Configuring nginx to allow only https traffic - linux

I am super new to linux environment, and trying to configure a vps server to only allow https requests. I have read nginx documentation and tried various rewrite and return statements, changing server blocks etc. But what I have achieved so far, site serves on http and https both with following config.
What I want to achieve is to configure this subdomain admin.example.com to serve only https requests.
I am editing the config at this location: /etc/nginx/sites-available/default
server {
listen 80;
server_name admin.example.com;
#return 301 https://admin.example.com$request_uri;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/admin.byrides.com/fullchain.pem; # man aged by Certbot
ssl_certificate_key /etc/letsencrypt/live/admin.byrides.com/privkey.pem; # m anaged by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

You will need to setup two server directives, one for port 80 which will redirect the traffic to port 443.
server {
listen 80;
server_name admin.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/admin.byrides.com/fullchain.pem; # man aged by Certbot
ssl_certificate_key /etc/letsencrypt/live/admin.byrides.com/privkey.pem; # m anaged by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
}
}

Related

ERR_SSL_PROTOCOL_ERROR even though my nginx config is configured

I've deployed an application on Digital Ocean with nginx. I've reverse proxyed my frontend port 8081 and made it ssl secure with Let's Encrypt. Now I need to secure my websocket server on port 8080 to prevent it from giving me this error "ERR_SSL_PROTOCOL_ERROR".
This is my current nginx config
server {
listen 80;
listen 443 ssl;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name mywebsite.com www.mywebsite.com; #managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite/fullchain.pem; #managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite/privkey.pem; #managed by Certbot
location / {
proxy_pass ​http://localhost:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /websocket/ {
proxy_pass ​http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
include /etc/letsencrypt/options-ssl-nginx.conf; #managed by Certbot
include /etc/letsencrypt/ssl-dhparams.pem; #managed by Certbot
}
Am I missing something? I've looked everywhere and what I can tell this setup should be correct?

Nginx reverse proxy for port 3001

I have an express server running on port 3001 which serves a React app.
Lets say that my domain name is example.com;
What I am trying to achieve is:
The possibility to call https://example.net/api/getUsers
Redirecting from http://1.2.3.4:3001/ with port to https://example.net/
Basically redirecting all HTTP calls (whether as IP or domain) to https://example.net/
Could anyone help with setting up that Nginx config?
This is what I currently have under /etc/nginx/sites-available:
server {
server_name 1.2.3.4:3001;
return 301 https://example.net;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
server_name example.net www.example.net;
return 301 https://example.net$request_uri;
}
server {
listen 80;
server_name example.net www.example.net;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Looks like your app is returning redirect with Location: http://1.2.3.4:3001/
You can rewrite it with proxy_redirect and reduce redundant stuff.
server {
listen 80 default_server;
return 301 https://example.net$request_uri;
}
server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name example.net www.example.net;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect http://1.2.3.4:3001/ $scheme://$host/;
}
}
Yes, you can add the following redirect:
server {
listen 1.2.3.4:3001;
return 301 https://example.net;
}
But note your react app. locally listens on localhost:3001
proxy_pass http://localhost:3001;
so ensure react app. is not listening on 1.2.3.4:3001 socket too.
Otherwise, you will get Address already in use error and nginx will fail to start.

nginx redirect www to non-www

i have nginx config on my server, but i'm facing an issue with the url
if access my domain directly using example.com it works (not secure - i have to redirect to https)
also if i tried to access it directly using www.example.com, it won't work and i got this message
so mainly i have two issues:
redirect non-http to https
and redirect www to non-www
my server running nodejs app
This site can’t be reached www.example.com’s server IP address could not be
found. DNS_PROBE_FINISHED_NXDOMAIN
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
location /api {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
To redirect to https, you should have a server block with all your config and listen 443 ssl; in it, and another server block with config like this one:
server {
return 301 https://$host$request_uri;
server_name example.com
listen 80;
}
The www site is a different domain, you should set the ip address to it in your dns server.
Your config for the www site looks ok

Lighthouse returned error: NO_FCP on nginx reverse proxy

I have an express server running behind nginx reverse proxy and Certbot for certification. All my non-www traffic is redirected to www and https but on google page speed non-www version gives the following error "Lighthouse returned error: NO_FCP"
This is for a new Server deployed on AWS EC2 with nodejs installed.
server {
server_name www.compropertee.com compropertee.com;
location / {
proxy_pass https://localhost:3000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.compropertee.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.compropertee.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = compropertee.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name compropertee.com;
return 404; # managed by Certbot
}
all non-www and www requests should be working in google speed test.

nginx server forward request on custom port to node app

I have a VPS server running nginx and i also have a node app running on port 8000. The nginx server house my PHP application and runs well on default webserver port.
I have a custom domainame pointing to the server ip.
I have installed let's encrypt to handle my https traffic and it works for my php app.
i have to capture https traffic on port 8080 and forward the request to my node app on port 8000.
I have tried most of things stackoverflow. i dont know what i'm doing wrong.
Below is a copy of what my nginx server block looks like.
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/repairspots.org/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/repairspots.org/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
// i need to get this portion right
server {
listen [::]:8080 ssl ipv6only=on; # managed by Certbot
listen 8080 ssl;
server_name 0.0.0.0;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 497 https://0.0.0.0:8080$request_uri;
# pass requests to port 8000 where our other node server is running
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://0.0.0.0:8000;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
I was able to fix the issue with the below.
i created /etc/nginx/conf.d/proxy.conf and pasted the server block below.
server {
listen 8080 ssl;
listen [::]:8080 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed$
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # manag$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 497 https://$host:$server_port$request_uri;#enforces https redirect on http traffic
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_ssl_session_reuse off;
proxy_set_header X-Forwarded-Ssl on; #needed incase redirects comes from http
proxy_set_header X-NginX-Proxy true;
rewrite ^/?(.*) /$1 break;
proxy_pass http://127.0.0.1:8000; #node server
proxy_redirect off;
}
}
This was the one thing i wasnt doing at all before. You need to accept internet traffic on the port you're listening on. run the below command inline with the port number.
sudo iptables -A INPUT -p tcp --dport 9000 -j ACCEPT

Resources