Reverse proxy nginx port 443 to Node App with SSL - node.js

I have setup my express & node app to use my letsencrypt ssl certs as so
var options = {
key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem')
};
// Create an HTTP service.
http.createServer(app).listen(3060);
// Create an HTTPS service identical to the HTTP service.
https.createServer(options, app).listen(3061);
I can reach my API at domain.com (hitting port 80 in nginx)
But I can't reach it if I hit https://example.com (port 443)
However I can reach it if I open up port 3061 and request https://example.com:3061 and it works correctly with SSL
My question is, how do I setup nginx to correctly forward requests on port 443 to my server on port 3061 for SSL.
Do I need to include the cert information as suggested elsewhere, if my app is dealing with it?
My nginx config is like this:
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://localhost:3060;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 443 ssl;
server_name example.com;
location / {
proxy_pass https://localhost:3061;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Thanks

Related

Can't link domain name to IP (Nothing displays)

I have bought a domain (http://qify.app) on google Domains
When opening Chromium / Firefox I don't have any thing coming out of it (ERR_CONNECTION_REFUSED).
My current setup:
An EC2 AWS machine running my nodeJS backend on port 3000 (localhost)
A nGinx reverse proxy to redirect all inbound port 80 to 3000 (the backend) current nginx config: at /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name localhost;
root /usr/share/nginx/html;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Also I can curl 15.237.134.217 just as much as curl qify.app (and get the correct html)
<!DOCTYPE html><html>
...
</html>
Final nginx version (working for me, I needed two server blocks)
server {
listen 443 ssl http2 ipv6only=off;
server_name qify.app;
ssl_certificate /etc/letsencrypt/archive/qify.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/archive/qify.app/privkey.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
keepalive_timeout 70;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server { # Redirects all port 80 to 443 (with a 301 redirect)
listen [::]:80 http2 ipv6only=off;
server_name qify.app www.qify.app;
return 301 https://qify.app$request_uri;
}
The .app TLD has a baked-in HSTS policy to always use HTTPS on any .app domain. Both Chrome and Firefox, along with several other browsers, include .app in their preloaded HSTS policy list. This means that these browsers will always lead with https on port 443. See https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/ as a reference to this https requirement.
The nginx config file you showed indicates that it is only listening on port 80. This is why the curl http://qify.app works, since it uses port 80, and doesn't have the preloaded HSTS list that those web browsers do.
Generate a certificate for your domain, and configure nginx to listen on port 443, and your browsers will be able to access it that way.

Cannot reach Node.js application over HTTPS

I have an node.js application that is running on port 3000.
Infront of it i run an nginx reverse proxy. It works fine for port 80. I have tried to install an certificate with certbot. Now i have the certificate and set up my proxy to redirect all non HTTPS traffic to HTTPS and on the port 443 i listent to it and pass my connection to my application. Somehow my browser is pending and i dont know why.
Here i have added 2 server blocks:
server {
server_name mywebsite.at www.mywebsite.at;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mywebsite.at/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mywebsite.at/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
server_name mywebsite.at www.mywebsite.at;
listen 80;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
In this case i can enter http://mywebsite.at but i cant enter https://mywebsite.at. It says "cant reach the website". Any idea why this error appears?
I have runned sudo nginx -t there are no erros.
I have found the problem guys. My port 443 was not open. ufw allow 443 fixed the issue.

Nginx reverse proxy to NodeJS App causing 502 bad gateway error

I am setting up nginx so that I can access my API built using express through a url like - example.com/api
Here is my nginx config
upstream appfrontend {
server localhost:9008 fail_timeout=0;
}
upstream api {
server localhost:3001;
}
server {
listen 80;
listen [::]:80;
server_name hospoline.com www.hospoline.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443;
server_name example.com; # replace this with your domain
root /var/www/html/example-certbot-webroot;
# The public and private parts of the certificate are linked here
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location /.well-known {
root /var/www/html/example;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://appfrontend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 900s;
}
location /api {
proxy_pass http://api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
When I visit my site example.com the front end loads perfectly.
When I visit example.com/api/fetch_doctors, I get a 502 bad gateway error.
My API is working fine in localhost. When I send a request to localhost:3001 on my local computer, I get the list of doctors.
Both my front end server and backend server are run using forever.
I am really lost and breaking my head about this for one full day. I have no idea where I'm going wrong. Any help in the right direction would be great! Thank you all!

ignore nginx port to add in url? When i change nginx port

I want to use nginx on different port. If i am running nginx on default port(80) and trying to use by the url (100.100.7.60) this is working fine.
server {
listen 80;
server_name 100.100.7.60;
location / {
proxy_pass http://100.100.7.60:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
But when i am changing nginx port 80 to 8080 or to any port. If now i am trying by (100.100.7.60). I am unable to run node.js application. Now if i want to run application my url should be like (100.100.7.60:8080).
server {
listen 8080;
server_name 100.100.7.60;
location / {
proxy_pass http://100.100.7.60:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Can anyone explain me what is problem? I want to change port number. But i do not want to add (:8080) in url. I want to make same url after changing port number
If you want to listen on a different port, you cannot exclude the port number from the URL. When you enter 100.100.7.60 into a browser, the protocol is HTTP and the port is 80 by default.
There is a (very bad) workaround to this:
server {
listen 80;
server_name 100.100.7.60;
return 301 http://100.100.7.60:8080;
}
This will redirect ALL traffic on port 80 to port 8080, which is (I assume) not what you want.
Instead, you should configure your DNS to point to this server using a subdomain eg myapp.example.com and then listen on 80 port with that server name to serve your app.

SSL on nginx acting as a reverse proxy to a node server

I need to access my nodejs api which is reverse proxied by a nginx server over https. To achieve that I generated a self signed cert at location /etc/nginx and then modified the nginx configuration like below:
server {
listen 443;
server_name api.something.com;
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl on;
add_header Strict-Transport-Security max-age=500;
location / {
proxy_pass http://10.132.176.xx:8888; #private ip
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Now whenever I try to access https://api.something.com I always get a connection refused error in google chrome. Plain http works fine. Any clues?

Resources