## listen for ipv6
    # listen 444
    listen 443 ssl;

    # this should allow large docs
    client_header_timeout 120s;
    client_body_timeout 120s;
    client_max_body_size 0;

    ssl_certificate     /etc/letsencrypt/live/sigyl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sigyl.com/privkey.pem;

    # save logs here
    #access_log /var/log/nginx/access.log compression;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.1 TLSv1.2;   # TLSv1.1 is deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is current practice
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
    chunked_transfer_encoding on;

    server_name sigyl.com;

    location /git/ {
        # static hostname: resolved once at startup, so nginx fails to start if gitea is down
        proxy_pass http://gitea:3000/;
    }
}
however, if I set a variable like this:
    .....
    location /git/ {
        set $upstream http://gitea:3000/;
        proxy_pass $upstream;
    }
}
all the requests just return the root URL,
i.e.
https://example.com/git/vendor/plugins/jquery.areyousure/jquery.are-you-sure.js
just returns what's at https://example.com/git/
How can I fix this?
Sam's comment here explains the problem:
https://serverfault.com/questions/240476/how-to-force-nginx-to-resolve-dns-of-a-dynamic-hostname-everytime-when-doing-p/973311#comment1306507_593003
so I ended up with:
location ~ /git/(.*) {
    resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns
    set $upstream http://gitea:3000/$1$is_args$args;
    proxy_pass $upstream;
}
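An added example, not the poster's final configuration or Sam's, of the same location done with `rewrite ... break` instead of a regex capture. It rests on nginx's rule for `proxy_pass` with variables: if the variable contains a URI part, that URI is sent to the backend verbatim, replacing the request URI (which is why `http://gitea:3000/` sent `/` for every request); if it contains no URI part, the current request URI is sent, and nginx escapes it. The `proxy_set_header` lines are assumptions; hostnames, resolver and certificate paths are the posted ones.

```nginx
# Added example, not the poster's configuration.
server {
    listen 443 ssl;
    server_name sigyl.com;
    ssl_certificate     /etc/letsencrypt/live/sigyl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sigyl.com/privkey.pem;

    # Docker's embedded DNS. Because the upstream host sits in a variable,
    # it is resolved at request time (cached 30s), so nginx starts and
    # keeps running while the gitea container is absent.
    resolver 127.0.0.11 ipv6=off valid=30s;

    location /git/ {
        # No URI part in the variable: nginx then forwards the request URI
        # as it stands after rewriting, and re-escapes it.
        set $upstream http://gitea:3000;

        # Drop the /git prefix; "break" stops rewrite processing here and
        # keeps the request in this location. Query arguments are appended
        # automatically.
        rewrite ^/git/(.*)$ /$1 break;

        proxy_pass $upstream;

        # Assumed, but what Gitea needs to build correct links and log real client addresses.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The difference from the `location ~ /git/(.*)` version is in escaping: a regex location matches against the already-decoded URI, so `$1` for a request to `/git/a%20b` is `a b`, and because it is embedded in a variable with a URI part it is sent to Gitea exactly as built, as `/a b` in the request line. With the rewrite form the forwarded URI is `/a%20b`. Both forms give Gitea `/vendor/plugins/...` for the request from the question; only the rewrite form also survives paths with encoded characters.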
There is lots of material about using nginx as a reverse proxy, and it is working well for me as a basic proxy for a strange web server app I need to use. I even have a redirect on so HTTP gets redirected to HTTPS.
server {
    listen 80;
    server_name <my server>;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name <my server>;

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";

    ssl on;   # redundant with "listen 443 ssl"; deprecated since nginx 1.15.0
    ssl_certificate     cert1.crt.pem;
    ssl_certificate_key cert1.key.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://localhost:81;   # my existing apache instance
        proxy_set_header Host $host;
    }
}
Now I have one new wrinkle. I'd like to pick off one particular path and NOT have it forwarded to the main server app. I need to do this to add in some Let's Encrypt challenge responses. Whenever the incoming URL is http:///.well-known/acme-challenge/ I want to use a static nginx path and NOT forward to the main server.
Any ideas? I tried adding in a location directory, but that wasn't working.
server {
    listen 80;
    server_name video.maritimeopscorp.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name video.maritimeopscorp.com;

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";

    ssl on;   # redundant with "listen 443 ssl"; deprecated since nginx 1.15.0
    ssl_certificate     cert1.crt.pem;
    ssl_certificate_key cert1.key.pem;
    ssl_session_cache shared:SSL:10m;

    location ~ /.well-known {
        <I've tried lots of combinations here.>
    }

    location / {
        proxy_pass http://localhost:81;   # my existing apache instance
        proxy_set_header Host $host;
    }
}
I'd also prefer to get this up into the 80 block rather than the 443 block but little steps first.
Any ideas?
You will need to use a root directive, to inform nginx where the .well-known directory can be found:
server {
    listen 80;
    server_name video.maritimeopscorp.com;

    location / {
        return 301 https://$server_name$request_uri;
    }

    location /.well-known {
        root /path/to/enclosing/directory;
    }
}
Enclose the return statement inside the default location block, otherwise it will always take precedence.
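An added example, not the poster's or the answerer's configuration, putting the answer into both server blocks the way an ACME webroot setup is usually run: the challenge location is narrowed to `/.well-known/acme-challenge/`, marked `^~` so no regex location can take the request back, and given a `root` under which the ACME client writes its files. The webroot `/var/www/letsencrypt` is an assumption (it is whatever you pass to the client, e.g. `certbot certonly --webroot -w /var/www/letsencrypt`); hostnames, certificate paths and the proxy target are the posted ones.

```nginx
# Added example, not the poster's configuration.
# The ACME client writes challenge files under
# /var/www/letsencrypt/.well-known/acme-challenge/<token>   (assumed webroot)
server {
    listen 80;
    server_name video.maritimeopscorp.com;

    # "^~": once this prefix matches, regex locations are not consulted, and
    # a plain "location /" never wins over a longer prefix anyway. Only the
    # ACME path is served statically, not everything under /.well-known.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # "root" appends the full URI to the path; "alias" would not
        default_type "text/plain";   # token files have no extension
        try_files $uri =404;         # a missing token is a 404 here, never a proxied request
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name video.maritimeopscorp.com;

    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate     cert1.crt.pem;
    ssl_certificate_key cert1.key.pem;
    ssl_session_cache shared:SSL:10m;

    # Same static location on 443, so a validation request that arrives
    # over HTTPS (after following the redirect) is answered identically.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_pass http://localhost:81;   # existing apache instance
        proxy_set_header Host $host;
    }
}
```

To check the routing before running the ACME client, create a file under the webroot, e.g. `/var/www/letsencrypt/.well-known/acme-challenge/test`, and fetch `http://video.maritimeopscorp.com/.well-known/acme-challenge/test`: you should get its contents with a 200 from nginx, while `http://video.maritimeopscorp.com/anything-else` should still return the 301. Remove the test file afterwards; nothing else under that directory needs to exist between renewals.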