I'm trying to enforce the SSL protocol in a Jelastic Environment.
My setup is:
one node, with a Nginx Load balancer (+ public ip + custom ssl certificate) and a NodeJS application server.
The SSL setup is working, but I want to enforce the use of HTTPS, not HTTP (a redirect).
I've tried to modify the nginx.conf but no success.
Any ideas how should I do that?
Create the config file /etc/nginx/conf.d/nginx_force_https.conf and add the lines below:
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}
It will redirect all configured sites to https.
If you want only exact site example.com:
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
Make sure that you have these includes enabled in /etc/nginx/nginx.conf
include /etc/nginx/nginx-jelastic.conf;
in /etc/nginx/nginx-jelastic.conf:
include /etc/nginx/conf.d/*.conf;
Check for errors in the configuration:
sudo service nginx configtest
Reload configuration (this would be enough to make changes "work"):
sudo service nginx reload
Check if all works as expected. Restart the whole webserver (if needed):
sudo service nginx restart
The detailed answer can be found in this post: "Force www. and https in nginx.conf (SSL)".
Consider the following nginx config file:
server {
    # "listen ... ssl" replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /etc/tls/cert.pem;
    ssl_certificate_key /etc/tls/key.pem;
    location / {
        proxy_pass http://api.default.svc.cluster.local;
    }
}
All incoming TCP requests on 443 should redirect to my server running on api.default.svc.cluster.local:80 (which is a node REST-Api btw). This works fine, I can curl https://<nginx-IP>/ nginx and get a correct response, as expected.
Now, I'd like to change the location from / to /api, so I can fire a curl https://<nginx-IP>/api in order to get the same response as before.
1. Attempt
So I change the location line in the config to:
location /api {
Unfortunately this won't work, instead I get an error Cannot GET /api which is a node error, so obviously it gets routed to the api but something's still smelly.
2. Attempt
It seems the trailing slash in a URI is required, so I added it to the location:
location /api/ {
Now something changed. I don't get the same error as before; instead I get a "301 moved permanently". How can I fix my nginx config file?
Additional information regarding the environment
I'm using a kubernetes deployment that deploys the nginx reverse proxy incl. the config introduced. I then expose nginx using a kubernetes service. Also, I tried using kubernetes ingress to deal with this situation, using the same routes, however, the ingress service would respond with a default backend - 404 message.
As mentioned in the question, trailing slashes in URIs are important. I fixed this in the location, however, I didn't add it to the URI I pass using proxy_pass.
As for the nginx proxy I got it to work using the following config:
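server {
    # "listen ... ssl" replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /etc/tls/cert.pem;
    ssl_certificate_key /etc/tls/key.pem;
    location /api/ {
        # trailing slash here as well: the matched "/api/" prefix is replaced by "/"
        proxy_pass http://api.default.svc.cluster.local/;
    }
}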
Concerning the ingress solution, I was not able to get it to work by adding the missing trailing slash to the path. The service is specified by its name and therefore no trailing slash can be added (i.e. it would result in an error).
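The path mapping behind both attempts and the fix above, side by side, as an added example that is not part of the original posts. The upstream name "backend" and the loopback ports are placeholders, and variant D goes beyond the thread to show the opposite slash mismatch.

```nginx
# Added example. "backend" and the loopback ports are placeholders; each variant
# has its own server block only so that all four can be loaded side by side.
upstream backend {
    server 127.0.0.1:3000;
}

# A: proxy_pass without a URI part forwards the request URI unchanged.
#   GET /api        -> upstream sees /api   (the "Cannot GET /api" of attempt 1)
#   GET /api/users  -> upstream sees /api/users
server {
    listen 127.0.0.1:8081;
    location /api {
        proxy_pass http://backend;
    }
}

# B: prefix location ending in "/", proxy_pass still without a URI part.
#   GET /api        -> nginx itself answers 301, redirecting to /api/ (attempt 2)
#   GET /api/users  -> upstream sees /api/users (prefix is still not stripped)
server {
    listen 127.0.0.1:8082;
    location /api/ {
        proxy_pass http://backend;
    }
}

# C: slash on both sides; the matched prefix "/api/" is replaced by "/".
#   GET /api/       -> upstream sees /
#   GET /api/users  -> upstream sees /users
#   GET /api        -> still the 301 to /api/
server {
    listen 127.0.0.1:8083;
    location /api/ {
        proxy_pass http://backend/;
    }
}

# D: slash on proxy_pass only; "/api" is replaced by "/" and the rest is appended.
#   GET /api        -> upstream sees /
#   GET /api/users  -> upstream sees //users
server {
    listen 127.0.0.1:8084;
    location /api {
        proxy_pass http://backend/;
    }
}
```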
I have one IP address on my Linux box, and would like to serve HTTPS websites in this form:
https://landing.example.com
https://site-01.example.com/index.html
https://site-01.example.com/files/index.html
https://site-01.example.com/store/index.html
https://site-02.example.com/index.html
https://site-02.example.com/files/index.html
https://site-02.example.com/store/index.html
Each of these websites is a Docker container on the same host, so my idea was to set up an NginX reverse proxy Docker container.
There are many howto's about NginX as reverse proxy, but what I want to do is different from the textbook example, as I have HTTPS, multiple sub-domains and multiple URLs.
Questions
Does anyone know of howto's that deal with this type of setup, or perhaps can tell me what the technical key words I should search for are?
At this point I don't know where to start, so any help will be much appreciated.
You need to add A-records to your DNS manager that will redirect all your subdomains to the IP address of the host machine.
Then in your NGINX config you can do something like this.
server {
    listen 80;
    server_name landing.example.com;
    location /static {
        alias /home/example-dir/staticfiles;
    }
    access_log /home/example-dir/nginx-access.log;
    error_log /home/example-dir/nginx-error.log info;
}
server {
    listen 80;
    server_name site-01.example.com;
    location /static {
        alias /home/example-dir2/staticfiles;
    }
}
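For the HTTPS, multi-sub-domain, multi-path layout the question asks about, one possible reverse-proxy configuration follows as an added example, not taken from the answer above. The wildcard certificate paths, the container names and ports, and the choice of one container per path are all assumptions; the file is meant to be included in the http context (for example from conf.d).

```nginx
# Added example. The wildcard certificate path, container names and ports are
# assumptions; nginx and the site containers share one user-defined Docker network.
ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;
ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;

# Port 80: redirect only the host names that are actually served here.
server {
    listen 80;
    server_name landing.example.com site-01.example.com site-02.example.com;
    return 301 https://$host$request_uri;
}

# Any other Host header on port 80: close the connection without a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Port 443: one server block per sub-domain, selected by SNI / Host header.
server {
    listen 443 ssl;
    server_name landing.example.com;
    location / {
        proxy_pass http://landing:8080;
    }
}

server {
    listen 443 ssl;
    server_name site-01.example.com;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto https;

    location / {
        proxy_pass http://site01-web:8080;
    }
    # Trailing slash on both sides strips the prefix before proxying.
    location /files/ {
        proxy_pass http://site01-files:8080/;
    }
    location /store/ {
        proxy_pass http://site01-store:8080/;
    }
}
# site-02.example.com: a second block of the same shape with its own containers.
```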
As is known, Amazon does not support HTTPS connections with a custom URL to a static site located on S3.
To solve the problem I configured:
Route53 with custom domain
Load Balancer (ELB) to redirect port 443 to 80 + to install SSL license on it
Amazon Linux server + nginx on it for http redirection to domain name that Amazon provided for S3
On Amazon Linux I configured in /etc/nginx/conf.d/virtual.conf:
server {
    listen 80;
    server_name my_root_domain.com;
    rewrite ^ $scheme://my_root_domain.com.us-east-1.amazonaws.com/$request_uri? permanent;
}
URL I get on web browser is "my_root_domain.com.us-east-1.amazonaws.com" instead of my_root_domain.com
Second question: I also want to redirect www.my_root_domain.com to S3
Thanks for any help, I just started with nginx.
You want to use nginx as a forward proxy, probably something like:
server {
    listen 80;
    server_name my_root_domain.com;
    location / {
        proxy_pass http://my_root_domain.com.us-east-1.amazonaws.com;
    }
}
I have the below nginx conf file:
upstream entry {
    server 127.0.0.1:3001;
}
server {
    listen 80;
    server_name 127.0.0.1;
    location / {
        proxy_pass http://entry/;
    }
}
Whenever I hit http://127.0.0.1:80/, it will be redirected to 127.0.0.1:3001. In the same way if I hit http://127.0.0.1:3001/ it should be redirected to nginx server.
Any help on this will be really helpful.
If I am getting it correctly, you want http://127.0.0.1:3001/ (node http server) to redirect to http://127.0.0.1:80/ (nginx), which in turn will redirect to http://127.0.0.1:3001/ (node http server). Why on earth would you want to do that? You can use the node proxy module to do that if you want to fall inside an infinite for loop.
But generally, sane people will use nginx as a reverse proxy (80->3001) and block port 3001 for any outside communication through a firewall.
There are several questions on SO about nginx subdomain configuration, but I didn't find one that is exactly the same as mine.
Say I got a virtual host some.example.com from higher-level net admin example.com at our organization. I want to use some.example.com as my primary site and use foo.some.example.com and bar.some.example.com for auxiliary usage (proxy, etc). I tried this simple configuration and put it under sites-enabled but didn't work:
server {
    listen 80;
    server_name some.example.com;
    root /home/me/public_html/some;
    index index.html index.htm;
}
server {
    listen 80;
    server_name foo.some.example.com;
    root /home/me/public_html/foo;
    index index.html index.htm;
}
server {
    listen 80;
    server_name bar.some.example.com;
    root /home/me/public_html/bar;
    index index.html index.htm;
}
In this setting some.example.com works fine, but for the other two the browser returns that it could not find foo.some.example.com. I'm running it on an Ubuntu server.
Is there something wrong with this configuration? Or is it something I should talk to higher level net admin (make foo.some.example.com and bar.some.example.com to be registered)?
Sub-domain configuration starts with an entry in the DNS server of the parent domain and the lookup resolves the sub-domain to an IP address of the web server. The web server in turn delegates the requests based on its configuration for the sub-domain.
If you don't have a DNS setup in your sub-domain, then the admin at example.com needs to set up a CNAME alias. The alias points the subdomain to the same web server, which hosts the website for the parent domain. The canonical names (CNAMES) are added for each of the subdomains. Once the subdomain is resolved to the IP address of the web server, the web server can route the request to a different website.
CNAME is just a way to get the web traffic to your IP address. The request will still include the original name in the Host: header.