Setup NGINX reverse proxy with SSL? - node.js

I'm trying to setup a Node.js Express server with https and to do that I am using a NGINX reverse proxy. My VPS is running Ubuntu 18.04. I updated the default server configuration in /etc/nginx/sites-enabled/default to this so it works with SSL (if it works):
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 433 ssl default_server;
listen [::]:433 ssl default_server;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mediaserver;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I ran sudo systemctl restart nginx to restart NGINX.
But the issue is that when I go to the IP Address of my server without https, it opens up fine, but when I go to the IP Address of my server with https, it says the site can't be reached. Any suggested fixes? Thanks.

You need to route the traffic to https instead of http. I also added the proxy_redirect directive which will route any insecure requests to https.
EDIT: Also one problem that I see, is that you are listening on the wrong port. It should be 443, not 433. Notice that I changed proxy_redirect to use port 80.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mediaserver;
location / {
proxy_pass https://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect http://localhost:80 https://localhost:3000;
}
}
Here is a link to the associated NGINX documentation.

Related

Can't link domain name to IP (Nothing displays)

I have bought a domain (http://qify.app) on google Domains
When opening Chromium / Firefox I don't have any thing coming out of it (ERR_CONNECTION_REFUSED).
My current setup:
An EC2 AWS machine running my nodeJS backend on port 3000 (localhost)
A nGinx reverse proxy to redirect all inbound port 80 to 3000 (the backend) current nginx config: at /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name localhost;
root /usr/share/nginx/html;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Also I can curl 15.237.134.217 just as much as curl qify.app (and get the correct html)
<!DOCTYPE html><html>
...
</html>
Final nginx version (working for me, I needed two server blocks)
server {
listen 443 ssl http2 ipv6only=off;
server_name qify.app;
ssl_certificate /etc/letsencrypt/archive/qify.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/archive/qify.app/privkey.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
keepalive_timeout 70;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server { # Redirects all port 80 to 443 (with a 301 redirect)
listen [::]:80 http2 ipv6only=off;
server_name qify.app www.qify.app;
return 301 https://qify.app$request_uri;
}
The .app TLD has a baked-in HSTS policy to always use HTTPS on any .app domain. Both Chrome and Firefox, along with several other browsers, include .app in their preloaded HSTS policy list. This means that these browsers will always lead with https on port 443. See https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/ as a reference to this https requirement.
The nginx config file you showed indicates that it is only listening on port 80. This is why the curl http://qify.app works, since it uses port 80, and doesn't have the preloaded HSTS list that those web browsers do.
Generate a certificate for your domain, and configure nginx to listen on port 443, and your browsers will be able to access it that way.

Problem detecting https in nodejs and nginx

I've seen similar questions around and tried different solutions but none seems to work for me, so I guess I have something wrong in my nginx configurations file.
I have configured nginx to redirect all request to port 8080 except for some locations as I have a nodejs app running on 8080 besides a php application running on port 80 (and another nodejs app service running on 8090) all on the same server (I know it's a weird configuration but I have to live with it for the moment). In my nodejs application I'm tryin to detect if the connection is over http or https but it doesn't work.
I alway get the following regardless I connect over http or https:
console.log(req.headers["x-forwarded-proto"]); // => undefined
console.log(req.secure); // => false
here is my nginx config file:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.chained.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1.2;
root /var/www/html;
index index.html index.htm index.php index.cgi;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
client_max_body_size 100M;
client_body_buffer_size 128k;
server_name factory.quiddis.com;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
location /bugzilla {
try_files $uri $uri/ /index.cgi$is_args$args;
}
location /bugzilla/rest {
rewrite ^/bugzilla/rest/(.*)$ /bugzilla/rest.cgi/$1 last;
}
...
Note:
Although I know I could redirect http to https via nginx, I cannot do it here as the second nodejs app has to stay over http for the moment.

i need to setup my domain with nginx server for node.js project

i have already added CNAME & A Record in my server also i check with nginx command:
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
i write code for my domain example.co & www.example.co: /etc/nginx/sites-available/example.conf
server {
listen 80;
listen [::]:80;
server_name example.co www.example.co;
return 301 $scheme://www.example.co$request_uri;
}
server {
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
server_name example.co www.example.co;
access_log /var/log/nginx/example-co.log;
location / {
proxy_pass "http://127.0.0.1:1000";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
}
IP: 127.0.0.1:1000 node.js project for example.co
my issue is example.co is working fine but www.example.co is not working
also i have write code for my domain sub1.example.co & www.sub1.example.co: /etc/nginx/sites-available/sub1-example.conf
server {
listen 80;
listen [::]:80;
server_name sub1.example.co www.sub1.example.co;
return 301 $scheme://www.example.co$request_uri;
}
server {
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
server_name sub1.example.co www.sub1.example.co;
access_log /var/log/nginx/sub1-example-co.log;
location / {
proxy_pass "http://127.0.0.1:2000";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem; # managed by Certbot
}
IP: 127.0.0.1:2000 node.js project for sub1.example.co,
my sub1.example.co is not working
You need to add www.example.co to your server block with 443:
server {
.....
server_name example.co www.example.co;
.....
}
For your subdomain, suggest to use another file for your server blocks configuration using the same format: one server block for 80 and another for 443. :)

Enabling HTTPS on NGINX for a node js application is not working

I am using a simple "hello world" Express.JS (8080 port) application deployed in Ubuntu Server, with NGINX reverse proxy setup as below.
The application working well for http port but not for https port
nginx version: nginx/1.10.3 (Ubuntu)
OpenSSL 1.0.2g 1 Mar 2016
And my configuration file is like this:
server {
listen 80;
listen 443 default ssl;
server_name localhost;
ssl_certificate /root/mydir/ssl/certificate.crt;
ssl_certificate_key /root/mydir/ssl/private.key;
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
The configuration is working fine for http connection for my domain testdomain.com, but completely failing for https://testdomain.com or https://www.testdomain.com
What went wrong with this configuration?
SSL certs are generated by sslforfree.com.
server {
listen 80;
server_name example.com;
# force redirect http to https
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443;
ssl on;
ssl_certificate /root/mydir/ssl/certificate.crt;
ssl_certificate_key /root/mydir/ssl/private.key;
server_name example.com;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
....
}

How to configure nginx from http to https

I had a Ubuntu Node.js server working with my http://www.example.com website.
I used httpx://localhost:3000 to do my testing, then when I deployed it to Ubuntu,
I still had to enter the port (www.example.com:3000). I was told to implement a
reverse proxy to remove the port 3000 requirement. I installed nginx and added the
following:
sudo nano /etc/nginx/sites-available/default
----------Delete all then Copy / Paste--------------------------
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This worked, and removed the requirement to enter port 3000.
Then I found out I needed to run my app with a SSL/Certificate.
I was able to make the nginx changes to get it working as https://www.example.com:3000.
But now I need to get rid of the port 3000 requirement.
I tried the same reverse proxy setting that I used for http:, but that did not work.
How do I configure nginx to remove the port 3000 requirement.
Below is what is currently happening when I enter it in my browser:
http://67.205.128.21 - Works
http://example.com - Redirects to https://example ; Error: Redirects too many times
http://www.example.com - Redirects to https://example ; Error: Redirects too many times
http://example.com:3000 - Works
http://www.example.com:3000 - Works
Current nginx configureation:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
location ~ /.well-known {
allow all;
}
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This should work:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
location ~ /.well-known {
allow all;
}
}
Then, either in the same file or a different file, add an additional server block.
# SSL configuration
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
server_name example.com;
location / {
proxy_pass http://67.205.128.21:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I think the problem was that you only had one server block, and so when the redirect is executed, it falls in that same server block and then redirects again.

Resources