I have 2 SSL web servers that I have to handle with nginx.
I also have an http server (the redirection works fine).
The redirections work well when I handle just http and https (only one SSL web server).
The problem is when I want to handle 2 SSL web servers:
na.test.lan for https
nnm.toast.lan for https
The request for https is handled by the first server block file, which redirects me to the wrong SSL web server (maybe the first server block that listens on port 443).
Here is my ssl.conf:
server {
    listen 443 ssl;    # "ssl on;" is deprecated; TLS is enabled on the listen socket instead
    server_name na.test.lan;
    ssl_certificate /etc/pki/nginx/server.crt;
    ssl_certificate_key /etc/pki/nginx/server.key;
    ssl_session_timeout 1m;
    # SSLv2/SSLv3 and the +LOW/+EXP cipher classes are insecure; a current deployment should allow TLSv1.2 and later only
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://172.17.100.200/;
    }
}
server {
    listen 443 ssl;
    server_name nnm.toast.lan;
    # same certificate as na.test.lan: whichever block answers, the client is shown the same cert
    ssl_certificate /etc/pki/nginx/server.crt;
    ssl_certificate_key /etc/pki/nginx/server.key;
    ssl_session_timeout 1m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://179.60.192.3/;
    }
}
Here is my solution, it finally works:
# certificate and key are set once at http level and inherited by every server block below
ssl_certificate /etc/pki/nginx/server.crt;
ssl_certificate_key /etc/pki/nginx/server.key;
# HTTPS server configuration
server {
    listen 443 ssl;    # "ssl on;" is deprecated; TLS is enabled on the listen socket instead
    server_name na.test.lan;
    ssl_session_timeout 1m;
    # SSLv2/SSLv3 and the +LOW/+EXP cipher classes are insecure; a current deployment should allow TLSv1.2 and later only
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://172.17.100.200/;
    }
}
server {
    listen 443 ssl;
    server_name na.toast.lan;
    ssl_session_timeout 1m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://172.17.201.2/;
    }
}
server {
    listen 443 ssl;
    server_name na.tist.lan;
    ssl_session_timeout 1m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://172.17.202.2/;
    }
}
You should use different IP addresses for each SSL server. That's in the nature of the SSL protocol: the SSL handshake must be completed while the connection is being established, so the server has to pick an SSL cert to send to the client. But at that moment it doesn't know anything about the Host: header, so it simply picks the first one.
UPDATE: or use SNI
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
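The answer above describes the situation without SNI: the server must choose a certificate during the handshake, before any HTTP Host: header arrives. With SNI the client puts the hostname into the ClientHello itself, which is what lets nginx pick the right server block (and certificate) for na.test.lan versus nnm.toast.lan on a single IP. The following Python is an added example, not code from the original post or from nginx: it builds a constructed ClientHello, extracts the server_name extension the way a TLS server does, and mimics nginx's fallback to the default server when a client sends no SNI at all. The hostnames and upstream addresses are the ones from the question; the record bytes are constructed here, not captured from a real client.

```python
"""Extract the SNI hostname from a TLS ClientHello.

Added example, not code from the original post or from nginx. The hostname
travels inside the TLS handshake, so the server can choose a server block and
certificate before any HTTP Host: header exists. The ClientHello bytes are
constructed here, not captured from a real client.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, with an SNI extension if a name is given."""
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += b"\x00" * 32               # random (constructed, all zero)
    body += b"\x00"                    # session_id: empty
    body += b"\x00\x02\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                # compression methods: null only
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry        # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext          # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                            # skip version and random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos >= len(body):
            return None                                         # no extensions: a legacy client
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == HOST_NAME_TYPE and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def pick_server_block(record, blocks, default):
    """Mimic nginx: route by SNI when it matches a server_name, otherwise use the default server."""
    name = extract_sni(record)
    return blocks.get(name, default) if name is not None else default


if __name__ == "__main__":
    # server_name -> proxy_pass target, taken from the question's ssl.conf
    blocks = {"na.test.lan": "https://172.17.100.200/", "nnm.toast.lan": "https://179.60.192.3/"}
    first = blocks["na.test.lan"]   # first block on :443 acts as the default server
    for name in ("na.test.lan", "nnm.toast.lan", None):
        hello = build_client_hello(name)
        print(name, "->", pick_server_block(hello, blocks, first))
```

To check a live server the same way, `openssl s_client -connect host:443 -servername na.test.lan` and then `-servername nnm.toast.lan` should return different certificates once each block has its own; leaving out `-servername` shows what a non-SNI client gets, which is the default server's certificate and block.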
Related
If I have an NGINX with a reverse proxy setting such as:
upstream {{ server_name }} {
    server 127.0.0.1:1111;
}
server {
    listen 443 ssl default deferred;
    server_name {{ domain_name }};
    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "....";
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;
    root /var/www/html/;
    location / {
        proxy_pass http://{{ server_name }};
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # sends "Connection: Upgrade" on every request; the nginx WebSocket docs use a map on $http_upgrade to send it only when an upgrade is requested
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }
}
How can I make the port number appear in the browser when requesting that resource as well? Currently only the domain name appears, which I normally prefer, but now I need the possibility of having the port in the URL. Any idea how to achieve this?
I'm currently trying to redirect all access from http to https on an nginx server in VirtualBox.
When using a test machine in VirtualBox, everything is working perfectly.
My issue is with port redirection on VirtualBox.
I want to be redirected directly from my host machine.
For the moment, when I access https it's fine, but when I try to access http, I'm redirected to the nginx server address in VirtualBox.
My ssl conf is:
# upstream must be declared in the http context, not inside a server block
upstream loadbalancing {
    server srv1;
    server srv2;
}
server {
    listen 443 ssl http2;
    server_name _;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    root /var/www/html;
    location / {
        # "location {" needs a URI; try_files and proxy_pass in one location never reach
        # proxy_pass, so local files are tried first and everything else goes to @proxy
        try_files $uri $uri/ @proxy;
    }
    location @proxy {
        proxy_pass http://loadbalancing;
    }
}
server {
    listen 80;
    server_name _;
    # hard-coded target: a client that reached this VM through the host's port forward
    # is sent to the VM's internal name instead of back to the address it used
    return 301 https://srv.dmz.lan$request_uri;
}
DMZ is a NAT network under VirtualBox with these redirections:
I'm setting up a proxy server with NGINX to redirect all traffic from port 80 to port 443 and then forward all traffic from port 443 to an app on one of my servers. I managed to make it work, but only when redirecting to my main IP 192.168.1.201:8006. When I try to point to my app (192.168.1.201:8006/customerSite/), the page gives me the error TOO MANY REDIRECTS.
Here is my .conf:
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
This is my ssl.conf:
server {
    listen 443 ssl;    # "ssl on;" is deprecated; TLS is enabled on the listen socket instead
    listen [::]:443 ssl;
    server_name mydomain.com;
    ssl_certificate /.../certificate.crt;
    ssl_certificate_key /.../clientsmydomain.key;
    large_client_header_buffers 4 10k;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # was "ssl protocols", which nginx rejects as an unknown directive
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /.../certificate.crt;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://192.168.1.201:8060;
    }
    location /weights {
        root /var/www/virtual/server;
        try_files $uri $uri/ =404;    # variables are case-sensitive ($uri, not $URI) and "=404" takes no space
    }
}
Thank you all for your time.
So I am trying to achieve 4 things:
support both IPv4 and IPv6
support Let's Encrypt SSL certificates (the acme-challenge location over http)
redirect www to non-www
redirect http to https
I have come up with a config, but it does not seem to work. I get a "page does not exist" when trying to access http://www.MY_DOMAIN.COM.
Due to the HSTS setting, this does work after having visited the https non-www version once.
Note that I have SSL certificates for both the www and the non-www domain.
How can I achieve this / what am I doing wrong in my config?
# HTTP server
#
server {
    listen [::]:80;    # IPv6 only: nginx defaults to ipv6only=on, so no IPv4 socket is bound on port 80
    server_name MY_DOMAIN.COM www.MY_DOMAIN.COM;
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }
    location / {
        return 301 https://MY_DOMAIN.COM$request_uri;
    }
}
# HTTPS server
#
server {
    listen 443 ssl;    # "ssl on;" is deprecated and redundant when the listen socket already has "ssl"
    listen [::]:443 ssl;
    server_name www.MY_DOMAIN.COM;
    ssl_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.MY_DOMAIN.COM/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.MY_DOMAIN.COM/fullchain.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
    return 301 https://MY_DOMAIN.COM$request_uri;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name MY_DOMAIN.COM;
    ssl_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY_DOMAIN.COM/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/MY_DOMAIN.COM/fullchain.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
    root /var/www/MY_DOMAIN.COM;
    index index.html;
}
Also, I do not find the copy-paste nature of the two server blocks very nice.
As @RichardSmith notes, I was not listening on the IPv4 version of the http://www variant. Hence, the redirect was not triggered at all.
After fixing this, the setup is working.
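The fix described above (port 80 was bound for IPv6 only, so an IPv4 request for http://www never reached the redirect) is easy to miss by eye, because `listen [::]:80;` looks as if it covers everything. The following Python is an added example, not from the original post or from nginx: it scans the `listen` directives in a config text and reports every port that is reachable over only one address family, applying nginx's default of `ipv6only=on` for `[::]` sockets. The sample config is constructed to mirror the question's three server blocks; the `FIXED` variant applies the change the asker describes.

```python
"""Report which address families each nginx listen port is actually bound to.

Added example (not from the original post, not nginx's own code). It parses
`listen` directives out of a config text and applies nginx's default of
ipv6only=on for `[::]` sockets, so `listen [::]:80;` on its own counts as
IPv6 only. The SAMPLE config is constructed to mirror the question.
"""
import re

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)
IPV6_ADDR_RE = re.compile(r"^\[([0-9a-fA-F:.]*)\]:(\d+)$")


def families_for(listen_args):
    """Return (port, set_of_families) for the arguments of one listen directive.

    Handles '80', '*:80', '10.0.0.1:443', '[::]:443' and the ipv6only flag.
    Unix sockets have no address family and yield None.
    """
    parts = listen_args.split()
    addr, flags = parts[0], set(parts[1:])
    if addr.startswith("unix:"):
        return None
    m6 = IPV6_ADDR_RE.match(addr)
    if m6:
        port = int(m6.group(2))
        fams = {"ipv6"}
        # a wildcard [::] socket answers IPv4 too only when ipv6only is switched off
        if "ipv6only=off" in flags and m6.group(1) == "::":
            fams.add("ipv4")
        return port, fams
    port = int(addr.rsplit(":", 1)[-1])
    return port, {"ipv4"}


def listen_coverage(config_text):
    """Map port -> {'ipv4': bool, 'ipv6': bool} over every listen directive in the text."""
    coverage = {}
    for args in LISTEN_RE.findall(config_text):
        parsed = families_for(args)
        if parsed is None:
            continue
        port, fams = parsed
        entry = coverage.setdefault(port, {"ipv4": False, "ipv6": False})
        for fam in fams:
            entry[fam] = True
    return coverage


def missing_families(config_text):
    """List (port, family) pairs where a port is reachable over one family only."""
    gaps = []
    for port, fams in sorted(listen_coverage(config_text).items()):
        gaps.extend((port, fam) for fam in ("ipv4", "ipv6") if not fams[fam])
    return gaps


# constructed sample: the question's three server blocks, reduced to their listen lines
SAMPLE = """
server {
    listen [::]:80;
    server_name MY_DOMAIN.COM www.MY_DOMAIN.COM;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.MY_DOMAIN.COM;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name MY_DOMAIN.COM;
}
"""

# the fix from the question: add the IPv4 listener next to the IPv6 one
FIXED = SAMPLE.replace("listen [::]:80;", "listen 80;\n    listen [::]:80;")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after", FIXED)):
        print(label, "gaps:", missing_families(text) or "none")
```

Run against the real file (`open("/etc/nginx/sites-enabled/example").read()`) the same report tells you which ports an IPv4-only or IPv6-only client cannot reach at all; a port bound for one family only means every client on the other family skips that server block entirely, redirect included.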
I deployed a website on DigitalOcean with nginx as a proxy pass. The site works, but sometimes I have to refresh to reach the site. I am afraid that my nginx or my DNS configuration is wrong, since I'm doing this for the first time.
Here is my nginx config (the server should run only on https):
server {
    listen 80;
    server_name <site_name>.com;
    return 301 https://www.<site_name>.com$request_uri;
}
server {
    listen 80;
    server_name www.<site_name>.com;
    return 301 https://www.<site_name>.com$request_uri;
}
server {
    listen 443 ssl;
    server_name <site_name>.com;
    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/certs/private.key;
    return 301 $scheme://www.<site_name>.com$request_uri;
}
server {
    listen 443 ssl;    # replaces "listen 443;" plus the deprecated "ssl on;"
    # this name reads www.<site_name>f.com, which is not the www.<site_name>.com that the redirects above point at
    server_name www.<site_name>f.com;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    ssl_certificate /etc/nginx/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/certs/private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://localhost:8000;
    }
}
Here are my dns settings:
A Record host:# value: TTL: automatic
A Record host:www value: TTL: 1 min
Any idea what is going wrong?
Thanks!
When the site fails to load what is the error message, if any? I doubt this is a DNS issue, since it works sometimes.