I am jumping in on a project with some socket issues over SSL and Cloudflare... I know... I have read about 50 different Stack Overflow posts and 200 blog posts to try to figure this out. The project works on my local dev server/computer just fine...
I think I am on the right track, but could use some help/pointers if y'all can.
First, I thought it was weird that the /socket-io/ proxy_pass was at port 6379, the same as Redis... Maybe it should be? When this was set at 6379, the socket connection will not connect, with or without Cloudflare enabled (I paused Cloudflare to test this out).
I read through the Express server and saw that the socket server seems to be linked to the Express server at port 4000... so I changed the proxy_pass for /socket-io/ to port 4000 and it reconnects. This works with Cloudflare paused/running... so maybe it's not Cloudflare after all. Still, even though it says the socket has reconnected in the browser, nothing is working.
I'll start by sharing my NGINX config. Let me know what else y'all need to see, please. Thanks for taking the time to help me out/point me in the right direction! I really appreciate learning about this stuff.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dev-app.myapp.com;

    location / {
        root /var/www/myapp_frontend/build/;
        try_files $uri $uri/ /index.html;
        #proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }

    location /api/ {
        proxy_pass http://localhost:4000/;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /socket.io/ {
        proxy_pass http://localhost:6379;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_read_timeout 86400;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    ssl_certificate /etc/letsencrypt/live/dev-app.myapp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dev-app.myapp.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = dev-app.myapp.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name dev-app.myapp.com;
    listen 80 default_server;
    listen [::]:80 default_server;
    return 404; # managed by Certbot
}
Edit-1
I did see that Cloudflare requires certain ports... Am I wrong to think that these ports only refer to the initial listening port, for example 443 above, since the proxy_pass ports are all using localhost?
Related
const https = require(`https`);
const fs = require(`fs`);

const options = {
    key: fs.readFileSync(...),
    cert: fs.readFileSync(...)
};

https.createServer(options, app).listen(8000);
My Node.js server looks like this.
Does it mean I have to configure nginx like this?
location / {
    proxy_pass https://localhost:8000/;
}
Not proxy_pass to http://localhost:8000/?
What makes me confused is that I think the network inside the server doesn't need SSL.
An HTTPS server on the application server also needs SSL configuration on nginx, right?
I also tried app.listen instead of https.createServer.
My Node.js app and nginx configuration look like this.
app.listen(4416);
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    root /root/app;
    index template.html;

    ssl_certificate ...;
    ssl_certificate_key ...;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:4416/;
        proxy_buffering off;
        proxy_read_timeout 90;
        # websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
    return 404;
}
In this case, the redirection keeps happening, and I don't know the reason why. What did I miss?
If I do https.createServer(SSL_OPTION, app).listen(4416) instead of app.listen(4416), it doesn't get a connection at all. And if I change the nginx configuration's proxy_pass to https://localhost:4416;, then it works well. Things work, but I wonder why this is happening.
I've seen similar questions around and tried different solutions, but none seems to work for me, so I guess I have something wrong in my nginx configuration file.
I have configured nginx to redirect all requests to port 8080 except for some locations, as I have a Node.js app running on 8080 besides a PHP application running on port 80 (and another Node.js app service running on 8090), all on the same server (I know it's a weird configuration, but I have to live with it for the moment). In my Node.js application I'm trying to detect if the connection is over HTTP or HTTPS, but it doesn't work.
I always get the following regardless of whether I connect over HTTP or HTTPS:
console.log(req.headers["x-forwarded-proto"]); // => undefined
console.log(req.secure); // => false
here is my nginx config file:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/server.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2;

    root /var/www/html;
    index index.html index.htm index.php index.cgi;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    client_max_body_size 100M;
    client_body_buffer_size 128k;

    server_name factory.quiddis.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
    }

    location /bugzilla {
        try_files $uri $uri/ /index.cgi$is_args$args;
    }

    location /bugzilla/rest {
        rewrite ^/bugzilla/rest/(.*)$ /bugzilla/rest.cgi/$1 last;
    }

    ...
Note:
Although I know I could redirect HTTP to HTTPS via nginx, I cannot do it here, as the second Node.js app has to stay over HTTP for the moment.
I have a server running with pm2 that is being served up by nginx. I would like to point my React app to the domain, and have the server only respond to requests that the client sends.
Currently, if you go to jwcuisine.io it gives you a "CANNOT GET /" message. I tried something like this:
location / {
    # This would be the directory where your React app's static files are stored
    root /var/www/html/;
    try_files $uri /index.html;
}

location /graphql {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:5000/;
    proxy_ssl_session_reuse off;
    proxy_set_header Host $http_host;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}
However, the above led to a 500 error from nginx.
Below is the code I currently have, which is giving the "CANNOT GET /" response. Any direction would be appreciated; I can't find a ton of relevant information pertaining to this.
server {
    server_name jwcuisine.io www.jwcuisine.io;

    location / {
        proxy_pass http://localhost:4000; # whatever port your app runs on
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/jwcuisine.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jwcuisine.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.jwcuisine.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = jwcuisine.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name jwcuisine.io www.jwcuisine.io;
    return 404; # managed by Certbot
}
I am also using a similar architecture to host my website front-end and back-end via an nginx reverse proxy server. There is an update to your nginx conf after which it will work as expected: you need to add all subroutes first (e.g. /api, /graphql) and then add the location for the index route /. In your current conf the website will never be able to reach the server, as the /server route gets matched to the index route / first; nginx will try to find it in the static folder and never reach the proxy_pass you provided in the location below.
Updated nginx.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name jwcuisine.io www.jwcuisine.io;

    location /graphql {
        proxy_pass "http://127.0.0.1:5000";
        proxy_read_timeout 5400s;
        proxy_send_timeout 5400s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }

    location / {
        root /var/www/html;
        try_files $uri $uri/ /index.html;
    }
}
I've deployed an application on DigitalOcean with nginx. I've reverse proxied my frontend on port 8081 and made it SSL-secured with Let's Encrypt. Now I need to secure my WebSocket server on port 8080 to prevent it from giving me this error: "ERR_SSL_PROTOCOL_ERROR".
This is my current nginx config:
server {
    listen 80;
    listen 443 ssl;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name mywebsite.com www.mywebsite.com; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mywebsite/fullchain.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mywebsite/privkey.pem; # managed by Certbot

    location / {
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /websocket/ {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    include /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Am I missing something? I've looked everywhere, and from what I can tell this setup should be correct.
I have a Node.js application running on an AWS Linux server with SSL. I wanted to put nginx in front of it. I googled it and read that if I implement SSL in nginx, then the Node application runs on HTTP. So I configured the nginx conf as follows and ran the Node.js application with a normal HTTP server:
server {
    listen 443 ssl;
    server_name myserver.com;

    ssl_certificate myserver.chained.crt;
    ssl_certificate_key myserver.key;
    ssl_client_certificate myserver.crt;
    ssl_verify_client optional;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header VERIFIED $ssl_client_verify;
        proxy_set_header DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:3000;
    }
}
Now the application is reachable over HTTP as well as HTTPS. I want nginx to be in front, serving SSL, and the application to be reachable only over HTTPS.
Is my approach right, and what am I missing?
I see you have the application running on port 3000. What you will want to do so that it only runs on HTTPS is to block all requests to port 3000 on the server (using a firewall or security group rules in AWS), and for every request on port 80 you will want to redirect to the HTTPS version (port 443). Something like this:
server {
    listen 80;
    server_name my.domain.com;
    return 301 https://$server_name$request_uri;
}
I found the above rule in this answer on Server Fault.
upstream app {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location ~ ^/(assets/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
        root /var/www/example.com/public/;
        access_log off;
        expires 24h;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app$uri$is_args$args;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}