I want to point example.com to localhost:3000 and api.example.com to localhost:3010. Following this and this tutorial I managed to get it to work but it's not very secure. Do you guys have an idea how to restrict it to https only? If I go to http://example.com I get a "Not Secure" by the URL in Chrome.
Here's my default sites Nginx config (the one in /etc/nginx/sites-enabled/default):
server {
# HTTP — redirect all traffic to HTTPS
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
}
Made a config file in /etc/nginx/conf.d/example.com.conf
server {
server_name example.com;
# Use SSL certificates from Letsencrypt
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include SSL config from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:3000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Made another config file in /etc/nginx/conf.d/api.example.com.conf
server {
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:3010/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
The first thing I notice is that your server_name directive is identical in both files, even though you imply that you want your server_name in api.example.com.conf to be api.example.com.
Also, I think you have to specify the ports within the same server blocks as the server_name directive. Maybe try something like below. Since your default conf file does not specify a server_name, I don't think it'll be referenced at all.
/etc/nginx/conf.d/example.com.conf
server {
listen 80 default_server;
listen [::]:80;
server_name example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
# Use SSL certificates from Letsencrypt
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include SSL config from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:3000/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
/etc/nginx/conf.d/api.example.com.conf
server {
listen 80;
listen [::]:80;
server_name api.example.com;
return 301 https://api.example.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:3010/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Related
I have node.js app which is served by NGINX. I can't connect socket.io and keep getting 404 for POST requests to establishing a connection.
It's working locally, so it must be an NGINX problem.
# HTTP - redirect all requests to HTTPS:
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
# HTTPS - proxy requests on to local Node.js app:
server {
listen 443 ssl http2;
server_name example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:8080;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Thanks for any help.
Since Websockets are using the Upgrade header introduced in HTTP 1.1, you'll need to specifically use this protocol in your route and set the Connection header to upgrade.
You'll also need to specify a proxy_pass directive with a unique name.
Your config would be something like that:
upstream sockets {
server localhost:8080;
}
# HTTP - redirect all requests to HTTPS:
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
# HTTPS - proxy requests on to local Node.js app:
server {
listen 443 ssl http2;
server_name example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_pass http://sockets;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_ssl_session_reuse off;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Take a look a the NGINX docs.
https://www.nginx.com/blog/websocket-nginx/
enter chttp {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream websocket {
server 192.168.100.10:8010;
}
server {
listen 8020;
location / {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}
I'm trying to deploy an NGINX server that hosts two node.js Express apps over https.
My main site (the one to be served on port 80) is an Express app running on port 8001. (i.e. https://example.com loads this app)
I'm also running another Express app on port 8002 that I want to be available publicly on port 8080. (i.e. https://example.com:8080 loads this app)
Here is my /etc/nginx/sites-available/default file:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
# Pass requests for / to localhost:8001:
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:8001/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
location ~ /.well-known {
allow all;
}
}
server {
listen 8080 ssl;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;
# pass requests to port 8002 where our other node server is running
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:8002/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
If it's of any additional assistance, I've been following the DigitalOcean guides for configuring https and NGINX
here
and
here.
Remove return 301 https://$server_name$request_uri; from 3rd server block.
I have a reverse proxy with nginx routing to a node web server
I setup (I thought) SSL on the web server, but it looks like when my browser attempts to resolve the https request, no connection ever starts.
I wanted to ask a couple of questions
Where do I setup the SSL? on the reverse proxy where the request is first hit? or the node server where authentication occurs?
What is wrong with my configuration (if that is the problem
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04
This is the tutorial I used
Code included (sorry I totally forgot to include)
server {
listen 443 ssl;
server_name domain www.domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location / {
proxy_pass http://app_server_ip:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://$host$request_uri;
}
1.On the reverse proxy
2.You should configure nginx file as similar following (using upstream parameter):
upstream api-app {
least_conn;
server 127.0.0.1:3000 weight=1 max_fails=0;
}
server {
listen 80;
listen 443 ssl;
server_name api.domain.net;
ssl_certificate /etc/letsencrypt/live/api.domain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.domain.net/privkey.pem;
client_max_body_size 2000M;
large_client_header_buffers 32 128k;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://api-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I have a node js application running on AWS linux server with ssl. I wanted to implement nginx to the same. I googled it and read that if I implement ssl in nginx then the node application runs on http. So I configured the nginx conf as follows and ran the node js application with normal http server:
listen 443 ssl;
server_name myserver.com;
ssl_certificate myserver.chained.crt;
ssl_certificate_key myserver.key;
ssl_client_certificate myserver.crt;
ssl_verify_client optional;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header VERIFIED $ssl_client_verify;
proxy_set_header DN $ssl_client_s_dn;
proxy_pass http://127.0.0.1:3000;
}
Now the application is running on http as well as https. I want the nginx to be implemented and through ssl and the application to run only on https.
Is my approach right and what am I missing?
I see you have the application running on port 3000, what you will want to do so that it only runs on https is to block all requests on port 3000 to the server (using a firewall or security group rules in aws), and for every request on port 80 you will want to redirect them to the https version (port 443). Something like this:
server {
listen 80;
server_name my.domain.com;
return 301 https://$server_name$request_uri;
}
I found the above rule in this answer on serverfault.
upstream app
{
server 127.0.0.1:3000;
}
server
{
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
location ~ ^/(assets/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
root /var/www/example.com/public/;
access_log off;
expires 24h;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://app$uri$is_args$args;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
I'm trying to configure nginx to:
http://www.domain.tld --> https://domain.tld
http://domain.tld --> https://domain.tld
http://api.domain.tld --> https://api.domain.tld
The 'www'-webroot serves static HTML (AngularJS) and the API serves an Node.JS app that should 'upstream' from localhost:3000. I guess I'm in the right direction, however it doesn't seem to work for me. Here's what I've got so far:
upstream api_server {
server localhost:3000;
keepalive 64;
}
server {
listen 80;
server_name api.domain.tld;
return 301 https://api.domain.tld$request_uri;
}
server {
listen 80;
server_name *.domain.tld www.domain.tld;
return 301 https://domain.tld$request_uri;
}
server {
listen 443 ssl;
server_name api.domain.tld;
ssl_certificate /etc/ssl/ssl_cert.crt;
ssl_certificate_key /etc/ssl/ssl_key.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://api_server/;
proxy_redirect off;
}
server {
listen 443 ssl;
server_name *.domain.tld www.domain.tld;
ssl_certificate /etc/ssl/ssl_cert.crt;
ssl_certificate_key /etc/ssl/ssl_key.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
root /var/www/webroot/;
}
Right now this is all in my /etc/nginx/conf.d/domain.tld.conf file.
Any help would be really appreciated.
EDIT:
I've figured it out myself (a bit of help from Tan Hong Tat), so the example is updated.
If you've got any improvements please do tell, I'll update it.
Redirect HTTP to HTTPS in the server block for HTTP. Remove the listen 80 in the HTTPS server block.
server {
listen 80;
server_name domain.tld www.domain.tld;
return 301 https://domain.tld$request_uri;
}
server {
listen 80;
server_name api.domain.tld;
return 301 https://api.domain.tld$request_uri;
}
server {
listen 443 ssl;
server_name domain.tld www.domain.tld api.domain.tld;
location / {
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_cache one;
proxy_cache_key sfs$request_uri$scheme;
proxy_pass http://domain_tld_api_server;
}
}