Nginx configuration for SSL - linux

When I try to open my site with SSL I get the error ERR_CONNECTION_RESET.
There is no information in logs.
Port 443 is open in firewall. On http everything works fine.
CentOS7 (Linux domain.com 3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Nov 6 15:06:03 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux)
nginx version: nginx/1.6.2
OpenSSL 1.0.1e-fips 11 Feb 2013
Here is my nginx config file:
server {
    listen 80;
    listen 443 ssl;
    server_name domain.com www.domain.com;

    #SSL config
    ssl on;
    ssl_certificate /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    root /home/main/www;
    access_log /var/log/nginx/domain.com-access.log main buffer=16k;
    error_log /var/log/nginx/domain.com-dev-error.log warn;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt { access_log off; log_not_found off; }
    location ~ /\. { access_log off; log_not_found off; deny all; }
    location ~ ~$ { access_log off; log_not_found off; deny all; }

    # the dot has to be escaped, otherwise it matches any character
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|xml|swf|flv|eot|ttf|woff|pdf|xls|htc|html|unity3d)$ {
        add_header Pragma "public";
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        log_not_found off;
        expires 360d;
    }
    location ~ /\.ht {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~* \.php$ {
        #rewrite ^/(.*)/$ /$1 permanent;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        include /etc/nginx/fastcgi_params;
    }

    location / {
        index index.php;
        try_files $uri /index.php?$args;
    }
}
Telnet results:
[user@localhost ~]$ telnet domain.com 80
Trying 123.45.67.89...
Connected to domain.com.
Escape character is '^]'.
^]
HTTP/1.1 400 Bad Request
Server: nginx/1.6.2
Date: Thu, 18 Dec 2014 13:13:20 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
Connection closed by foreign host.
[user@localhost ~]$ telnet domain.com 443
Trying 123.45.67.89...
Connected to domain.com.
Escape character is '^]'.
Connection closed by foreign host.
Problem was solved. I found this line in the global config file:
server { listen 443 ssl; server_name _; access_log off; error_log off; return 444; }
After removing it, all works fine.

– Guliy Boris

listen 443 ssl is correct in this setup. It allows the regular and SSL definitions to be in the same block but tells nginx to only enable SSL on the port 443 requests.
The problem is possibly with your cert file. Check this question on the same issue: SSL configuration on nginx 1.6

"Listen 443 ssl" looks redundant. you should put "Listen 443" (and keep the "ssl on" later on the config)

Related

Client IP is sometimes undefined in a Nodejs app hosted in Ubuntu with CloudFlare and Nginx

I have a rather unusual problem with my app. The app heavily depends on the client's IP, which is sometimes undefined. What I mean is, if there are, say, 10 visits to my app in a day, I can see 7 of my clients' IPs but 3 of them return undefined.
The app doesn't have a problem, which I can say for sure because it was working perfectly fine when it was hosted on shared hosting with CloudFlare and without Nginx. But this issue started when I migrated to an Ubuntu 20.04 VPS with Nginx and CloudFlare.
I followed this tutorial from CloudFlare hoping that it would solve the problem, but it didn't.
Now I don't know what I should do to fix this. So here I am, hoping someone would figure it out.
Here's how I am getting the client IP in an app endpoint:
const clientIp = req.header( 'cf-connecting-ip' ) || req.header( 'true-client-ip' );
Here's what the nginx.conf file looks like:
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    proxy_hide_header X-Powered-By;
    add_header X-Frame-Options SAMEORIGIN;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Here's the app config file:
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com www.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
    }

    location /blog/ {
        access_log /var/log/nginx/blog-example.org_access.log;
        error_log /var/log/nginx/blog-example.org_error.log;
        root /var/www/html/example.com;
        index index.php;
        if (!-f $request_filename) {
            rewrite [^/]$ $uri/ permanent;
        }
        try_files $uri $uri/ /blog/index.php?$args;
        location ~ \.php {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            include fastcgi_params;
        }
    }

    #CLOUDFLARE
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;

    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
UPDATE
I don't know if this is the reason or not, but I am getting GET requests to my homepage with this: /xdebug_session_start=phpstorm. I really don't know what that is, and I'm doubting that whenever it's making the request, the IP is returning undefined.
UPDATE
I have analyzed the request headers when the client IP was undefined. Here are the headers of 3 requests:
headers: {
    connection: 'upgrade',
    host: '63.250.33.76',
    'user-agent': 'Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)',
    accept: '*/*',
    'accept-encoding': 'gzip'
}
headers: {
    connection: 'upgrade',
    host: '63.250.33.76'
}
headers: {
    connection: 'upgrade',
    host: 'www.example.com',
    'user-agent': 'Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: scaninfo@expanseinc.com'
}
Does anybody know what these mean?
Is it possible that these clients are reaching your application directly and not via Cloudflare? For example, if your server is not configured to accept traffic only from the Cloudflare IP ranges, then someone could be reaching your app directly, and it could explain why CF-Connecting-IP is not set in some scenarios.
More information at this documentation page
I am not that familiar with Cloudflare, but can you add the "x-real-ip" header in your code and check?
const clientIp = req.header( 'cf-connecting-ip' ) || req.header( 'true-client-ip' ) || req.header( 'x-real-ip' );
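The point of the accepted reasoning above is that CF-Connecting-IP is only meaningful when the request actually came through Cloudflare; a client that reaches the origin directly can omit it, or set it to anything. The following is an added example, not code from the question or its answers: an Express-style middleware that trusts the header only when the peer that delivered the request lies inside Cloudflare's published ranges (the list is the one from the nginx config in the question). Because the app sits behind nginx, the socket peer is always nginx itself, so the example assumes nginx forwards the address it saw in a constructed X-Peer-Address header (set from nginx's $realip_remote_addr), and believes that header only when the socket peer is loopback. The function names and sample requests are also constructed for this example.

```javascript
// Added example (not code from the question or its answers): trust
// CF-Connecting-IP only when the delivering peer is a Cloudflare address.
// The X-Peer-Address header, the function names and the sample requests
// are constructed for this example.

const CLOUDFLARE_RANGES = [
  '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '104.16.0.0/13',
  '104.24.0.0/14', '108.162.192.0/18', '131.0.72.0/22', '141.101.64.0/18',
  '162.158.0.0/15', '172.64.0.0/13', '173.245.48.0/20', '188.114.96.0/20',
  '190.93.240.0/20', '197.234.240.0/22', '198.41.128.0/17', '2400:cb00::/32',
  '2606:4700::/32', '2803:f800::/32', '2405:b500::/32', '2405:8100::/32',
  '2a06:98c0::/29', '2c0f:f248::/32',
];

// Parse a dotted-quad IPv4 or textual IPv6 address into a BigInt plus its
// width in bits; returns null for anything that is not a valid address.
function parseIp(text) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(text)) {
    const octets = text.split('.').map(Number);
    if (octets.some((o) => o > 255)) return null;
    return { value: octets.reduce((acc, o) => (acc << 8n) | BigInt(o), 0n), bits: 32 };
  }
  if (!/^[0-9a-fA-F:]+$/.test(text) || text.split('::').length > 2) return null;
  const hasGap = text.includes('::');
  const [head, tail = ''] = text.split('::');
  const headGroups = head ? head.split(':') : [];
  const tailGroups = tail ? tail.split(':') : [];
  const missing = 8 - headGroups.length - tailGroups.length;
  if (hasGap ? missing < 1 : missing !== 0) return null; // '::' stands for at least one zero group
  const groups = headGroups.concat(Array(hasGap ? missing : 0).fill('0'), tailGroups);
  if (groups.some((g) => g.length === 0 || g.length > 4)) return null;
  return { value: groups.reduce((acc, g) => (acc << 16n) | BigInt(parseInt(g, 16)), 0n), bits: 128 };
}

// Is `addrText` inside the CIDR block? Node reports IPv4 peers on a
// dual-stack socket as ::ffff:a.b.c.d, so that prefix is stripped first.
function inCidr(addrText, cidr) {
  const [netText, prefixText] = cidr.split('/');
  const addr = parseIp(String(addrText).replace(/^::ffff:/i, ''));
  const net = parseIp(netText);
  const prefix = Number(prefixText);
  if (!addr || !net || addr.bits !== net.bits || !(prefix >= 0 && prefix <= net.bits)) return false;
  const hostBits = BigInt(net.bits - prefix);
  return (addr.value >> hostBits) === (net.value >> hostBits);
}

function isCloudflareAddress(addrText) {
  return CLOUDFLARE_RANGES.some((cidr) => inCidr(addrText, cidr));
}

// The address that delivered the request to this hop. Behind nginx the
// socket peer is nginx itself, so the address nginx saw is read from the
// assumed X-Peer-Address header, believed only when the socket peer is the
// loopback proxy; anyone else talking to the app directly cannot assert it.
function peerAddressOf(req) {
  const socketPeer = String((req.socket && req.socket.remoteAddress) || '');
  const forwarded = req.headers['x-peer-address'];
  const fromLocalProxy = /^(::ffff:)?127\.\d+\.\d+\.\d+$|^::1$/.test(socketPeer);
  return fromLocalProxy && forwarded ? String(forwarded) : socketPeer;
}

function resolveClientIp(req) {
  const peer = peerAddressOf(req);
  const claimed = req.headers['cf-connecting-ip'];
  if (isCloudflareAddress(peer) && claimed && parseIp(String(claimed).replace(/^::ffff:/i, ''))) {
    return { ip: String(claimed), viaCloudflare: true, peer };
  }
  // Direct-to-origin request, or a CF-Connecting-IP header supplied by a
  // non-Cloudflare peer: only the peer address itself can be trusted.
  return { ip: peer, viaCloudflare: false, peer };
}

// Express-style middleware: records the decision on the request and calls
// `onDirect` for requests that bypassed Cloudflare, so they can be logged.
function cloudflareClientIp(onDirect) {
  return function middleware(req, res, next) {
    const result = resolveClientIp(req);
    req.clientIp = result.ip;
    req.viaCloudflare = result.viaCloudflare;
    if (!result.viaCloudflare && onDirect) onDirect(result);
    next();
  };
}

// Constructed sample requests: one relayed by Cloudflare, one sent straight
// to the origin with a forged CF-Connecting-IP header.
function sampleRequest(socketPeer, headers) {
  return { socket: { remoteAddress: socketPeer }, headers };
}
const viaCloudflare = sampleRequest('127.0.0.1', { 'x-peer-address': '162.158.1.1', 'cf-connecting-ip': '198.51.100.7' });
const direct = sampleRequest('127.0.0.1', { 'x-peer-address': '203.0.113.5', 'cf-connecting-ip': '198.51.100.7' });
cloudflareClientIp((r) => console.log('bypassed Cloudflare:', r.peer))(direct, {}, () => {});
for (const req of [viaCloudflare, direct]) console.log(resolveClientIp(req));
```

The scanner requests shown in the question (Host set to the bare server IP, no CF-Connecting-IP) are exactly the case the fallback branch handles: the peer address is kept as the client IP and the request is flagged as having bypassed Cloudflare, which is the signal that the origin is reachable directly. The CIDR test works on the 128-bit value, so the /29 prefix in the list is honoured rather than compared per hextet.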

Lubuntu Nginx - Phpmyadmin stuck on login

I migrated from apache2 to Nginx on my Lubuntu server.
I configured the phpmyadmin site as follows, and I can successfully navigate to it from localhost:88.
command: sudo nano etc/nginx/sites-available/phpmyadmin
server {
    server_name _;
    listen 88;
    listen [::]:88;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    allow all;
    # access_log logs/host.access.log;
    # error_log logs/host.error.log;
    root /usr/share/phpmyadmin;
    index index.php;

    location / {
        # root /usr/share;
        # index index.php;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # try_files $uri $document_root$fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
        fastcgi_param HTTP_PROXY "";
        fastcgi_param HTTPS on;
        fastcgi_request_buffering off;
    }
}
Even though it works when going to localhost:88, when I try to log in to my console I just get the page refreshed without any error or page change.
What am I missing?
I don't know why, but removing the HTTPS part made it work. Now my config file looks like this:
server {
    server_name _;
    listen 88;
    listen [::]:88;
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    allow all;
    # access_log logs/host.access.log;
    # error_log logs/host.error.log;
    root /usr/share/phpmyadmin;
    index index.php;

    location / {
        # root /usr/share;
        # index index.php;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # try_files $uri $document_root$fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
        # fastcgi_param HTTP_PROXY "";
        # fastcgi_param HTTPS on;
        # fastcgi_request_buffering off;
    }
}
If anyone knows why it works now, I'm curious.

NGINX SSL redirects too often

I am struggling with NGINX and setting up my vhosts. I'm trying to set up a vhost that redirects HTTP requests to HTTPS and then to my application (when it is on 443).
My OS is Ubuntu 16.04 and I am using NGINX 1.10.3.
The nginx.conf looks like this (it's mostly the default):
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
My server blocks / vhosts look like this:
server {
    listen 443 ssl;
    server_name xxx.com;

    # Prevent MITM
    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate "/etc/nginx/ssl/xxx.com.pem";
    ssl_certificate_key "/etc/nginx/ssl/xxx.com.key";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:2237;
    }
}
server {
    listen 80;
    server_name xxx.com;
    return 301 https://$server_name$request_uri;
}
Now the problem is that whether I am using HTTP or HTTPS, it tries to redirect me to HTTPS, so I am stuck in an endless loop of redirects.
I have absolutely no idea where my mistake is.
Every vhost is in a single file. The application on port 2237 is a Node.js Express server. I am also using Cloudflare (I got my SSL certificate from them).
Edit:
Output from curl -I is:
$ curl -I https://example.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 06 Oct 2017 19:42:19 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d827df762e20a4e321b92b34bd15546621507318939; expires=Sat, 06-Oct-18 19:42:19 GMT; path=/; domain=.example.com; HttpOnly
Location: https://example.com/
Server: cloudflare-nginx
CF-RAY: 3a9b1a6a4e4564d5-FRA
You need to use the config below:
server {
    listen 80;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://localhost:2237;
        proxy_redirect http://localhost:2237/ https://$host/;
    }
}
You are using Cloudflare SSL and terminating SSL at Cloudflare, so you should just be listening on port 80. Your earlier config was redirecting port 80 back to HTTPS and sending the request to Cloudflare, which then sent it to your nginx port 80, creating an infinite loop.

nginx can't load css, js from webpack output

I use Vue.js with webpack for development. In dev it runs smoothly, but unfortunately after npm run build (run in nginx) nginx can't load the assets; look at this:
x GET http://localhost/static/css/app.335db141d4c13fd545c8362771dbe30a.css
x GET http://localhost/static/js/manifest.a8a366914bb58ec98264.js
x GET http://localhost/static/js/vendor.538766e755f95e4f1561.js
x GET http://localhost/static/js/app.23582232aa46a8daf39d.js
x GET http://localhost/static/js/manifest.a8a366914bb58ec98264.js
x GET http://localhost/static/js/vendor.538766e755f95e4f1561.js
x GET http://localhost/static/js/app.23582232aa46a8daf39d.js
This is the nginx conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
This is the default conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /usr/share/nginx/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
This is the error displayed:
[screenshot of the browser error]
Please give me a solution, or ask for more details.
Try to update your nginx.conf:
sendfile off;

Nginx, Express.js and Node on port 80

I run my Express.js app on port 8000 and I want to use localhost rather than localhost:8000 in my dev environment.
I'm on Mac OS X El Capitan and using nginx 1.8.0.
I get 502 Bad Gateway and ERR_CONNECTION_TIMED_OUT errors.
I stop nginx via sudo pkill nginx and start it with sudo nginx. I also use pm2 and start it via sudo pm2 start bin/www --watch; there's no problem here, I can access my app at localhost:8000.
I installed nginx via homebrew.
/etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
Here's my nginx.conf in /usr/local/etc/nginx:
user myusernameishere staff;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    include /usr/local/etc/nginx/sites-enabled/*;
}
sites-enabled/default.conf
server {
    listen 80;
    server_name 127.0.0.1 localhost;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8000;
    }
}
/usr/local/etc/nginx/nginx.conf.default
#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        listen 8080;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;

    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;

    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;

    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
    include servers/*;
}
Upgrade is a header from HTTP/1.1; you may need to include proxy_http_version 1.1; when using it.
Try this for your sites-enabled/default.conf:
upstream backend {
    server localhost:8000;
}

server {
    listen 80;
    server_name 127.0.0.1 localhost;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://backend;
    }
}
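Three of the questions on this page were resolved by spotting one directive in a config nobody had read end to end: the catch-all `server { listen 443 ssl; server_name _; return 444; }` in the first question, `fastcgi_param HTTPS on;` handed to PHP on the plain port-88 listener in the phpMyAdmin question, and `proxy_set_header Upgrade` without `proxy_http_version 1.1;` in the question just above. The following is an added example, not code from any of the posts: a small linter that parses the nginx directive tree (the same shape `nginx -T` prints) and reports those three patterns. Directive names are nginx's own; the finding codes, helper names and the sample configuration are constructed for this example.

```javascript
// Added example (not code from any post on this page): a minimal nginx
// config linter that flags the three patterns behind the questions above.
// Directive names are nginx's own; finding codes, helper names and the
// sample configuration are constructed for this example.

const TOKEN_RE = /\s+|#[^\n]*|"([^"]*)"|'([^']*)'|([;{}])|([^\s;{}"']+)/g;

// Split config text into word and punctuation tokens, dropping comments.
function tokenize(text) {
  const tokens = [];
  for (const m of text.matchAll(TOKEN_RE)) {
    if (m[3]) tokens.push({ text: m[3], punct: true });
    else if (m[1] !== undefined || m[2] !== undefined || m[4] !== undefined) {
      tokens.push({ text: m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[4], punct: false });
    }
  }
  return tokens;
}

// Build a tree of { name, args, block }; block is null for simple directives
// ("listen 80;") and an array of child directives for blocks ("server { }").
function parseConfig(text) {
  const tokens = tokenize(text);
  let pos = 0;
  function parseBlock() {
    const out = [];
    while (pos < tokens.length && !(tokens[pos].punct && tokens[pos].text === '}')) {
      const name = tokens[pos++].text;
      const args = [];
      while (pos < tokens.length && !tokens[pos].punct) args.push(tokens[pos++].text);
      const end = tokens[pos++];
      if (!end || end.text === '}') throw new Error(`directive "${name}" is not terminated`);
      out.push({ name, args, block: end.text === '{' ? parseBlock() : null });
      if (end.text === '{') pos++; // consume the closing brace
    }
    return out;
  }
  return parseBlock();
}

// Depth-first walk yielding every directive with its enclosing blocks.
function* walk(directives, ancestors = []) {
  for (const d of directives) {
    yield { d, ancestors };
    if (d.block) yield* walk(d.block, ancestors.concat(d));
  }
}

// True when `name` (with the given first argument, if any) is set in this
// block or inherited from an enclosing one, as nginx resolves settings.
function inScope(block, ancestors, name, firstArg) {
  return ancestors.map((a) => a.block).concat([block]).some((dirs) =>
    dirs.some((x) => x.name === name && (firstArg === undefined || x.args[0] === firstArg)));
}

function lintConfig(text) {
  const findings = [];
  for (const { d, ancestors } of walk(parseConfig(text))) {
    if (d.name === 'server') {
      const listens = d.block.filter((x) => x.name === 'listen');
      const serverName = d.block.find((x) => x.name === 'server_name');
      const where = serverName ? serverName.args.join(' ') : '(no server_name)';
      // 1. a port-443 server that matches any name and resets every connection
      if (listens.some((l) => /(^|:)443$/.test(l.args[0])) &&
          (!serverName || serverName.args.includes('_')) &&
          d.block.some((x) => x.name === 'return' && x.args[0] === '444')) {
        findings.push({ code: 'TLS_CATCHALL_444', where,
          note: 'catch-all server on 443 returns 444: TLS clients it answers see a connection reset' });
      }
      // 2. HTTPS=on handed to PHP although a plain (non-ssl) listener exists
      const forcesHttps = [...walk(d.block)].some(({ d: x }) =>
        x.name === 'fastcgi_param' && x.args[0] === 'HTTPS' && x.args[1] === 'on');
      if (forcesHttps && listens.some((l) => !l.args.includes('ssl'))) {
        findings.push({ code: 'HTTPS_FORCED_ON_PLAIN_LISTEN', where,
          note: 'fastcgi_param HTTPS on makes PHP treat requests on the plain listener as HTTPS' });
      }
    }
    // 3. forwarding Upgrade needs HTTP/1.1 to the upstream (nginx defaults to 1.0)
    if (d.name === 'location' &&
        d.block.some((x) => x.name === 'proxy_set_header' && x.args[0] === 'Upgrade') &&
        !inScope(d.block, ancestors, 'proxy_http_version', '1.1')) {
      findings.push({ code: 'UPGRADE_WITHOUT_HTTP11', where: `location ${d.args.join(' ')}`,
        note: 'Upgrade is forwarded but proxy_http_version 1.1 is not in scope' });
    }
  }
  return findings;
}

// Constructed configuration exhibiting all three patterns.
const SAMPLE_CONFIG = `
http {
  server { listen 443 ssl; server_name _; return 444; }
  server {
    listen 88;
    listen 443 ssl http2;
    server_name pma.example.test;
    location ~ \\.php$ {
      fastcgi_pass unix:/run/php/php-fpm.sock;
      fastcgi_param HTTPS on;   # wrong for the port-88 listener
    }
  }
  server {
    listen 80;
    server_name app.example.test;
    location / {
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_pass http://127.0.0.1:8000;
    }
  }
}`;

for (const f of lintConfig(SAMPLE_CONFIG)) console.log(`${f.code} [${f.where}]: ${f.note}`);
```

Feed it the output of `nginx -T` rather than a single site file: all three findings on this page came from the interaction between files (a catch-all in the global config, a `proxy_http_version` that would have been inherited from `http {}` had it been there), which is only visible on the merged configuration.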
