route 53 CNAME with Nginx - nginx

I have a domain and its DNS entries are managing using AWS Route53.
I have 30 servers on a datacenter which only have private IPs, and the sites hosted on these servers are loading using a nginx proxy server which have public IP.
For this, I have created an A record (say *.abc.com A IPofproxy), then I added some redirection rules on proxy server to load the corresponding sites.
redirection rule on proxy server are as follows :
1.abc.com redirects to 1.1.1.1
2.abc.com redirects to 2.2.2.2
3.abc.com redirects to 3.3.3.3 , etc.
But now am facing an issue with the CNAMEs,
The issue is,
I created some CNAME records like :
abc.abc.com CNAME 1.abc.com
def.abc.com CNAME 2.abc.com
fgh.abc.com CNAME 3.abc.com , etc
Then I tried to access all of the above domains (abc.abc.com , def.abc.com, etc), but all the sites are pointing to only one server which is the first one on redirection rules.
I am new to nginx, it would be great if anyone help me to fix this.

If I'm understanding your configuration correctly, the issue you're experiencing is not specifically related to either Route 53 or Nginx.
Instead, it's related to how web browsers interact with DNS entries. You'd have this issue with any reverse proxy server.
You have to configure each CNAME entry in your proxy, individually, because the browser doesn't care about the CNAME entry -- the Host: header sent with each request is the hostname the browser started with, not the hostname the browser ended up with after any CNAMEs were traversed.
a.example.com IN A 203.0.113.1
b.example.com IN CNAME a.example.com.
A request for b.example.com will be routed by the proxy according to its rules for b.example.com and not by its rules for a.example.com, because the CNAME does not change the browser's Host: header, which is what the proxy is almost certainly using for its routing decision.
If you want requests for b.example.com, it must be configured in the proxy, and not only in the DNS.

Related

Reverse Proxy - SSL Certificate for an infinite number of domain

Currently I have a NGINX Reverse proxy (server A) setup that redirect all request to another server (server B).
I have an infinite number of domain name that have DNS A Record pointing to server A. Basically the Server A is a server with a static ip. So customer using my app can set up their domain name to point to server A and then the server redirect to server B is dynamic ip so that's why I have the server A.
Now what I want to achieve is that all domain pointing to server A should use HTTPS.
As my reverse proxy is not setup to accept ssl certificate, the request are blocked. I got this error while attempting to access from a domain ERR_CONNECTION_REFUSED.
The issue is, as I can have an infinite number of domain what is the best solution to make sure that all the domain can use HTTPS.
Is there a way in NGINX + Let's Encrypt to do something that would accept all domain?
Otherwise should I update and create a SSL certificate manually for each new domain and update the NGINX config?
Thank you! :)
EDIT: While manually creating the certificate on the server A it's working but I would need to figure out a way to automatically create the file ... Or find another solution.

How can different subdomains point to the same IP and reach different webpages?

I have a firebase project with 2 web applications:
name: url
PC pc-my-app.web.app
Mobile m-my-app.web.app
firebase gives me the IP X.X.X.X for both applications.
I have a domain, example.com with the following records:
A example.com X.X.X.X
A m.example.com X.X.X.X
I thought that having these records pointing to the same IP would mean I see the same webpage, but that is clearly not the case.
Since ports are (apparently) never specified, how can the server on X.X.X.X tell which application I am trying to connect to?
My guess is that the server on X.X.X.X also recieves the original URL as a parameter somehow...
Firebase Hosting (and most other hosting providers) check the Host header in the incoming request to determine what content to serve. And this Host header value allows a single server to map different requests to the correct web site content (often referred to as a "virtual host").
Also see:
The MDN documentation for Host header
What is HTTP "Host" header?

Allow http and https to point to my static website hosted on GCP bucket

Objective:
I want to allow https://example.com, http://example.com and www.example.com to point to my static website hosted on Google Cloud Storage bucket.
My Setup:
I am hosting a static website on Google Cloud Storage bucket.
The bucket called www.example.com
I have load balancer with https frontend and the bucket as backend.
In the Cloud DNS, I have CNAME record that point to the bucket.
I have A record that points my domain "example.com" to the https IP address of the load balancer front end.
With the above setup, https://example.com and www.example.com work fine.
I want to allow http too. So, I added another frontend to the load balancer "http". Then, I added the IP address of that frontend to the existing A record. So, now my A record has both IP addresses for http and https.
After doing that, http://example.com started working. However, https://example.com stopped working. Am I missing something?
Delete the HTTP frontend and recreate it.
Use the same IP address for the HTTP frontend that you are using for the HTTPS frontend.
Delete the extra IP address from your DNS server.
You will then have to wait for DNS to update which can take hours to a day. Your current (old) entries will need to expire (TTL).
To verify that everything is set up correctly use an Internet service like MxToolbox to verify your DNS records.
Why is your current setup not working? You have defined two IP addresses for the same website. Most DNS servers will round-robin those addresses, which means sometimes your website will resolve to one IP address (Load Balancer Frontend) and then to the other IP address (the other Frontend). However your frontends are configured per-protocol (HTTP/HTTPS), so you have a 50% chance of hitting the wrong frontend for the wrong protocol.

Godaddy URL redirect from HTTP to HTTPS

I host my website on heroku and bought the domain from godaddy, here's how I set my DNS records
Records
A - # - Forwaded - 600 secs
CNAME - www - example.com.herokudns.com - 1 Hour
Forwarding
-- Domain --
Redirect to https://www.example.com
-- Subdomain --
example.com Redirect to https://www.example.com
www.example.com Redirect to https://www.example.com
Expected Behaviour
When I enter example.com or www.example.com, it should redirect to https://www.example.com
Result
Only example.com got redirected to https://www.example.com, www.example.com does not
What went wrong with my configuration ?
You can't have www as a CNAME and also www as a redirect. If you have the www CNAME aliased to example.com.herokudns.com it's going to go directly to your app on Heroku and make a connection. Your app must be the one to force the redirect to https at that point. I don't know what language you are using, but if it's Rails then set config.force_ssl = true in production.rb.
If your domain is pointing at Heroku with an A and a CNAME record, then the "forwarding" settings on GoDaddy will have no effect. To implement forwarding, GoDaddy points the domain to their own servers.
Once you point the domain at Heroku, all HTTP to HTTPS redirects have to be implemented at Heroku. You can no longer use Godaddy's forwarding. In any case, GoDaddy's URL forwarding is badly implemented and unreliable. You should never use it. See GoDaddy's 301 redirect/forwarding has some weird random middleman URL, kills link juice?
How to redirect HTTP to HTTPS at Herouku depends on what programming language you use. Basically, the redirect rule has to be programmed into your application. See their documentation for specific instructions for a variety of cases: Can Heroku force an application to use SSL/TLS? - Heroku Help
To actually use the Domain as the Web Address:
The A Record should be the IP Address
The CNAME only needs to be name: www value: #
Also I like to keep the TTL the same for the A and CNAME records.
Wait about an hour before testing to ensure the servers have propagated.
For Domain forwarding you only need to scroll down to Forwarding and select https or http (make sure that is correct). Then the web address/url to the home page.
Use a permanent redirect for SEO.

IIS bindings - example.com and www.example.com

I simply want both example.com and www.example.com to go to the same website. Currently we have just added a binding to each. This creates a problem for WCF which then breaks because it says it can only accept one http address.
Is there a better way to configure a site to accept addresses with or without 'www'?
this has to be changed in the dns using a host or a record.
You shouldn't be hosting a site on the root domain. Better approach here is to redirect traffic to the root (.example.com) to the correct site (www.example.com) using an HTTP 302.
The WCF service should only receive traffic on its single binding. Use DNS, HTTP redirection, or some Traffic management application/appliance to get traffic from multiple points to the correct one.

Resources