I have bought a domain (http://qify.app) on google Domains
When opening Chromium / Firefox I don't have any thing coming out of it (ERR_CONNECTION_REFUSED).
My current setup:
An EC2 AWS machine running my nodeJS backend on port 3000 (localhost)
A nGinx reverse proxy to redirect all inbound port 80 to 3000 (the backend) current nginx config: at /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name localhost;
root /usr/share/nginx/html;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Also I can curl 15.237.134.217 just as much as curl qify.app (and get the correct html)
<!DOCTYPE html><html>
...
</html>
Final nginx version (working for me, I needed two server blocks)
server {
listen 443 ssl http2 ipv6only=off;
server_name qify.app;
ssl_certificate /etc/letsencrypt/archive/qify.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/archive/qify.app/privkey.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
keepalive_timeout 70;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server { # Redirects all port 80 to 443 (with a 301 redirect)
listen [::]:80 http2 ipv6only=off;
server_name qify.app www.qify.app;
return 301 https://qify.app$request_uri;
}
The .app TLD has a baked-in HSTS policy to always use HTTPS on any .app domain. Both Chrome and Firefox, along with several other browsers, include .app in their preloaded HSTS policy list. This means that these browsers will always lead with https on port 443. See https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/ as a reference to this https requirement.
The nginx config file you showed indicates that it is only listening on port 80. This is why the curl http://qify.app works, since it uses port 80, and doesn't have the preloaded HSTS list that those web browsers do.
Generate a certificate for your domain, and configure nginx to listen on port 443, and your browsers will be able to access it that way.
Related
I've seen similar questions around and tried different solutions but none seems to work for me, so I guess I have something wrong in my nginx configurations file.
I have configured nginx to redirect all request to port 8080 except for some locations as I have a nodejs app running on 8080 besides a php application running on port 80 (and another nodejs app service running on 8090) all on the same server (I know it's a weird configuration but I have to live with it for the moment). In my nodejs application I'm tryin to detect if the connection is over http or https but it doesn't work.
I alway get the following regardless I connect over http or https:
console.log(req.headers["x-forwarded-proto"]); // => undefined
console.log(req.secure); // => false
here is my nginx config file:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.chained.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1.2;
root /var/www/html;
index index.html index.htm index.php index.cgi;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
client_max_body_size 100M;
client_body_buffer_size 128k;
server_name factory.quiddis.com;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
location /bugzilla {
try_files $uri $uri/ /index.cgi$is_args$args;
}
location /bugzilla/rest {
rewrite ^/bugzilla/rest/(.*)$ /bugzilla/rest.cgi/$1 last;
}
...
Note:
Although I know I could redirect http to https via nginx, I cannot do it here as the second nodejs app has to stay over http for the moment.
I'm trying to setup a Node.js Express server with https and to do that I am using a NGINX reverse proxy. My VPS is running Ubuntu 18.04. I updated the default server configuration in /etc/nginx/sites-enabled/default to this so it works with SSL (if it works):
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 433 ssl default_server;
listen [::]:433 ssl default_server;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mediaserver;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I ran sudo systemctl restart nginx to restart NGINX.
But the issue is that when I go to the IP Address of my server without https, it opens up fine, but when I go to the IP Address of my server with https, it says the site can't be reached. Any suggested fixes? Thanks.
You need to route the traffic to https instead of http. I also added the proxy_redirect directive which will route any insecure requests to https.
EDIT: Also one problem that I see, is that you are listening on the wrong port. It should be 443, not 433. Notice that I changed proxy_redirect to use port 80.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mediaserver;
location / {
proxy_pass https://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect http://localhost:80 https://localhost:3000;
}
}
Here is a link to the associated NGINX documentation.
I have setup my express & node app to use my letsencrypt ssl certs as so
var options = {
key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem')
};
// Create an HTTP service.
http.createServer(app).listen(3060);
// Create an HTTPS service identical to the HTTP service.
https.createServer(options, app).listen(3061);
I can reach my API at domain.com (hitting port 80 in nginx)
But I can't reach it if I hit https://example.com (port 443)
However I can reach it if I open up port 3061 and request https://example.com:3061 and it works correctly with SSL
My question is, how do I setup nginx to correctly forward requests on port 443 to my server on port 3061 for SSL.
Do I need to include the cert information as suggested elsewhere, if my app is dealing with it?
My nginx config is like this:
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://localhost:3060;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 443 ssl;
server_name example.com;
location / {
proxy_pass https://localhost:3061;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Thanks
I had a Ubuntu Node.js server working with my http://www.example.com website.
I used httpx://localhost:3000 to do my testing, then when I deployed it to Ubuntu,
I still had to enter the port (www.example.com:3000). I was told to implement a
reverse proxy to remove the port 3000 requirement. I installed nginx and added the
following:
sudo nano /etc/nginx/sites-available/default
----------Delete all then Copy / Paste--------------------------
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This worked, and removed the requirement to enter port 3000.
Then I found out I needed to run my app with a SSL/Certificate.
I was able to make the nginx changes to get it working as https://www.example.com:3000.
But now I need to get rid of the port 3000 requirement.
I tried the same reverse proxy setting that I used for http:, but that did not work.
How do I configure nginx to remove the port 3000 requirement.
Below is what is currently happening when I enter it in my browser:
http://67.205.128.21 - Works
http://example.com - Redirects to https://example ; Error: Redirects too many times
http://www.example.com - Redirects to https://example ; Error: Redirects too many times
http://example.com:3000 - Works
http://www.example.com:3000 - Works
Current nginx configureation:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
location ~ /.well-known {
allow all;
}
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This should work:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
location ~ /.well-known {
allow all;
}
}
Then, either in the same file or a different file, add an additional server block.
# SSL configuration
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I think the problem was that you only had one server block, and so when the redirect is executed, it falls in that same server block and then redirects again.
I want to use nginx on different port. If i am running nginx on default port(80) and trying to use by the url (100.100.7.60) this is working fine.
server {
listen 80;
server_name 100.100.7.60;
location / {
proxy_pass http://100.100.7.60:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
But when i am changing nginx port 80 to 8080 or to any port. If now i am trying by (100.100.7.60). I am unable to run node.js application. Now if i want to run application my url should be like (100.100.7.60:8080).
server {
listen 8080;
server_name 100.100.7.60;
location / {
proxy_pass http://100.100.7.60:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Can anyone explain me what is problem? I want to change port number. But i do not want to add (:8080) in url. I want to make same url after changing port number
If you want to listen on a different port, you cannot exclude the port number from the URL. When you enter 100.100.7.60 into a browser, the protocol is HTTP and the port is 80 by default.
There is a (very bad) workaround to this:
server {
listen 80;
server_name 100.100.7.60;
return 301 http://100.100.7.60:8080;
}
This will redirect ALL traffic on port 80 to port 8080, which is (I assume) not what you want.
Instead, you should configure your DNS to point to this server using a subdomain eg myapp.example.com and then listen on 80 port with that server name to serve your app.