nginx with websocket and https content on same url - nginx

My server provides on a root url, in https:
files, rest resources
websocket
I would like my configuration to support websocket but it does not work.
I use nginx 1.3.16 which supports websocket proxy.
Here is part of my nginx configuration:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 default ssl;
server_name localhost;
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 60;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
### We want full access to SSL via backend ###
location / {
proxy_pass http://localhost:8080;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
### Set headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
### Most PHP, Python, Rails, Java App can use this header ###
#proxy_set_header X-Forwarded-Proto https;##
#This is better##
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
### By default we don't want to redirect it ####
proxy_redirect off;
}
location /writever/chat {
proxy_pass http://localhost:8080/writever/chat;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Here is the error I see in nginx:
2013/04/23 22:41:52 [error] 17011#0: *2093 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET /writever/chat?X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=1.0.12&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=application/json&X-atmo-protocol=true HTTP/1.1", upstream: "http://127.0.0.1:8080/writever/chat?X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=1.0.12&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=application/json&X-atmo-protocol=true", host: "localhost"
I am not sure if the two locations can work together, if the order is important, as '/' contains /writever/chat.
Any help would be greatly appreciated.
update: I had remains of a previous nginx version. After cleaning, everything seems to work fine. So I'll keep this config until I find an issue or something better. I will let you know.

As indicated above, my problem was with an incorrect installation of nginx.
Uninstall thoroughly any version < 1.3.13- (do a sudo updatedb;locate nginx to make sure) and then install the new version.
For the moment you have to do it manually (no apt-get yet):
sudo apt-get install build-essential libssl-dev zlib1g-dev
pcre
cd ~/src #make this if it doesn't exist
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
tar -xzvf pcre-8.30.tar.gz
cd pcre-8.30/
./configure # /usr/local is the default so no need to prefix
make
sudo make install
sudo ldconfig # this is important otherwise nginx will compile but fail to load
nginx
wget http://nginx.org/download/nginx-1.4.0.tar.gz # check for latest version on nginx website
tar -xvzf nginx-1.4.0.tar.gz
cd nginx-1.4.0
./configure --with-http_flv_module \
--with-http_ssl_module \
--with-http_gzip_static_module
make
sudo make install # uninstall any previous version of nginx first

Related

How to run odoo in https mode using nginx?

I am trying to run odoo in https mode using nginx but it's not working. This is how I tried,
sudo apt-get install nginx
cd /etc/nginx/sites-available
sudo openssl genrsa -des3 -passout pass:odoo -out server.temp.key 2048
sudo openssl req -new -passin pass:odoo -key server.temp.key -out server.csr
sudo openssl rsa -in server.temp.key -out server.key
sudo rm server.temp.key
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
my certificate file,
upstream odoo {
server localhost:8069 weight=1 fail_timeout=3000s;
}
server {
listen 443;
listen [::]:443 ipv6only=on;
server_name odoo.example.com;
ssl on;
ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
keepalive_timeout 60;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location / {
proxy_pass http://odoo;
# Force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
# Let the Odoo web service know that we're using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
# Set timeouts
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
# By default, do not forward anything
proxy_redirect off;
}
# Cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the Odoo web interface a bit.
location ~* /[0-9a-zA-Z_]*/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}
access_log /var/log/nginx/odoo-ssl.access.log;
error_log /var/log/nginx/odoo-ssl.error.log;
}
After this I restarted nginx, enabled proxy mode in odoo config and restarted odoo server, but still my site runs in http mode. I have not given any domain name to my site. Is that compulsory before setting up nginx?
Ok, let's start from the beginning. In order to have set Odoo with ssl you need:
1) domain name
2) proper config for reverse proxy(you are using nginx so it will be easy fix)
3) ssl certificate
4) updated Odoo config
I have written down some hints for the above points:
1) I assume that you have a domain pointing to your server. If not then you need to visit your domain control panel and set DNS (simply put your server IP in the "A" value). Sample tutorial on this (see point 5):
https://www.cier.tech/blog/blog-1/post/how-to-publish-your-website-on-amazon-ec2-linux-ubuntu-server-13
2) Sample Odoo config:
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name odoo.mycompany.com; #replace with your domain
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name odoo.mycompany.com; #replace with your domain
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters - update with your cert details
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
location /longpolling {
proxy_pass http://odoochat;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
As you can see there is also upstream for the chat as it works on the other port.
Remember to create a shortcut in the sites-enabled:
ln -s /etc/nginx/sites-available/yoursite.com /etc/nginx/sites-enabled/yoursite.com
Later on test nginx config and restart it:
nginx -t
service nginx restart
Mentioned config comes from:
https://www.odoo.com/documentation/10.0/setup/deploy.html
4) Update your Odoo config with:
- proxy_mode = True
- workers = you need to have more than one worker if you want the "chat" and "discuss" modules to work properly.

docker pull manifest unknown blob errors

I am currently trying to set up nexus as a private registry for docker images and have been able to login, push, pull, search through the nexus repository.
Currently we are stuck with pulling images from docker if not available within the nexus hosted repository. We are facing errors ranging from blob unknown to manifest unknown.
[root@server1446 ~]$ docker pull server908.int.org.com:6666/centos
Using default tag: latest
Trying to pull repository server908.int.org.com:6666/centos ...
manifest unknown: manifest unknown
Tried following the reference Setup-Docker-Private-Registry-in-Nexus-Repository-OSS-3.0.0 (https://github.com/TerrenceMiao/nexus/wiki/Setup-Docker-Private-Registry-in-Nexus-Repository-OSS-3.0.0) to set up the docker(proxy) and docker(hosted) repo with docker(group) but it throws blob unknown to registry error.
docker(hosted) is configured with http port 4444 & docker(group) with http port 5555 and we have used the same within nginx configuration as below but neither seems to be working.
server {
listen 6666;
server_name server908.int.org.com;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/orgnexus.crt;
ssl_certificate_key /etc/ssl/certs/orgnexus.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
client_max_body_size 1G;
chunked_transfer_encoding on;
location / {
access_log /var/log/nginx/docker.log;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://server908.int.org.com:5555;
proxy_read_timeout 90;
}
We have commented out the below entries in the "/etc/sysconfig/docker" file.
http_proxy=http://x.x.x.x:3128
https_proxy=http://x.x.x.x:3128
Below are my configurations that got it working.
server {
proxy_send_timeout 120;
proxy_read_timeout 300;
proxy_buffering off;
tcp_nodelay on;
server_tokens off;
client_max_body_size 1G;
listen 80;
server_name box.company.net;
location / {
rewrite ^(.*) https://box.company.net$1 permanent;
}
}
server {
listen 443;
server_name box.company.net;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/ssl.crt;
ssl_certificate_key /etc/ssl/certs/ssl.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://box.company.net:8081;
proxy_read_timeout 90;
}
}
# correlates to your nexus http connector
server {
listen 6666;
server_name box.company.net;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/ssl.crt;
ssl_certificate_key /etc/ssl/certs/ssl.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
client_max_body_size 1G;
chunked_transfer_encoding on;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
if ($request_method !~* GET) {
proxy_pass http://box.company.net:4444;
}
if ($request_method = GET) {
proxy_pass http://box.company.net:5555;
}
proxy_read_timeout 90;
}
}
Commented out the below entries in the "/etc/default/docker" file.
http_proxy=http://x.x.x.x:3128
https_proxy=http://x.x.x.x:3128
Restart Nginx.
Perform Login
[test@server ~]$ docker login -u admin -p admin123 box.company.net:6666
Login Succeeded
Post login, a file named "config.json" will be created under the ".docker" directory
[test@server ~]$ cat ~/.docker/config.json
{
"auths": {
"box.company.net:6666": {
"auth": "YWRtaW46YWRtaW4xMjM="
}
}
}
Search for Images available in docker hub.
[test@server ~]$ docker search box.company.net:6666/ubuntu
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
company.net box.company.net:6666/ubuntu Ubuntu is a Debian-based Linux operating s... 6186 [OK]
Pull the images from docker hub via nexus proxy.
[test@server ~]$ docker pull box.company.net:6666/ubuntu
Using default tag: latest
Trying to pull repository box.company.net:6666/ubuntu ...
sha256:a0ee7647e24c8494f1cf6b94f1a3cd127f423268293c25d924fbe18fd82db5a4: Pulling from box.company.net:6666/ubuntu
75c416ea735c: Pull complete
c6ff40b6d658: Pull complete
a7050fc1f338: Pull complete
f0ffb5cf6ba9: Pull complete
be232718519c: Pull complete
Digest: sha256:a0ee7647e24c8494f1cf6b94f1a3cd127f423268293c25d924fbe18fd82db5a4
Status: Downloaded newer image for box.company.net:6666/ubuntu:latest
Tag The pulled images
docker tag box.company.net:6666/ubuntu:latest box.company.net:6666/ubuntu:1
Push to NexusHostedRepo (Port : 4444)
[test@server ~]$ docker push box.company.net:6666/ubuntu:1
The push refers to a repository [box.company.net:6666/ubuntu]
0566c118947e: Pushed
6f9cf951edf5: Pushed
182d2a55830d: Pushed
latest: digest: sha256:a0ee7647e24c8494f1cf6b94f1a3cd127f423268293c25d924fbe18fd82db5a4 size: 1357
Pull from Nexus Repo (This should be quicker than the pull from docker hub)
[test@server ~]$ docker pull box.company.net:6666/ubuntu:1
Trying to pull repository box.company.net:6666/ubuntu ...
sha256:a0ee7647e24c8494f1cf6b94f1a3cd127f423268293c25d924fbe18fd82db5a4: Pulling from server908.int.org.com:6666/ubuntu
75c416ea735c: Pull complete
c6ff40b6d658: Pull complete
a7050fc1f338: Pull complete
Digest: sha256:a0ee7647e24c8494f1cf6b94f1a3cd127f423268293c25d924fbe18fd82db5a4
Status: Downloaded newer image for box.company.net:6666/ubuntu:1
--------------------------------------------------------------------------------
Also make sure you add your proxy server certificate within Nexus SSL Certificate Section.
keytool -J-Dhttps.proxyHost=<proxy_hostname> -J-Dhttps.proxyPort=<proxy_port> -printcert -rfc -sslserver <remote_host_name:remote_ssl_port>
Replace proxy_hostname and proxy_port with the HTTP proxy server that Nexus is configured with under Administration -> Server. Replace remote_host_name:remote_ssl_port with one of the remote host and port having the certification problem. You can omit the port if it is the default 443. For docker it will be registry-1.docker.io:443
You should see at least two entries printed by the above command. Take the last certificate content printed and copy it entirely to your clipboard. This should be your proxy server's certificate, added to the end of the certificate chain.
The copied certificate content should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Then in the Nexus UI, go to Administration -> SSL Certificates and click Add... and choose Paste PEM. Paste the certificate contents to the dialog that opens.
Click Load Certificate. Verify the certificate contents in the next window. Verify the Issuer details listed are from your proxy server certificate. When you are satisfied click Add Certificate.
Hope this helps.
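The ~/.docker/config.json shown in the answer above holds the registry login as base64 of user:password, not as an encrypted value, so the file is equivalent to the password. As an added example (not part of the original answer), this Python sketch audits such a file; the function name audit_docker_config and the second sample document are constructed for illustration, while the first sample is the output quoted above.

```python
import base64
import json

# Copied from the `cat ~/.docker/config.json` output in the answer above.
INLINE_CONFIG = """
{
  "auths": {
    "box.company.net:6666": {
      "auth": "YWRtaW46YWRtaW4xMjM="
    }
  }
}
"""

# Constructed sample: the same registry after logging in with a credential
# helper configured, so no secret is written into the file itself.
HELPER_CONFIG = """
{
  "auths": {"box.company.net:6666": {}},
  "credsStore": "secretservice"
}
"""


def audit_docker_config(text, file_mode=0o600):
    """Return one finding per registry whose credentials sit inline in the file."""
    cfg = json.loads(text)
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # nothing inline: a credential helper holds the secret
        # "auth" is only base64("user:password"); anyone who can read the
        # file can recover the password.
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        findings.append({
            "registry": registry,
            "user": user,
            "password_recoverable": bool(password),
            # Any group/other permission bit exposes it to other local users.
            "readable_by_others": bool(file_mode & 0o077),
        })
    return findings


if __name__ == "__main__":
    for label, text, mode in (("inline", INLINE_CONFIG, 0o644),
                              ("helper", HELPER_CONFIG, 0o600)):
        results = audit_docker_config(text, mode)
        print(label, results if results else "no inline credentials")
```
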

Implementing https to administrative console

I wanted to implement https for the administrative console of Kaa. Is there a way of doing this so that the login information passed through the administrative console can be encrypted?
Yes, you can do it. For this you can configure another server with SSL as a reverse proxy for Kaa. You can use a web server like Nginx.
For more details about installation and configuration instruction described above, use How To Create an SSL Certificate on Nginx for Ubuntu 14.04 and How To Configure Nginx with SSL as a Reverse Proxy for Jenkins guides.
Update your package lists and install Nginx:
sudo apt-get update
sudo apt-get install nginx
Install openssl to create an SSL certificate:
sudo apt-get install openssl
Create a self-signed SSL certificate in the /etc/nginx/ directory:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
Edit the default Nginx configuration file.
sudo nano /etc/nginx/sites-enabled/default
You can replace the existing configuration file.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 8085;
server_name 192.168.x.x;
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/jenkins.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the "It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.x.x:8080;
proxy_read_timeout 90;
proxy_redirect http://192.168.x.x:8080 https://192.168.x.x;
}
}
Where,
listen 8085; - new port instead of 8080 to access administrative console (you can use default 443 port).
Instead of 192.168.x.x enter your IP address.
Restart Nginx:
sudo service nginx restart
Log in to the Kaa administrative console:
https://192.168.x.x:8085/

Connection refused : Nginx HTTPS reverse proxy in docker container

I wanted to setup https reverse proxy with nginx on docker container either ubuntu/centos. On Browser side, I am getting connection refused error. And also, I cannot see anything under /var/log/nginx/access.log or /var/log/nginx/error.log.
I am able to setup http reverse proxy with nginx on docker container again. And, also https reverse proxy with nginx on normal ubuntu and centos virtual machines.
Can understand the reason why https reverse proxy with nginx on docker containers is failing to connect from browser?
If any additional information needed, I can provide you. Thanks in advance.
For reference, Please check this sites-available/default file.
server {
listen 80;
server_name localhost;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location ~* /rabbitmq/(.*) {
rewrite ^\/rabbitmq\/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:15672;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_redirect http:// https://;
}
location ~* /api/(.*) {
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_redirect http:// https://;
}
}
Thanks,
Ganesh
Looks, I need to expose both HTTP and HTTPS ports, since nginx reverse proxy configured to serve only HTTPS traffic.
docker run -d -p 80:80 -p 443:443 nginx-container
When I started exposing HTTPS port, then it worked.
You're probably running your container in "bridge" network mode (it's default), which means that your 127.0.0.1 is not what you think it is. It would use virtualised network adapter for your container running nginx. To quickly fix it you can add
--net=host
parameter to your docker run command. There are other options, but I need to know more about your setup and requirements to suggest them.

Artifactory pro server behind an nginx frontend

I am trying to set up ssl for our artifactory server. For this I wish to configure nginx as the reverse proxy. So far I have done the following
-- Installed artifactory pro using its docker image
docker run --name artifactory-registry -p 8081:8081 -v $ARTIFACTORY_HOME/data -v $ARTIFACTORY_HOME/logs -v $ARTIFACTORY_HOME/backup -v $ARTIFACTORY_HOME/etc jfrog-docker-reg2.bintray.io/jfrog/artifactory-pro:latest
-- Installed nginx using sudo apt-get install nginx
I have the webapp accessible at http://localhost:8081/artifactory/webapp/#/home
and the following config file under $ARTIFACTORY_HOME/tomcat/conf/server.xml
<Service name="Catalina">
<Connector port="8081"/>
<!-- This is the optional AJP connector -->
<Connector port="8019" protocol="AJP/1.3"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"/>
</Engine>
</Service>
From sources found online, the following configuration is needed for the nginx to act as a reverse proxy
server {
listen 80;
server_name yourdomain.com;
root /etc/tomcat7/webapps/apple;
proxy_cache one;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8080/;
}
}
What should be the 'server_name' and 'root' in this path? Also how do I test the reverse proxiness of this setup?
Usually you will configure SSL on its default HTTPS port (443).
Take a look at this page for configuring nginx with SSL.
The server_name is the host from which you will connect to your nginx (from the browser for example). Usually you will have a DNS address from your company (like artifactory.mycompany.com) and you will use that, but if everything is local you can just put localhost instead.
Here is a working SSL configuration on port 443:
server {
listen 443;
server_name artifactory.mycompany.com;
access_log /var/log/nginx/artifactory.access.log;
error_log /var/log/nginx/artifactory.error.log;
ssl on;
ssl_certificate /etc/nginx/ssl/artifactory.crt;
ssl_certificate_key /etc/nginx/ssl/artifactory.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
location /artifactory {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8081;
proxy_pass_header Server;
proxy_read_timeout 90;
}
}
Simply put your SSL certificates at the configured locations and you are good to go.
Connecting to https://artifactory.mycompany.com from your browser should now work (or https://localhost if you used that for server_name).
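Several configurations on this page still offer SSLv3, TLSv1 or RC4 and rely on `ssl on;`. As an added example (not code from any of the posts), this Python sketch flags those directives in nginx configuration text; the function names and the hardened sample are assumptions made for illustration, and the check works on OpenSSL cipher-string keywords only, not on individual suite names.

```python
import re

# Protocol versions that should no longer be offered: SSLv2/SSLv3 are broken
# (SSLv3 by POODLE) and TLS 1.0/1.1 were deprecated by RFC 8996.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string keywords that pull weak suites into the list.
WEAK_CIPHER_WORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                     "RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL", "ADH"}

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers|ssl)\s+([^;]*);", re.M)

# TLS directives copied from the Artifactory answer above.
PAGE_CONF = """
listen 443;
ssl on;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
"""

# Constructed replacement (an assumption, not taken from the page).
HARDENED_CONF = """
listen 443 ssl;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
"""


def weak_cipher_words(cipher_string):
    """Return weak keywords that the cipher string adds and never kills."""
    items = [i for i in re.split(r"[:, ]+", cipher_string) if i]
    killed = {i[1:] for i in items if i.startswith("!")}  # "!X" removes X for good
    weak = []
    for item in items:
        # "!X" and "-X" remove, "+X" only reorders, "@STRENGTH" sorts:
        # none of these adds suites to the list.
        if item[0] in "!-+@":
            continue
        for word in item.split("+"):  # "RC4+RSA" means RC4 suites using RSA
            if word in WEAK_CIPHER_WORDS and word not in killed and word not in weak:
                weak.append(word)
    return weak


def audit(conf):
    """Return a list of findings for the TLS directives in conf."""
    findings = []
    for name, value in DIRECTIVE.findall(conf):
        value = value.strip().strip("'\"")
        if name == "ssl" and value == "on":
            findings.append("ssl on: obsolete since nginx 1.15.0, use 'listen 443 ssl'")
        elif name == "ssl_protocols":
            findings += [f"ssl_protocols: {p} should be disabled"
                         for p in value.split() if p in WEAK_PROTOCOLS]
        elif name == "ssl_ciphers":
            findings += [f"ssl_ciphers: {w} enables weak suites"
                         for w in weak_cipher_words(value)]
    return findings


if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```
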
