I am following the AWS documentation to configure HTTPS for a single instance eb application.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html
Below is my configuration file which I amputting in .ebextensions. Please find it below (I have masked the certificate and Key for security purposes.
files:
/etc/nginx/conf.d/https.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# For enhanced health reporting support, uncomment this block:
#if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
# set $year $1;
# set $month $2;
# set $day $3;
# set $hour $4;
#}
#access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
#access_log /var/log/nginx/access.log main;
location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
But when I redeploy the application I am able to access the beanstalk URL via http the moment I try with HTTPs I get "503 Service Temporarily Unavailable" error. Can anyone help me out here.
Related
EDIT:
I have verified that nodejs is running on the correct port, on http, and I have also tried with and without:
app.use('trust proxy', true);
EDIT 2:
I turned off the nodejs server and tried to serve static files just with nginx, and the error persists, so clearly this has something to do with nginx and my ssl cert.
My domain is a free domain from freenom and the ssl certificate was generated with certbot.
Original:
I have a nodejs server running, and want to use nginx and proxy to the nodejs server. (Nginx https -> nodejs http)
Running nginx -t gives no errors.
On ubuntu 20.04.2, nginx 1.18.0 node 14.5.5
I have verified that my site works fine via http (on port 3000), but i get the following error when visiting via browser on https:
ERR_SSL_PROTOCOL_ERROR
Further if i use openssl cli to try and connect, I get this
openssl s_client -connect my_domain.com:443 -servername my_domain.com
CONNECTED(00000003)
139662603941184:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 310 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
/etc/nginx/conf.d/ssl.conf
server {
listen 443 ssl;
ssl_certificate /server/resources/cert.pem;
ssl_certificate_key /server/resources/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
If you use Cloudflare, It may Cloudflare not issued SSL certificate for you yet, or Cloudflare failed to connect to origin with secure connection. Check your dashboard.
Following is the working configuration of nginx.conf
I have also setup SSL with certbot + letsencrypt.
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name example.com www.example.com;
root "/home/ubuntu/domain/code/directory/path/";
index index.html index.htm;
client_max_body_size 75M; # adjust to taste
location /api {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 600s;
}
location / {
try_files $uri $uri/ /index.html;
}
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 1h;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security “max-age=15768000” always;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
I guess the above configuration might solve your issue.
URL is https://www.example.com/api/ping redirects to http://localhost:3000/api/ping on the server.
I have node.js app that runs in https://localhost:8080 and it has localhost.crt and localhost.key i want set server with nginx redirect to https://app.example.com (i have installed another certificate with certbot on this sub domain) now im getting
Unknown ALPN Protocol, expected h2 to be available.If this is a HTTP request: The server was not configured with the allowHTTP1 option or a listener for the unknownProtocol event.
in browser, can someone help me with correct nginx server config? Screenshot
also i'm using Digitalocean Droplets with ubuntu 16.04 to setup this
here is nginx server i have set.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name app.mydomain.com;
ssl_certificate /root/apps/app.mydomain.com/localhost.crt;
ssl_certificate_key /root/apps/app.mydomain.com/localhost.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/app.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass https://localhost:8080;
proxy_read_timeout 90;
proxy_redirect https://localhost:8080 https://app.mydomain.com;
}
}
This:
listen 443;
Should be this:
listen 443 ssl;
Why do you want to proxy traffic to 127.0.0.1 via https? Seems unnecessary
Try this configuration, Hope it works. All the headers are not required it's based on your applications need and how you are serving the requests fro your application.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name app.mydomain.com;
ssl on;
ssl_certificate_key /root/apps/app.mydomain.com/localhost.key;
ssl_certificate /root/apps/app.mydomain.com/localhost.crt;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/app.access.log;
location / {
proxy_set_header Host $host;
proxy_pass http://localhost:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
}
}
I am trying to bind a ssl certificate to nginx but it keeps failing to start i am attaching my config file,
server {
listen 80;
server_name appoye.com;
return 301 https://appoye.com$request_uri;
}
server {
listen 443 ssl;
server_name appoye.com;
root /home/rohit_jain/appoye-beta-old/dist;
# SSL Certs
ssl_certificate /etc/nginx/ssl/appoye.com/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/appoye.com/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
charset utf-8;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
access_log off;
error_log /var/log/nginx/appoye.com-error.log error;
}
Nginx is still not passing my nodejs revser proxy and ssl certificate as well
I'm having an issue with the routing from AWS Elastic Beanstalk single instance from force routing http to https. I've been doing tons of research and have tried over 27+ deployments and reading all the errors on the error.log only to have become super stumped.
Recent deployments i've been getting errors about not enough worker_connections. But I wasn't getting this before.
When I first started I was getting an infinite rerouting loop. Help!
files:
"/etc/nginx/conf.d/000_my_config.conf":
mode: "000755"
owner: root
owner: root
content: |
server {
listen 8081;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
error_page 497 https://$host$request_uri;
location / {
proxy_pass https://localhost;
proxy_redirect off;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
I try to implement ssl in my node.js app but failed. Here is my app.js
https://gist.github.com/eldyvoon/7a1df560fd9d13da74d090e28f7ee801
In development (localhost) I got 'your connection is not private' error. I thought it was Chrome's problem.
So I try to deploy it to my ubuntu server, I use nginx proxy for my node.js app, my config as below
server {
listen 80;
server_name mysite.com;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}
But mysite.com refused to connect. No error in my node's console. I stuck for few days for this, need help. Please note that my site is running fine previously before trying to implement ssl.
You need to listen on port 443 and configure nginx to use some certificates.
Something like:
server {
listen 443;
server_name example.com;
add_header Strict-Transport-Security "max-age=3600";
ssl on;
ssl_certificate /.../chained2.pem;
ssl_certificate_key /.../domain.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}
Add correct paths to your .pem and .key files. You can get the certificate for free from Let's Encrypt.