I'm having an issue with the routing from AWS Elastic Beanstalk single instance from force routing http to https. I've been doing tons of research and have tried over 27+ deployments and reading all the errors on the error.log only to have become super stumped.
Recent deployments i've been getting errors about not enough worker_connections. But I wasn't getting this before.
When I first started I was getting an infinite rerouting loop. Help!
files:
"/etc/nginx/conf.d/000_my_config.conf":
mode: "000755"
owner: root
owner: root
content: |
server {
listen 8081;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
error_page 497 https://$host$request_uri;
location / {
proxy_pass https://localhost;
proxy_redirect off;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
Related
I'm trying to serve two different websites on my Ubuntu 16.04 server.
This is the Website1 configuration in /etc/nginx/sites-available/website1.com:
server {
listen 80;
listen [::]:80;
server_name website1.com www.website1.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name website1.com www.website1.com;
ssl_certificate /etc/nginx/ssl/website1.com.domain.crt;
ssl_certificate_key /etc/nginx/ssl/website1.com.intermediate.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_pass https://127.0.0.1:1337;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
And this is the Website2 configuration in /etc/nginx/sites-available/website2.com:
server {
listen 80;
listen [::]:80;
server_name website2.com www.website2.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name website2.com www.website2.com;
ssl_certificate /etc/nginx/ssl/website2.com.domain.crt;
ssl_certificate_key /etc/nginx/ssl/website2.com.intermediate.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_pass https://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
These two websites I'm trying to serve with nginx are two nodejs applications. One is listening on port 1337 (website1) and one on port 5000 (website2).
If I visit the url https://website1.com I access to the correct website, the website1.
If I visit the url https://website2.com I access to the wrong website, it shows me the website1, instead of the website2. (the url on the top bar is http://website2.com, with a warning for the SSL).
How can I serve two different websites using the same nginx service on the same Ubuntu server?
The redirect problem is due to the invalid SSL certificate. I'm trying to figure out how to make it valid.
So, the nginx configuration is ok.
I have node.js app that runs in https://localhost:8080 and it has localhost.crt and localhost.key i want set server with nginx redirect to https://app.example.com (i have installed another certificate with certbot on this sub domain) now im getting
Unknown ALPN Protocol, expected h2 to be available.If this is a HTTP request: The server was not configured with the allowHTTP1 option or a listener for the unknownProtocol event.
in browser, can someone help me with correct nginx server config? Screenshot
also i'm using Digitalocean Droplets with ubuntu 16.04 to setup this
here is nginx server i have set.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name app.mydomain.com;
ssl_certificate /root/apps/app.mydomain.com/localhost.crt;
ssl_certificate_key /root/apps/app.mydomain.com/localhost.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/app.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass https://localhost:8080;
proxy_read_timeout 90;
proxy_redirect https://localhost:8080 https://app.mydomain.com;
}
}
This:
listen 443;
Should be this:
listen 443 ssl;
Why do you want to proxy traffic to 127.0.0.1 via https? Seems unnecessary
Try this configuration, Hope it works. All the headers are not required it's based on your applications need and how you are serving the requests fro your application.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name app.mydomain.com;
ssl on;
ssl_certificate_key /root/apps/app.mydomain.com/localhost.key;
ssl_certificate /root/apps/app.mydomain.com/localhost.crt;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/app.access.log;
location / {
proxy_set_header Host $host;
proxy_pass http://localhost:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 300s;
}
}
I am trying to bind a ssl certificate to nginx but it keeps failing to start i am attaching my config file,
server {
listen 80;
server_name appoye.com;
return 301 https://appoye.com$request_uri;
}
server {
listen 443 ssl;
server_name appoye.com;
root /home/rohit_jain/appoye-beta-old/dist;
# SSL Certs
ssl_certificate /etc/nginx/ssl/appoye.com/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/appoye.com/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
charset utf-8;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
access_log off;
error_log /var/log/nginx/appoye.com-error.log error;
}
Nginx is still not passing my nodejs revser proxy and ssl certificate as well
I have a reverse proxy with nginx routing to a node web server
I setup (I thought) SSL on the web server, but it looks like when my browser attempts to resolve the https request, no connection ever starts.
I wanted to ask a couple of questions
Where do I setup the SSL? on the reverse proxy where the request is first hit? or the node server where authentication occurs?
What is wrong with my configuration (if that is the problem
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04
This is the tutorial I used
Code included (sorry I totally forgot to include)
server {
listen 443 ssl;
server_name domain www.domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location / {
proxy_pass http://app_server_ip:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://$host$request_uri;
}
1.On the reverse proxy
2.You should configure nginx file as similar following (using upstream parameter):
upstream api-app {
least_conn;
server 127.0.0.1:3000 weight=1 max_fails=0;
}
server {
listen 80;
listen 443 ssl;
server_name api.domain.net;
ssl_certificate /etc/letsencrypt/live/api.domain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.domain.net/privkey.pem;
client_max_body_size 2000M;
large_client_header_buffers 32 128k;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://api-app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I've written a sailsjs based application, deployed in one of my VPS. App is running in production mode using pm2. I can access through public_ip:1338, everything seems normal.
So installed nginx,configured proxy_pass, installed letsencrypt ssl. When I'm trying to access domain, I'm seeing Nginx Default Page with SSL working, not the NodeJS (SailsJS) application.
Here is nginx conf file
server {
listen 80;
server_name domain.net www.domain.net;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;
server_name domain.net;
location / {
proxy_pass http://localhost:1338;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
I need to sort out the issue. Can you guys instruct me to fix the issue?
I had the same problem. Followed this guide and it worked. I did need to include include /etc/nginx/sites-enabled/* in nginx.conf to make it work. And here's what's in my default file in the sites-enabled folder:
server {
listen 443 ssl;
server_name sitename.com www.sitename.com;
ssl_certificate /etc/letsencrypt/live/sitename.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sitename.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDH$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 80;
server_name sitename.com www.sitename.com;
return 301 https://$host$request_uri;
}