I am super new to linux environment, and trying to configure a vps server to only allow https requests. I have read nginx documentation and tried various rewrite and return statements, changing server blocks etc. But what I have achieved so far, site serves on http and https both with following config.
What I want to achieve is to configure this subdomain admin.example.com to serve only https requests.
I am editing the config at this location: /etc/nginx/sites-available/default
server {
listen 80;
server_name admin.example.com;
#return 301 https://admin.example.com$request_uri;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/admin.byrides.com/fullchain.pem; # man aged by Certbot
ssl_certificate_key /etc/letsencrypt/live/admin.byrides.com/privkey.pem; # m anaged by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
You will need to setup two server directives, one for port 80 which will redirect the traffic to port 443.
server {
listen 80;
server_name admin.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/admin.byrides.com/fullchain.pem; # man aged by Certbot
ssl_certificate_key /etc/letsencrypt/live/admin.byrides.com/privkey.pem; # m anaged by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
}
}
Related
I've deployed an application on Digital Ocean with nginx. I've reverse proxyed my frontend port 8081 and made it ssl secure with Let's Encrypt. Now I need to secure my websocket server on port 8080 to prevent it from giving me this error "ERR_SSL_PROTOCOL_ERROR".
This is my current nginx config
server {
listen 80;
listen 443 ssl;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mywebsite.com www.mywebsite.com; #managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite/fullchain.pem; #managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite/privkey.pem; #managed by Certbot
location / {
proxy_pass http://localhost:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /websocket/ {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
include /etc/letsencrypt/options-ssl-nginx.conf; #managed by Certbot
include /etc/letsencrypt/ssl-dhparams.pem; #managed by Certbot
}
Am I missing something? I've looked everywhere and what I can tell this setup should be correct?
I have an express server running on port 3001 which serves a React app.
Lets say that my domain name is example.com;
What I am trying to achieve is:
The possibility to call https://example.net/api/getUsers
Redirecting from http://1.2.3.4:3001/ with port to https://example.net/
Basically redirecting all HTTP calls (whether as IP or domain) to https://example.net/
Could anyone help with setting up that Nginx config?
This is what I currently have under /etc/nginx/sites-available:
server {
server_name 1.2.3.4:3001;
return 301 https://example.net;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name example.net www.example.net;
return 301 https://example.net$request_uri;
}
server {
listen 80;
server_name example.net www.example.net;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Looks like your app is returning redirect with Location: http://1.2.3.4:3001/
You can rewrite it with proxy_redirect and reduce redundant stuff.
server {
listen 80 default_server;
return 301 https://example.net$request_uri;
}
server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name example.net www.example.net;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect http://1.2.3.4:3001/ $scheme://$host/;
}
}
Yes, you can add the following redirect:
server {
listen 1.2.3.4:3001;
return 301 https://example.net;
}
But note your react app. locally listens on localhost:3001
proxy_pass http://localhost:3001;
so ensure react app. is not listening on 1.2.3.4:3001 socket too.
Otherwise, you will get Address already in use error and nginx will fail to start.
i have nginx config on my server, but i'm facing an issue with the url
if access my domain directly using example.com it works (not secure - i have to redirect to https)
also if i tried to access it directly using www.example.com, it won't work and i got this message
so mainly i have two issues:
redirect non-http to https
and redirect www to non-www
my server running nodejs app
This site can’t be reached www.example.com’s server IP address could not be
found. DNS_PROBE_FINISHED_NXDOMAIN
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
location /api {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
To redirect to https, you should have a server block with all your config and listen 443 ssl; in it, and another server block with config like this one:
server {
return 301 https://$host$request_uri;
server_name example.com
listen 80;
}
The www site is a different domain, you should set the ip address to it in your dns server.
Your config for the www site looks ok
I have an express server running behind nginx reverse proxy and Certbot for certification. All my non-www traffic is redirected to www and https but on google page speed non-www version gives the following error "Lighthouse returned error: NO_FCP"
This is for a new Server deployed on AWS EC2 with nodejs installed.
server {
server_name www.compropertee.com compropertee.com;
location / {
proxy_pass https://localhost:3000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.compropertee.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.compropertee.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = compropertee.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name compropertee.com;
return 404; # managed by Certbot
}
all non-www and www requests should be working in google speed test.
I have a VPS server running nginx and i also have a node app running on port 8000. The nginx server house my PHP application and runs well on default webserver port.
I have a custom domainame pointing to the server ip.
I have installed let's encrypt to handle my https traffic and it works for my php app.
i have to capture https traffic on port 8080 and forward the request to my node app on port 8000.
I have tried most of things stackoverflow. i dont know what i'm doing wrong.
Below is a copy of what my nginx server block looks like.
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/repairspots.org/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/repairspots.org/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
// i need to get this portion right
server {
listen [::]:8080 ssl ipv6only=on; # managed by Certbot
listen 8080 ssl;
server_name 0.0.0.0;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 497 https://0.0.0.0:8080$request_uri;
# pass requests to port 8000 where our other node server is running
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://0.0.0.0:8000;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
I was able to fix the issue with the below.
i created /etc/nginx/conf.d/proxy.conf and pasted the server block below.
server {
listen 8080 ssl;
listen [::]:8080 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 497 https://$host:$server_port$request_uri;#enforces https redirect on http traffic
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_ssl_session_reuse off;
proxy_set_header X-Forwarded-Ssl on; #needed incase redirects comes from http
proxy_set_header X-NginX-Proxy true;
rewrite ^/?(.*) /$1 break;
proxy_pass http://127.0.0.1:8000; #node server
proxy_redirect off;
}
}
This was the one thing i wasnt doing at all before. You need to accept internet traffic on the port you're listening on. run the below command inline with the port number.
sudo iptables -A INPUT -p tcp --dport 9000 -j ACCEPT