http to https redirection on nginx - nginx

I have a website running on EC2 machine behind an Amazon ELB.
I have configured SSL on ELB hence its handling http as well as https for me.
All requests over https work perfectly, but I want to force (redirect) http requests to https. For some reason, it does not work.
I have added a redirect rule in nginx, but whenever I enable that rule the nginx server stops responding.
server {
    listen 80;
    server_name domain1.com;

    gzip on;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css application/x-javascript;
    gzip_vary on;

    access_log /var/log/nginx/domain1.access.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4000/;

        ### Redirect http to https ####
        # The ELB terminates TLS and talks plain HTTP to this port for every
        # client, so the only trace of the client's scheme is the
        # X-Forwarded-Proto header the ELB adds. Any request that lacks it or
        # carries "http" (the ELB's own HTTP health check included) gets a 301.
        if ($http_x_forwarded_proto != "https") {
            rewrite ^(.*)$ https://$server_name$1 permanent;
        }

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
    }
}
Here is the configuration of Load Balancer:
Please help me where I am going wrong with the configuration.
TIA.

Try the following:
server {
    listen 80;
    listen [::]:80;
    server_name domain1.com;
    # $host comes from the request's Host header (falling back to server_name);
    # $request_uri keeps the original path and query string.
    return 301 https://$host$request_uri;
}
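The answer above is the standard redirect for a server that terminates TLS itself. Behind an ELB that terminates TLS it needs one more ingredient, shown in this added example (not code from the question or the answer): the ELB forwards both http:// and https:// client traffic to port 80 as plain HTTP, so a blanket 301 on port 80 loops for https clients, and the ELB's own health check, a direct HTTP request carrying no X-Forwarded-* headers, receives a 301 instead of a 200 and takes the instance out of service. The client's real scheme is only in X-Forwarded-Proto, which the ELB sets on proxied requests. The backend port (4000) and hostname (domain1.com) are the question's; the health-check path /health is an assumption, use whatever the ELB is configured to probe.

```nginx
# Added example: port-80 server for an EC2 instance behind a TLS-terminating
# ELB. /health is an assumed health-check path.

# map lives in the http context: 1 = redirect, 0 = client already on TLS at the ELB.
map $http_x_forwarded_proto $redirect_to_https {
    default  1;   # header absent (direct request) or "http"
    "https"  0;
}

server {
    listen 80;
    listen [::]:80;
    server_name domain1.com;

    access_log /var/log/nginx/domain1.access.log;

    # The ELB probes this over plain HTTP and expects 200, so it must stay
    # outside the redirect. That is why the redirect sits inside "location /"
    # rather than at server level: a server-level "if" runs before location
    # matching and would catch the probe as well.
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 'ok';
    }

    location / {
        # Literal hostname, not $host: never echo a client-supplied Host
        # header into a redirect target.
        if ($redirect_to_https) {
            return 301 https://domain1.com$request_uri;
        }

        proxy_pass http://127.0.0.1:4000/;
        proxy_set_header Host              $http_host;
        # $remote_addr is the ELB's address here; use the real_ip module
        # (set_real_ip_from / real_ip_header X-Forwarded-For) if the app
        # needs the client IP.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        # Only https clients get past the "if", so the header is meaningful;
        # "always" also attaches it to error responses.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
```

The header test is only trustworthy if the instance's security group admits port 80 from the ELB alone; a client that can reach the instance directly can send "X-Forwarded-Proto: https" itself and skip the redirect. To check the behaviour from inside the VPC, send the instance one request with "X-Forwarded-Proto: http" (expect 301 to https://domain1.com/...) and one with "X-Forwarded-Proto: https" (expect the proxied 200), and confirm the health-check path returns 200 with no header at all, after `nginx -t` passes.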

I propose this configuration. Tested on my VPS, but not on Amazon ELB.
server {
    server_name example.com www.example.com;
    listen 80;
    # Plain http on either name goes straight to the canonical https host.
    return 301 https://example.com$request_uri;
}

server {
    server_name example.com;
    root /home/user/www/example/;
    include global.conf;
    include php.conf;
    include ssl.conf;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

# https://www.example.com needs its own certificate to complete the TLS
# handshake before it can redirect to the apex.
server{
    server_name www.example.com;
    include ssl.conf;
    return 301 https://example.com$request_uri;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
}
The file ssl.conf contains:
listen 443 ssl http2;
listen [::]:443 ssl http2;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); current deployments list only TLSv1.2 TLSv1.3.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# The cipher list is cut off in the original post.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AES$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# ssl_stapling_verify checks the OCSP response against ssl_trusted_certificate
# (Let's Encrypt's chain.pem); without that directive the response may fail
# verification and no staple is sent.
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Related

NGINX Too Many Redirects

I'm doing a proxy server with NGINX to redirect all traffic from port 80 to port 443 and then all traffic from port 443 to an app on one of my servers. I managed to make it work, but only when redirecting to my main IP 192.168.1.201:8006. When I try to point to my app (192.168.1.201:8006/customerSite/) the page gives me the error TOO MANY REDIRECTS.
Here is my .conf:
server {
    listen 80;
    listen [::]:80;
    # Every plain-http request is sent to the same host and path over https.
    return 301 https://$host$request_uri;
}
This is my ssl.conf:
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;".
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain.com;
    ssl_certificate /.../certificate.crt;
    ssl_certificate_key /.../clientsmydomain.key;
    large_client_header_buffers 4 10k;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # Was "ssl protocols": without the underscore nginx refuses to start
    # with "unknown directive".
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /.../certificate.crt;

    location / {
        proxy_set_header Host $host;
        # Note: the question text names port 8006; the config says 8060.
        proxy_pass http://192.168.1.201:8060;
    }

    location /weights {
        root /var/www/virtual/server;
        # Variables are case-sensitive ($URI is undefined) and "=404" takes no space.
        try_files $uri $uri/ =404;
    }
}
Thank you all for your time.

Redirect nginx to wordpress docker container

I have an nginx web server on the host of my VPS, with a simple HTML site at the main root (example: domain.com).
I want to redirect an endpoint of this web server to a Docker container running WordPress on port 8080.
The endpoint must be /blog.
I have this configuration in the nginx virtual host (including the redirect to port 443):
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    root /var/www/http/domain.com/public;
    index index.html index.htm index.nginx-debian.html;
    server_name domain.com www.domain.com;

    #headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    #ssl
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/private/domain.com.crt;
    ssl_certificate_key /etc/ssl/private/domain.com.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    location /blog {
        include /etc/nginx/mime.types;
        #proxy
        proxy_pass http://localhost:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # No X-Forwarded-Proto is passed, so WordPress sees plain http from the proxy.
    }
}

# Same names on the same port as the block above: nginx keeps the first
# definition and logs "conflicting server name ... ignored" for this one.
# Even if it were active, the return would send https://domain.com back to itself.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;
    return 301 $scheme://$server_name$request_uri;
}

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    # This location is never reached: a server-level "return" runs in the
    # rewrite phase before location matching, so /blog is redirected as well.
    location /blog {
        include /etc/nginx/mime.types;
        proxy_pass http://localhost:8080;
    }
    return 301 https://$server_name$request_uri;
}
It doesn't work.
I tried to set up another virtual host named blog.domain.com, but some features such as wp-login and wp-admin don't work (nor do the CSS, JavaScript, or the SSL certificate).
Thank you.
Use the command docker inspect container_id on the WordPress container to get the container's IP address, then:
proxy_pass http://ipaddress_of_container_ID:8080;
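A container IP obtained from docker inspect changes whenever the container is recreated, and a port published on 0.0.0.0 leaves WordPress reachable over plain http around nginx. The following is an added example, not code from the question or the answer, of the /blog set-up with one TLS server block. It assumes the container's port is published on the loopback interface only (docker run -p 127.0.0.1:8080:80 ...) and that WordPress inside the container has WP_HOME and WP_SITEURL set to https://domain.com/blog, so it serves that path and builds https links. Certificate paths and the document root are the question's; the TLS settings are trimmed to what the example needs.

```nginx
# Added example: static site at / and a WordPress container behind /blog/.
# Assumes the container is published on 127.0.0.1:8080 and configured with
# WP_HOME/WP_SITEURL = https://domain.com/blog.

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;
    # Literal hostname: a redirect built from $host reflects whatever Host
    # header the client sent if this block is ever reached as the default.
    return 301 https://domain.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com www.domain.com;

    ssl_certificate     /etc/ssl/private/domain.com.crt;
    ssl_certificate_key /etc/ssl/private/domain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/http/domain.com/public;
    index index.html index.htm;

    # Exactly one 443 server block for these names. A second block with the
    # same server_name on the same port is ignored with a "conflicting server
    # name" warning, and a "return 301 $scheme://$server_name..." in it
    # would only send https://domain.com/ back to itself.

    # /blog -> /blog/ so relative links inside WordPress resolve under the prefix.
    location = /blog {
        return 301 /blog/;
    }

    location /blog/ {
        # No URI part on proxy_pass: /blog/wp-admin/ reaches the container
        # unchanged, matching the WP_SITEURL assumed above.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        # Without this WordPress sees plain http from the proxy, emits
        # http:// asset links (mixed content) and bounces wp-login/wp-admin
        # between schemes. This block only listens on TLS, so the value is fixed.
        proxy_set_header X-Forwarded-Proto https;

        # WordPress builds absolute URLs from WP_HOME, so there is nothing
        # for nginx to rewrite in Location headers.
        proxy_redirect off;

        # Media uploads go through this proxy; nginx's default is 1m.
        client_max_body_size 64m;
    }
}
```

WordPress only acts on X-Forwarded-Proto if wp-config.php sets $_SERVER['HTTPS'] = 'on' when HTTP_X_FORWARDED_PROTO equals https (the standard reverse-proxy snippet from the WordPress documentation); without that line the header above changes nothing and the wp-admin scheme bouncing persists.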

nginx handling redirects and rewrites of http and non-www urls

I've seen many ways of dealing with redirecting http://example.com or example.com (with or without www.) or https://example.com to https://www.example.com.
The way I use is in this nginx configuration:
error_log /dev/stdout info;

upstream django_server {
    server app:8001 fail_timeout=0;
}

# Everything addressed to the bare domain, http or https, goes to https://www.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/certificate.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    return 301 https://www.example.com$request_uri;
}

# http://www -> https://www (browsers ignore HSTS on a plain-http response).
server {
    listen 80;
    server_name www.example.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    return 301 https://www.example.com$request_uri;
}

server {
    # default_server: any unknown SNI/Host on 443 lands here and is served as www.
    listen 443 default_server ssl;
    server_name www.example.com;
    client_max_body_size 4G;
    charset utf-8;
    keepalive_timeout 70;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    gzip on;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6]\.";
    gzip_min_length 256;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/javascript application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss;
    gzip_comp_level 9;

    ssl_certificate /etc/nginx/ssl/certificate.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location /static/ {
        root /usr/share/nginx/sasite/;
        expires 30d;
        autoindex off;

        location /static/download/ {
            # The named capture keeps only the file name. The original used
            # $request_filename, which put the full on-disk path into the header.
            location ~* /(?<fname>[^/]+\.(pdf|docx|zip|rar))$ {
                add_header Content-Disposition 'attachment; filename="$fname"';
                # add_header is not inherited once a location sets its own, so
                # HSTS has to be repeated here or these responses go without it.
                add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
            }
        }
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        # Legacy "if" pattern: serve an existing file from root, otherwise proxy.
        # "try_files $uri @django;" with a named location is the idiomatic form.
        if (!-f $request_filename) {
            proxy_pass http://django_server;
            break;
        }
    }
}
But I have also seen versions where multiple server_name values are set like so:
server {
    listen 80;
    server_name example.com www.example.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 default_server ssl;
    # Both names are served from one block: https://example.com is not
    # redirected to www here, it simply gets the same content.
    server_name example.com www.example.com;
    client_max_body_size 4G;
    charset utf-8;
    keepalive_timeout 70;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_certificate /etc/nginx/ssl/certificate.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
I've seen other ways to do it as well that did not seem as effective. What is the actual ideal approach to handling this scenario? My current configuration works, but I'd like to learn the best practices.
It comes down to preference. Do you want your users to always see (or always not see) the "www." portion? If so, use the redirect method. If you don't care whether they see it or not, use multiple server_name/server_alias entries.
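One detail that is not a matter of preference: in both variants in the question a named vhost carries default_server on 443, so any hostname a client sends in SNI or the Host header is answered by that block, and on port 80 the first server block defined becomes the default. The following added example (not the question's or the answer's configuration) shows the redirect variant with a dedicated catch-all per port, so the canonical site only ever answers for its own names and every redirect target is a literal hostname. The certificate paths and the django_server upstream are the question's; the catch-all's self-signed certificate path is an assumption.

```nginx
# Added example: www-canonical redirect layout with explicit catch-alls.
# /etc/nginx/ssl/fallback-selfsigned.* is an assumed throw-away certificate.

upstream django_server {
    server app:8001 fail_timeout=0;
}

# Catch-all on port 80: anything that is not one of our names is dropped.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without a response
}

# Catch-all on port 443. The default server still has to present a
# certificate to finish the handshake for names it does not know, so a
# self-signed one is used; it never matches a real hostname.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/fallback-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/fallback-selfsigned.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    return 444;
}

# Every non-canonical way to reach the site, http on either name ...
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# ... and https on the bare apex.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/certificate.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # HSTS on the apex too, so a later http://example.com visit is upgraded
    # by the browser before the redirect is even requested.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    return 301 https://www.example.com$request_uri;
}

# The canonical site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/certificate.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://django_server;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats on the HSTS value carried over from the question: includeSubDomains commits every subdomain (mail, staging, internal tools) to https for max-age, and preload is only meaningful if the domain is then submitted to the browser preload list, after which it cannot be quickly withdrawn. Keep both only if that is the intent.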

letsencrypt nginx reverse proxy

I am using a CentOS 6 Linux VPS and I have installed nginx on my server. I have installed a Let's Encrypt SSL certificate. But the thing is that when I go to my website www.mywebsite.com it shows SECURE, but when I go to www.mywebsite.com/otherpages it shows Insecure and the Let's Encrypt certificate as invalid.
The configuration of "/etc/nginx/conf.d/default.conf"
server {
    listen 80 default_server;
    # listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}   # closing brace missing from the post
the configuration of /etc/nginx/sites-available/quiznou.com.conf
server {
    listen 80 ;
    server_name quiznou.com www.quiznou.com;
    # $server_name is the first name in the list, so www.quiznou.com is
    # redirected to https://quiznou.com, not to https://www.quiznou.com.
    return 301 https://$server_name$request_uri;
}

server{
    listen 443 ssl http2;   # "ssl" here makes the deprecated "ssl on;" redundant
    server_name quiznou.com www.quiznou.com;
    ssl_certificate /etc/letsencrypt/live/quiznou.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quiznou.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        # An unconditional "Connection: upgrade" suits WebSocket endpoints;
        # for ordinary requests the usual pattern maps it from $http_upgrade.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Let's Encrypt challenge files. The original had "location ~ /.well-known"
    # (a regex, which wins over a plain prefix) next to this prefix location,
    # so the root below was never applied; "^~" makes the prefix match final
    # and the separate regex location is dropped.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/quiznou.com;
    }
}
This is my own NGINX configuration as a reverse proxy, but I'm using it to proxy some Docker containers. I modified /etc/nginx/default.conf directly; to proxy an Apache web page I created a vhost in nginx.
I hope it helps.
server {
    listen 80;
    listen 443 ssl;
    server_name some.name.com;
    server_tokens off;   # hide the nginx version in headers and error pages

    ## Certificates
    ssl_certificate /etc/letsencrypt/live/some.name.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/some.name.com/privkey.pem;
    # chain.pem lets ssl_stapling_verify check the OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/some.name.com/chain.pem;

    # One block on both ports: plain-http requests are bounced to https here.
    if ($scheme = http){
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_pass http://IP_du_serveur:port;   # placeholder: backend address and port
    }

    ## Protocol
    ssl_protocols TLSv1.2;
    ## Diffie-Hellman
    ssl_ecdh_curve secp384r1;
    ## Ciphers
    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
    ssl_prefer_server_ciphers on;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ## TLS parameters
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ## HSTS
    add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
}

Nginx ssl connection

I am trying to serve a secure site using an nginx SSL connection. I am not able to load third-party http CSS and JS files. It gives this error:
This request has been blocked; the content must be served over HTTPS.
Here is my nginx conf:
server {
    listen 443 ssl;
    server_name api-test.vendorver.com;
    ssl_certificate /etc/nginx/ssl/vv_key/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/vv_key/vendorver.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        # 0.0.0.0 is not a destination address; on Linux it happens to reach
        # the local host, 127.0.0.1 is what is meant.
        proxy_pass http://0.0.0.0:8000;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect off;
    }

    #if ($host !~* ^(vendorver.com|www.vendorver.com)$ ) {
    #    return 444;
    #}

    location /static/ {
        # autoindex on publishes a browsable listing of everything under static/.
        autoindex on;
        alias /home/ec2-user/vendorver.backend/static/;
    }
}
That file is not available over an https request. How can I include that file in the page?

You have to configure your static directory and your media (images) directory.
To run all this over SSL the config should be something like:
server {
    listen 80;
    listen 443 ssl;
    # No "ssl on;" here: that directive turns every listen socket, port 80
    # included, into TLS-only, so plain http got "400 The plain HTTP request
    # was sent to HTTPS port" instead of the redirect at the bottom. It is
    # also deprecated; "ssl" on the listen line is the replacement.
    charset utf-8;
    client_max_body_size 100M;
    ssl_certificate /etc/nginx/ssl/yoursite_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/yoursite_com/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    access_log /var/www/vhosts/yoursite.com/logs/access_log;
    error_log /var/www/vhosts/yoursite.com/logs/error_log;
    server_name yoursite.com www.yoursite.com;
    root /var/www/vhosts/yoursite.com/yourapp/;
    add_header Strict-Transport-Security max-age=31536000;

    location / {
        # .... your settings here
    }

    location /media {
        alias /var/www/vhosts/yoursite.com/yourapp/media;
    }

    location /static {
        alias /var/www/vhosts/yoursite.com/yourapp/static;
    }

    # Server-level "if" runs before location matching, so every plain-http
    # request is redirected, static and media files included.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
Rather than listening on both ports 80 and 443 in the same server block, I suggest setting up server redirects, e.g.
server {
    listen 80;
    server_name endyourif.com www.endyourif.com;
    return 301 https://www.endyourif.com$request_uri;
}
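The static and media locations in the answer do not address the error quoted in the question: "the content must be served over HTTPS" is the browser's mixed-content block, raised because an https page references http:// subresources, and no nginx location can change what the page's HTML points at. What the proxy can do is shown in this added example (not code from the question or the answer): tell the browser to upgrade those subresource URLs itself, and hand the backend the client's scheme so it stops generating http:// asset links. Hostname, certificate paths, upstream port and static path are the question's; the CSP header and the plain-http server block are the example's additions.

```nginx
# Added example: TLS front for api-test.vendorver.com with mixed-content
# handling. The Content-Security-Policy value is the example's addition.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api-test.vendorver.com;

    ssl_certificate     /etc/nginx/ssl/vv_key/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/vv_key/vendorver.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # (1) The browser rewrites http://third-party/x.js to https://... before
    #     fetching it. This only helps when the third party actually serves
    #     TLS; otherwise the asset still fails, with a TLS error instead of
    #     the mixed-content block. Assets that exist only over http have to
    #     be copied under /static/ and served from here.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Loopback, not 0.0.0.0: the latter is not a destination address and
        # only reaches the local host by accident of Linux behaviour.
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # (2) The scheme the client used. Frameworks read it (Django's
        #     SECURE_PROXY_SSL_HEADER, for instance) to build absolute
        #     https URLs for their own assets and redirects.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    location /static/ {
        alias /home/ec2-user/vendorver.backend/static/;
        autoindex off;   # no browsable listing of the static tree
        expires 30d;
    }
}

# Plain-http side: a redirect and nothing else, literal target hostname.
server {
    listen 80;
    listen [::]:80;
    server_name api-test.vendorver.com;
    return 301 https://api-test.vendorver.com$request_uri;
}
```

After reloading, the check is in the browser's network panel: each previously blocked request should now show an https:// URL, and any that still fail do so because the third-party host has no TLS, which is the signal to self-host that asset.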
Setting up SSL with nginx including redirects from non HTTPS traffic
