Getting 301 after upgrading http to https - nginx

I am trying to serve a static index.html and want to upgrade HTTP requests to HTTPS. Let's say that the file below is bursan. Weirdly, I have another file pointing to another domain name, siosan, and I managed to get that one working. For bursan, I keep getting 301s.

    server {
        listen 80;
        server_name bursan.co.uk;
        return 301 https://bursan.co.uk$request_uri;
    }
    server {
        listen 443 ssl;
        root /var/www/html/bursan;
        index index.html;
        server_name bursan.co.uk;
        ssl_certificate /etc/nginx/ssl/bursan.crt;
        ssl_certificate_key /etc/nginx/ssl/bursan.key;
        add_header Strict-Transport-Security "max-age=31536000";
        # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        # This is a cache for SSL connections
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 60m;
        location / {
            try_files $uri $uri/ /index.html;
        }
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }

What if you try

    listen 443 ssl default_server;

instead of

    listen 443 ssl;

(don't forget to reload the conf and to test it with incognito window to avoid cache issues)

Related

Only redirect from non-www to www not working, www and non-www both are working on nginx [duplicate]

I have my below nginx config, I'm trying to redirect everything to https://www regardless of what comes in for example http://example.com, http://www.example.com or https://example.com.
I've looked at numerous topics on SO and tried a couple of things but still stumped, I can't ever get https://example.com to redirect to the https://www pattern!?

    server {
        listen 80;
        listen 443 ssl;
        server_name example.com;
        return 301 https://www.example.com$request_uri;
    }
    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        ssl_buffer_size 8k;
        add_header Strict-Transport-Security max-age=31536000;
        root /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Make one server block a default server and give the other server block the one true server_name.

    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        ssl_certificate ...;
        ssl_certificate_key ...;
        return 301 https://www.example.com$request_uri;
    }
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate ...;
        ssl_certificate_key ...;
        ...
    }

The default server for https requires a valid certificate. Assuming you have a wildcard certificate - most of the ssl_ statements could be moved into the outer block and be inherited by both server blocks. For example:

    ssl_certificate ...;
    ssl_certificate_key ...;
    ssl_...;
    server {
        listen 80 default_server;
        listen 443 ssl default_server;
        return 301 https://www.example.com$request_uri;
    }
    server {
        listen 443 ssl;
        server_name www.example.com;
        ...
    }

See this document for more.

Using proxy_pass as an error page in location Nginx

I am configuring Nginx to serve two different locations. The idea is to serve localhost:3000 as the default and, if the page is not found in that location, to try the other location as a fallback. But it is not working. Any help will be appreciated. Thanks

    server {
        listen 80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name server.in;
        ssl_certificate /junk/server.crt;
        ssl_certificate_key /junk/server.key;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        index index.html;
        recursive_error_pages on;
        proxy_intercept_errors on;
        location / {
            proxy_pass http://localhost:3000;
            error_page 404 = @fallback;
        }
        location @fallback {
            proxy_pass http://localhost:9000;
        }
    }

Can't connect to my webserver from within the local network

It works from outside (ipv4).
My nginx configuration has to be messed up, since when I browse for 192.168.xxx.xxx (address of my webserver), I get forwarded to my homepage's DNS. Even if I use "localhost" or "0.0.0.0" in my browser bar on the webserver itself, it doesn't work.
Can anyone tell me how to properly solve this? If I insert anything else than "cooldomain.com", it won't be reachable from the outside, right? But there has to be a solution.
The nginx server is running in a docker container, which is based on the official nginx image.
This is my nginx config file:

    server {
        listen 80;
        listen 443 ssl http2;
        server_name cooldomain.com;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers On;
        ssl_certificate /usr/share/nginx/fullchain.pem;
        ssl_certificate_key /usr/share/nginx/privkey.pem;
        ssl_trusted_certificate /usr/share/nginx/chain.pem;
        ssl_session_cache shared:SSL:128m;
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
        ssl_stapling on;
        ssl_stapling_verify on;
        # Your favorite resolver may be used instead of the Google one below
        # resolver 8.8.8.8;
        # /usr/share/nginx/html;
        # index index.html;
        # charset koi8-r;
        # access_log /var/log/nginx/host.access.log main;
        location / {
            if ($scheme = http) {
                return 301 https://$server_name$request_uri;
            }
            root /usr/share/nginx/html;
            # index index.html index.htm;
            try_files $uri$args $uri$args/ /index.html;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }

Edit:
Output of docker ps:

    faXXXXX nginx "nginx -g 'daemon off" 14 minutes ago, up 14 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp webserver

(this is sadly not a copy paste)
Output of curl -v http://127.0.0.1:

    $ curl -v http://127.0.0.1
    Rebuilt URL to: http://127.0.0.1/
    Trying 127.0.0.1...
    Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
    GET / HTTP/1.1
    Host: 127.0.0.1
    User-Agent: curl/7.47.0
    Accept:
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.13.3
    Date: Wed, 20 Sep 2017 15:46:55 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: https://cooldomain.com/
    Strict-Transport-Security: max-age=31557600; includeSubDomains
    Connection #0 to host 127.0.0.1 left intact

I managed to work around it. I don't know if this is the right way to do it, but it does the job.
I added another server block before my server block, which has the default_server prefix.
If you have a better idea, feel free to write an answer. :)
This is how my config file looks now. Pay attention to the first block:

    server {
        listen 80;
        server_name 127.0.0.1 default_server;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
    server {
        listen 80;
        listen 443 ssl http2;
        server_name cooldomain.com;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers On;
        ssl_certificate /usr/share/nginx/fullchain.pem;
        ssl_certificate_key /usr/share/nginx/privkey.pem;
        ssl_trusted_certificate /usr/share/nginx/chain.pem;
        ssl_session_cache shared:SSL:128m;
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
        ssl_stapling on;
        ssl_stapling_verify on;
        # Your favorite resolver may be used instead of the Google one below
        # resolver 8.8.8.8;
        # /usr/share/nginx/html;
        # index index.html;
        # charset koi8-r;
        # access_log /var/log/nginx/host.access.log main;
        location / {
            if ($scheme = http) {
                return 301 https://$server_name$request_uri;
            }
            root /usr/share/nginx/html;
            # index index.html index.htm;
            try_files $uri$args $uri$args/ /index.html;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
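
One way to lay out the setup from this thread with separate server blocks per port, as an added example that is not part of the original posts. cooldomain.com and the file paths are the question's; the `server_name _` placeholder and the `always` flag are assumptions added here.

```nginx
# Catch-all for port 80: requests by IP address, "localhost", or any Host
# header that no other server block claims. default_server is a parameter
# of the listen directive, not of server_name.
server {
    listen 80 default_server;
    server_name _;   # conventional never-matching placeholder name (assumption)

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }
}

# Plain-HTTP requests for the public name: redirect only. No HSTS header
# here, because browsers ignore HSTS received over http.
server {
    listen 80;
    server_name cooldomain.com;
    return 301 https://cooldomain.com$request_uri;
}

# The TLS site. Having its own server block replaces the
# "if ($scheme = http)" test inside location /.
server {
    listen 443 ssl http2;
    server_name cooldomain.com;

    ssl_protocols TLSv1.2;
    ssl_certificate         /usr/share/nginx/fullchain.pem;
    ssl_certificate_key     /usr/share/nginx/privkey.pem;
    ssl_trusted_certificate /usr/share/nginx/chain.pem;

    # "always" also sends the header on error responses (assumption: nginx >= 1.7.5)
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;

    root /usr/share/nginx/html;
    location / {
        try_files $uri$args $uri$args/ /index.html;
    }
}
```

With this layout the catch-all answers in cleartext to anything that reaches port 80 without the public Host name, so it belongs only where that is acceptable. HTTPS requests by IP address still land on the cooldomain.com block and get a certificate name mismatch.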

How to redirect from http://www.* to https://* in Nginx?

So I am trying to achieve 4 things:

- support both ip-v4 and ip-v6
- support letsencrypt ssl certificates (the acme-challenge location in http)
- redirect www to non www
- redirect http to https

I have come up with a config, but it seems not to work. I get a "page does not exist" when trying to access http://www.MY_DOMAIN.COM.
Due to the hsts setting, this does work after having visited the https non-www version once.
Note that I have ssl certificates for both the with and without www domain.
How can I achieve this / what am I doing wrong in my config:

    # HTTP server
    #
    server {
        listen [::]:80;
        server_name MY_DOMAIN.COM www.MY_DOMAIN.COM;
        location /.well-known/acme-challenge {
            root /var/www/letsencrypt;
            try_files $uri $uri/ =404;
        }
        location / {
            return 301 https://MY_DOMAIN.COM$request_uri;
        }
    }
    # HTTPS server
    #
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.MY_DOMAIN.COM;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.MY_DOMAIN.COM/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
        return 301 https://MY_DOMAIN.COM$request_uri;
    }
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server ipv6only=on;
        server_name MY_DOMAIN.COM;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/MY_DOMAIN.COM/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
        root /var/www/MY_DOMAIN.COM;
        index index.html;
    }

Also, I do not find the copy-paste nature of the two server blocks very nice.

As @RichardSmith notes, I was not listening to the ipv4 version of the http://www variant. Hence, the redirect was not triggered at all.
After fixing this, the setup is working.
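
The fix described above (an IPv4 listener next to the IPv6 one), combined with the shared ssl_ settings suggested in the earlier www-redirect answer, as an added example that is not part of the original posts. Domain names and paths are the question's; the TLS 1.2/1.3 protocol line and the `always` flag are assumptions added here.

```nginx
# These directives sit in the http {} context, e.g. a file under conf.d/.
# TLS settings declared here are inherited by both HTTPS server blocks.
ssl_session_cache   shared:SSL:50m;
ssl_session_timeout 5m;
# Assumption: nginx built against OpenSSL 1.1.1+; TLS 1.0/1.1 are deprecated (RFC 8996).
ssl_protocols       TLSv1.2 TLSv1.3;

# HTTP for both names on both address families. "[::]:80" alone is an
# IPv6-only socket (ipv6only=on is the default), so IPv4 needs "listen 80".
server {
    listen 80;
    listen [::]:80;
    server_name MY_DOMAIN.COM www.MY_DOMAIN.COM;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }
    location / {
        return 301 https://MY_DOMAIN.COM$request_uri;
    }
}

# HTTPS www: complete the handshake with the www certificate, then redirect.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.MY_DOMAIN.COM;
    ssl_certificate     /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.MY_DOMAIN.COM/privkey.pem;
    return 301 https://MY_DOMAIN.COM$request_uri;
}

# HTTPS canonical site, also the default for unmatched names on 443.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name MY_DOMAIN.COM;
    ssl_certificate     /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY_DOMAIN.COM/privkey.pem;
    add_header Strict-Transport-Security "max-age=86400; includeSubDomains" always;
    root  /var/www/MY_DOMAIN.COM;
    index index.html;
}
```

Only the certificate pair and the per-host behaviour remain in each HTTPS block, which removes most of the duplication the question mentions.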

Nginx redirect from http to https is stuck

I'm deploying a Rails application on a personal server using Nginx and phusion_passenger. I have a site configuration file with the following server blocks. With this configuration my https://192.168.1.121 service works but my connection doesn't redirect from http://192.168.1.121. What am I doing wrong? I really appreciate any help, please.

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        # Make site accessible from http://localhost/
        #server_name 192.168.1.121;
        server_name mydomain.com www.mydomain.com
        return 301 https://$server_name$request_uri;
    }
    server {
        # Make site accessible from http://localhost/
        listen 443 ssl default;
        #server_name 192.168.1.121;
        server_name mydomain.com www.mydomain.com
        # Certificate details
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;
        passenger_enabled on;
        rails_env production;
        root /home/deploy/www/myapplication/current/public;
        index index.html index.htm;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

A semicolon is missing at the end of the server_name variable for http as well as https:

    server_name mydomain.com www.mydomain.com;
