DigitalOcean Gateway, internal droplet not accessible - digital-ocean

I am very new to VPCs and am trying to set up one inside DigitalOcean. I followed the tutorial here: https://docs.digitalocean.com/products/networking/vpc/how-to/configure-droplet-as-gateway/ and succeeded in isolating the internal droplet from the rest of the world. However, I am unable to reach it from the internet, i.e. http://mydroplet.com.
My gateway internal IP is 10.103.16.2
My gateway route -n looks like this:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         143.62.0.1      0.0.0.0         UG    0      0       eth0
10.12.0.0       0.0.0.0         255.255.0.0     U     0      0       eth0
10.103.16.0     0.0.0.0         255.255.240.0   U     0      0       eth1
143.62.0.1      0.0.0.0         255.255.192.0   U     0      0       eth0
and my droplet's route -n looks like this:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         10.103.16.2     0.0.0.0         UG    0      0       eth1
10.12.0.0       0.0.0.0         255.255.0.0     U     0      0       eth0
10.103.16.0     0.0.0.0         255.255.240.0   U     0      0       eth1
132.85.28.0     0.0.0.0         255.255.240.0   U     0      0       eth0
169.254.169.254 132.85.28.0     255.255.255.255 UGH   0      0       eth0
So from any server outside the internal network I cannot ping or SSH to the internal droplet. From the gateway I am able to ping/SSH and telnet internal_drop_pub_ip 80.
However, if I go to http://internal_drop_pub_ip I am unable to reach it; I also tried curl internal_drop_pub_ip.
From the internal droplet I am able to ping outside, and if I run curl ifconfig.me I get the gateway's public IP address.
On the internal droplet I have an nginx server running with the standard conf file:
server {
    listen 80;
    listen [::]:80 ipv6only=on;   # ipv6only is a listen parameter; it was misplaced in server_name
    server_name mydroplet.com;    # was "mydroplet.om", a typo for the domain named above
    root /usr/share/nginx/html/;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }

    # A long browser cache lifetime can speed up repeat visits to your page
    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
    }

    # disable access to hidden files
    location ~ /\.ht {
        access_log off;
        log_not_found off;
        deny all;
    }
}
I checked ip -br a and both eth0 and eth1 are UP.
The results of ip route get 8.8.8.8 are:
8.8.8.8 via 10.103.16.2 dev eth1 src 10.103.16.5 uid 0
I am not sure what other information to put here to help troubleshoot this.
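Added example (not part of the question or of the DigitalOcean tutorial): a small Python script that parses the two route -n tables above and performs the same longest-prefix lookup the kernel does for ip route get. It reproduces the line posted above (8.8.8.8 via 10.103.16.2 dev eth1) and shows that, on the internal droplet, that same default route is chosen for any public address, so every reply to an outside host leaves through the gateway on eth1 rather than through eth0. The route text is transcribed from the question; the parse_routes/lookup/describe functions and the output format of describe() are my own.

```python
import ipaddress

# Route tables transcribed from the `route -n` output posted in the question
# (the Use column was not present in the post, so only Metric and Ref are kept).
GATEWAY_ROUTES = """\
0.0.0.0         143.62.0.1      0.0.0.0         UG    0 0 eth0
10.12.0.0       0.0.0.0         255.255.0.0     U     0 0 eth0
10.103.16.0     0.0.0.0         255.255.240.0   U     0 0 eth1
143.62.0.1      0.0.0.0         255.255.192.0   U     0 0 eth0
"""

DROPLET_ROUTES = """\
0.0.0.0         10.103.16.2     0.0.0.0         UG    0 0 eth1
10.12.0.0       0.0.0.0         255.255.0.0     U     0 0 eth0
10.103.16.0     0.0.0.0         255.255.240.0   U     0 0 eth1
132.85.28.0     0.0.0.0         255.255.240.0   U     0 0 eth0
169.254.169.254 132.85.28.0     255.255.255.255 UGH   0 0 eth0
"""


def parse_routes(text):
    """Turn `route -n` rows into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Destination":
            continue                      # skip the header / title lines of real output
        dest, gateway, genmask, flags = parts[:4]
        iface = parts[-1]
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies for `ip route get`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, iface)
    if best is None:
        return None
    net, gateway, flags, iface = best
    return {
        "dst": dst,
        "via": gateway if "G" in flags else None,   # on-link routes (no G flag) have no next hop
        "dev": iface,
        "route": str(net),
    }


def describe(routes, dst):
    """Render a lookup in the style of `ip route get` (my own format, for readability)."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    via = f" via {r['via']}" if r["via"] else ""
    return f"{dst}{via} dev {r['dev']}  (matched {r['route']})"


if __name__ == "__main__":
    droplet = parse_routes(DROPLET_ROUTES)
    gateway = parse_routes(GATEWAY_ROUTES)
    # 203.0.113.5 is a documentation address standing in for "some host on the internet"
    for target in ("8.8.8.8", "10.103.16.2", "169.254.169.254", "203.0.113.5"):
        print("droplet:", describe(droplet, target))
    print("gateway:", describe(gateway, "8.8.8.8"))
```

Running it prints the droplet's path for 8.8.8.8 exactly as ip route get reported it, and the same next hop for 203.0.113.5, while the metadata address 169.254.169.254 and the VPC neighbours stay on their more specific routes.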

Related

Nginx 2 different domains on one server

I'd like to know how to configure nginx to get 2 domains working on one server (1 IP address).
I want to set up a Keycloak SSO next to a BookStack instance.
My issue is that when I want to access bookstack.domain.com it redirects to keycloak.domain.com.
Here's my /etc/nginx/conf.d/keycloak.conf:
upstream keycloak {
    # Use IP Hash for session persistence
    ip_hash;
    # List of Keycloak servers
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name keycloak.domain.com;

    # Redirect all HTTP to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name keycloak.domain.com;

    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/certificate_key.key;
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://keycloak;
    }
}
Here's my /etc/nginx/conf.d/bookstack.conf :
server {
    listen 3480;
    access_log /var/log/nginx/bookstack_access.log;
    error_log /var/log/nginx/bookstack_error.log;
    server_name bookstack.domain.com;
    root /var/www/bookstack/public;
    #
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    #
    return 301 https://$host$request_uri;
}

server {
    listen 5443 ssl http2;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/certificate_key.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AE;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    server_name bookstack.domain.com;

    #HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/bookstack/public;
    access_log /var/log/nginx/bookstack_access.log;
    error_log /var/log/nginx/bookstack_error.log;
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }

    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        access_log off;
    }
}
Please let me know :)
This is exactly the expected nginx behavior for the given configuration. One of the server blocks always acts as the default server for any request arriving on some IP/port combination, no matter what the Host HTTP header value is. Here is the official documentation on this subject. You can use the default_server parameter of the listen directive to explicitly specify the server block that should act as the default server; otherwise it will be the first server block that listens on that IP/port. On multihomed servers things can be more complicated, as discussed here.
Now back to the question. You have four server blocks in your configuration: the first one listens on TCP port 80 (the default port for the http:// scheme), the second one listens on TCP port 443 (the default port for the https:// scheme), one listens on port 3480 and the last one listens on port 5443. Since there is only one server block listening on each port, each server block will act as the default server for any request coming to that port. So if you type http://bookstack.domain.com in your browser address bar, the default port 80 for the http:// scheme will be used and your request will be redirected to https://keycloak.domain.com. You are using
return 301 https://$server_name$request_uri;
for redirection, and the $server_name variable will always be keycloak.domain.com for that server block (read this answer to understand the difference between the $host, $http_host and $server_name variables). If you explicitly specify the port and type http://bookstack.domain.com:3480, your request will be served by the third server block and thus be redirected to https://bookstack.domain.com (here you are using the $host variable, which is right). The default TCP port for the https:// scheme is 443. But the only server block that listens on that port is for keycloak.domain.com! Oops. The only way you can reach your bookstack.domain.com is to type https://bookstack.domain.com:5443 in your browser. And if you correctly understood all the above information, you can type https://keycloak.domain.com:5443 too; it won't make any difference.
Well, I tried to explain what happened here with your nginx configuration. Get rid of the non-standard ports as #Evil_skunk recommends in his answer. Don't forget to clear your browser cache before trying the new configuration: permanent HTTP 301 redirects are often cached by browsers, unlike temporary HTTP 302 redirects.
Your keycloak config seems OK.
It listens on port 80 (http) and port 443 (https), and all requests to 80 (http) are redirected to 443 (https).
Your bookstack config looks wrong to me.
It does not listen on port 80 or 443 (instead it listens on 5443 and 3480). If you don't have some kind of special port forwarding, then I think requests to bookstack.domain.com will never reach the nginx server defined in bookstack.conf, and as a result the only matching server will serve the request => keycloak.
You should change bookstack.conf's listen ports:
server {
    listen 80;
    #... redirect to https
}
server {
    listen 443 ssl;
    #ssl config, webroot, ...
}
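Added example, not from either answer above and not from the nginx project: a Python model of how nginx chooses a server block for a request (exact server_name, longest leading wildcard, longest trailing wildcard, first matching ~regex, then the default_server or the first block on that port) and what the two redirect templates expand to. AS_POSTED is the four blocks from the question; FIXED is the layout the second answer recommends, plus an assumed catch-all default_server block (named "_" here, standing in for a block that returns 444) so that an unknown Host header is not silently answered by whichever block happens to come first in the config. The Server class, select_server() and resolve() are my own constructs, not nginx code.

```python
import re
from dataclasses import dataclass


@dataclass
class Server:
    """One nginx `server { }` block, reduced to what host selection needs."""
    port: int
    names: tuple            # the server_name list; names[0] is what $server_name expands to
    redirect: str = ""      # template of a `return 301 ...;` in the block, if any
    default: bool = False   # `listen ... default_server`


def _nginx_regex(pattern):
    # nginx uses PCRE `(?<name>...)`; Python spells it `(?P<name>...)` (lookbehinds stay untouched)
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def select_server(servers, port, host):
    """Pick the block nginx would use for a request to host:port (nginx's documented order)."""
    candidates = [s for s in servers if s.port == port]
    if not candidates:
        return None                       # nothing listens there: refused / timeout, never nginx
    host = host.lower()
    for s in candidates:                  # 1. exact name
        if any(n.lower() == host for n in s.names if "*" not in n and not n.startswith("~")):
            return s
    best = None                           # 2. longest wildcard starting with "*."
    for s in candidates:
        for n in s.names:
            if n.startswith("*.") and host.endswith(n[1:]) and (best is None or len(n) > len(best[0])):
                best = (n, s)
    if best:
        return best[1]
    best = None                           # 3. longest wildcard ending with ".*"
    for s in candidates:
        for n in s.names:
            if n.endswith(".*") and host.startswith(n[:-1]) and (best is None or len(n) > len(best[0])):
                best = (n, s)
    if best:
        return best[1]
    for s in candidates:                  # 4. first regex name, in configuration order
        for n in s.names:
            if n.startswith("~") and re.search(_nginx_regex(n[1:]), host):
                return s
    for s in candidates:                  # 5. explicit default_server, else the first block on the port
        if s.default:
            return s
    return candidates[0]


def resolve(servers, host, port, uri="/"):
    """What a client asking for host:port uri gets: ("301", location), ("served", name) or unreachable."""
    s = select_server(servers, port, host)
    if s is None:
        return ("unreachable", None)
    if s.redirect:
        location = (s.redirect.replace("$server_name", s.names[0])
                              .replace("$host", host)
                              .replace("$request_uri", uri))
        return ("301", location)
    return ("served", s.names[0])


# The four blocks from the question's keycloak.conf and bookstack.conf.
AS_POSTED = [
    Server(80,   ("keycloak.domain.com",),  redirect="https://$server_name$request_uri"),
    Server(443,  ("keycloak.domain.com",)),
    Server(3480, ("bookstack.domain.com",), redirect="https://$host$request_uri"),
    Server(5443, ("bookstack.domain.com",)),
]

# Both sites on 80/443 as recommended, with an assumed catch-all default_server on each port.
FIXED = [
    Server(80,  ("_",), default=True),
    Server(443, ("_",), default=True),
    Server(80,  ("keycloak.domain.com",),  redirect="https://$host$request_uri"),
    Server(443, ("keycloak.domain.com",)),
    Server(80,  ("bookstack.domain.com",), redirect="https://$host$request_uri"),
    Server(443, ("bookstack.domain.com",)),
]


if __name__ == "__main__":
    for servers, label in ((AS_POSTED, "as posted"), (FIXED, "fixed")):
        for host, port in (("bookstack.domain.com", 80), ("bookstack.domain.com", 443), ("203.0.113.9", 443)):
            print(f"{label:9} {host}:{port} -> {resolve(servers, host, port, '/login')}")
```

With AS_POSTED, a request for bookstack.domain.com on port 80 lands in the only block on that port and is redirected to https://keycloak.domain.com/login because $server_name is fixed per block, and on port 443 it is served by the Keycloak block; with FIXED, the same request reaches the BookStack blocks, and a request carrying an unknown Host header goes to the catch-all instead of to Keycloak.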

How to get Jenkins to show on port 8080 with Nginx, Gunicorn?

I'm trying to set up Jenkins so that I can set up a pipeline for an existing website, but Jenkins does not show up on port 8080.
My project website has been up and running for several months. I'm using Nginx, Gunicorn, Ubuntu 20.04, and Django on an AWS EC2 instance. I'm now trying to set up a pipeline that includes a test/beta environment. This requires Jenkins as per the AWS tutorials. I followed the example from Digital Ocean and this example from Digital Ocean.
When I try the URL https://theafricankinshipreunion.com:8080/, it says the site cannot be reached. When I try the URL https://theafricankinshipreunion.com (without the port), it takes me to the Unlock Jenkins page. After I enter the password from sudo cat /var/lib/jenkins/secrets/initialAdminPassword, the web browser just goes to a blank page. Looking at the page source, this page is the Setup Wizard [Jenkins] page, but the display is blank.
The result of sudo systemctl status jenkins is active.
The result of sudo ufw status for port 8080 is ALLOW. On AWS, the EC2 inbound rules include port 8080 TCP from 0.0.0.0/0 and ::/0. So it appears that port 8080 is open. Checking for port use, netstat -nlp | grep 8080 returned tcp6 0 0 127.0.0.1:8080 :::* LISTEN -. I killed the process and restarted nginx, gunicorn, and jenkins. Same result: the domain with port 8080 cannot connect, but the domain without it goes to the Unlock Jenkins page.
I did look up other help pages, such as the reverse proxy page from Jenkins, but I'm not sure how to integrate that into my current setup. Your assistance is greatly appreciated.
My /etc/nginx/sites-available/myproject file is as follows:
server {
    listen 80;
    server_name 3.131.27.142;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/ubuntu/myprojectdir;
    }
    location /media/ {
        root /home/ubuntu/myprojectdir;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
        proxy_connect_timeout 300s;
        proxy_read_timeout 300s;
    }
}

server {
    server_name theafricankinshipreunion.com www.theafricankinshipreunion.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/ubuntu/myprojectdir;
    }
    location /media/ {
        root /home/ubuntu/myprojectdir;
    }
    location / {
        include /etc/nginx/proxy_params;
        # proxy_pass http://unix:/run/gunicorn.sock;
        proxy_pass http://localhost:8080;
        proxy_connect_timeout 300s;
        proxy_read_timeout 300s;
        proxy_redirect http://localhost:8080 https://theafricankinshipreunion.com;
    }

    # SSL Configuration
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/theafricankinshipreunion.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/theafricankinshipreunion.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    access_log /var/log/nginx/jenkins.access.log;
    error_log /var/log/nginx/jenkins.error.log;
}

# skipped lines show similar blocks for other domains

server {
    if ($host = www.theafricankinshipreunion.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = theafricankinshipreunion.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name theafricankinshipreunion.com www.theafricankinshipreunion.com;
    return 404; # managed by Certbot
}
And my /etc/default/jenkins file is as follows (with the last line added because of the instructions from DigitalOcean):
# defaults for Jenkins automation server
# pulled in from the init script; makes things easier.
NAME=jenkins
# arguments to pass to java
# Allow graphs etc. to work even when an X server is present
JAVA_ARGS="-Djava.awt.headless=true"
#JAVA_ARGS="-Xmx256m"
# make jenkins listen on IPv4 address
#JAVA_ARGS="-Djava.net.preferIPv4Stack=true"
PIDFILE=/var/run/$NAME/$NAME.pid
# user and group to be invoked as (default to jenkins)
JENKINS_USER=$NAME
JENKINS_GROUP=$NAME
# location of the jenkins war file
JENKINS_WAR=/usr/share/$NAME/$NAME.war
# jenkins home location
JENKINS_HOME=/var/lib/$NAME
# set this to false if you don't want Jenkins to run by itself
# in this set up, you are expected to provide a servlet container
# to host jenkins.
RUN_STANDALONE=true
# log location. this may be a syslog facility.priority
JENKINS_LOG=/var/log/$NAME/$NAME.log
#JENKINS_LOG=daemon.info
# Whether to enable web access logging or not.
# Set to "yes" to enable logging to /var/log/$NAME/access_log
JENKINS_ENABLE_ACCESS_LOG="no"
# OS LIMITS SETUP
# comment this out to observe /etc/security/limits.conf
# this is on by default because http://github.com/jenkinsci/jenkins/commit/2fb288474e980d0e7ff9c4a3b768874835a3e92e
# reported that Ubuntu's PAM configuration doesn't include pam_limits.so, and as a result the # of file
# descriptors are forced to 1024 regardless of /etc/security/limits.conf
MAXOPENFILES=8192
# set the umask to control permission bits of files that Jenkins creates.
# 027 makes files read-only for group and inaccessible for others, which some security sensitive users
# might consider benefitial, especially if Jenkins runs in a box that's used for multiple purposes.
# Beware that 027 permission would interfere with sudo scripts that run on the master (JENKINS-25065.)
#
# Note also that the particularly sensitive part of $JENKINS_HOME (such as credentials) are always
# written without 'others' access. So the umask values only affect job configuration, build records,
# that sort of things.
#
# If commented out, the value from the OS is inherited, which is normally 022 (as of Ubuntu 12.04,
# by default umask comes from pam_umask(8) and /etc/login.defs
# UMASK=027
# port for HTTP connector (default 8080; disable with -1)
HTTP_PORT=8080
# servlet context, important if you want to use apache proxying
PREFIX=/$NAME
# arguments to pass to jenkins.
# --javahome=$JAVA_HOME
# --httpListenAddress=$HTTP_HOST (default 0.0.0.0)
# --httpPort=$HTTP_PORT (default 8080; disable with -1)
# --httpsPort=$HTTP_PORT
# --argumentsRealm.passwd.$ADMIN_USER=[password]
# --argumentsRealm.roles.$ADMIN_USER=admin
# --webroot=~/.jenkins/war
# --prefix=$PREFIX
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"
Use the following command to change the port while running Jenkins:
java -jar jenkins.war --httpPort=9090
If you want to use HTTPS, use the following command:
java -jar jenkins.war --httpsPort=9090

Why does CURL show that the EC2 instance is serving files but cannot access it via Public IP?

I have been trying to get a React/Node application deployed on AWS EC2 using NGINX but can't seem to get the public DNS to load anything.
However, when I curl localhost on the port my Node app is running on (curl localhost:3001), it outputs what I am expecting. But I figured at least my static files should load when I hit the public DNS.
I have attached my conf file here. From my understanding, this should serve the static files at the root. I have also attached my inbound rules, with the HTTP port and the TCP port for my backend being open.
Thanks for any guidance.
/etc/nginx/conf.d/default.conf
server {
    #listen 80;
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    access_log /home/ubuntu/client/server_logs/host.access.log main;

    location / {
        root /home/ubuntu/client/deploy;
        index index.html index.htm;
        try_files $uri /index.html;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    server_tokens off;

    location ~ /\.ht {
        deny all;
    }
}
Here are my security rules
You need to check the communication between nginx and your application. Before that, try curl localhost:80. If this returns the nginx page then, at least via the public DNS, this page must load. If not, run sudo service nginx status and check.
On the other hand, are you using a load balancer with your setup?
A "connection has timed out" error could also be due to the wrong port being requested.

nginx won't respond on some ports

My problem is that I cannot add another port to my existing nginx config.
I have disabled the firewall on the Ubuntu server with this command:
sudo service ufw stop
in sites-available I have this file named file.conf:
server {
    listen 80;
    server_name example.com example.com;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/user/project;
    }
    location /files/ {
        root /home/user/download/;
    }
}

server {
    listen 8080;
    server_name example.com www.example.com;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/project.sock;
    }
}

server {
    listen 8001;
    server_name example.com www.example.com;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/project.sock;
    }
}
I had the 8080 block earlier and it worked in the past and still does, but 8001 is not working. I disabled the firewall, so I think the problem lies elsewhere.
I also ran this command:
sudo netstat -napl | grep 8001
which returned this:
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 3475/nginx -g daemo
Thanks for your help and support.
I've solved the issue!
The problem was that I use Cloudflare for DNS, and Cloudflare only lets me use the ports listed here:
For requests made via HTTP: 80, 8080, 8880, 2052, 2082, 2086, 2095
For requests made via HTTPS: 443, 2053, 2083, 2087, 2096, 8443
Hope it helps other people facing this problem!

Nginx Reverse Proxy with HTTPS not working

I had successfully obtained my SSL certificate and was trying to put it into my AWS server with the NGINX reverse proxy setup; here is the config file:
server {
    listen 80;
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/website.key;
    server_name ~^(?<subdomain>.+)\.example\.com$;

    location / {
        proxy_pass http://www.example.com:8888;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $subdomain.example.com;
        proxy_cache_bypass $http_upgrade;
    }
}
If I change the setting to listen on port 80 then it works fine. I have enabled port 443 in the AWS security group, and here is the result of netstat -tulpn | grep 443:
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
So that means it's already listening on port 443, right? I also made sure that nginx was running as root using ps aux|grep nginx|grep -v grep:
root 11567 0.0 0.3 177080 3060 ? Ss 09:36 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 11568 0.0 0.7 177344 7568 ? S 09:36 0:00 nginx: worker process
I checked the Nginx error log and there is nothing in it, but when I access my URL over https it just shows that it took too long to respond. Is anyone able to help? Thank you.
UPDATE
Here is the result of lsof -i:443:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 1067 root 8u IPv4 2613507 0t0 TCP ip-xxx-xx-xx-xx.us-west-2.compute.internal:49112->xxx-xx-xx-xx:https (ESTABLISHED)
ruby 1067 root 10u IPv4 2552314 0t0 TCP ip-xxx-xx-xx-xx.us-west-2.compute.internal:43384->s3-us-west-2-r-w.amazonaws.com:https (CLOSE_WAIT)
nginx 12571 root 7u IPv4 2592465 0t0 TCP *:https (LISTEN)
nginx 12572 www-data 7u IPv4 2592465 0t0 TCP *:https (LISTEN)
aws 26403 root 14u IPv4 1903428 0t0 TCP ip-xxx-xx-xx-xx.us-west-2.compute.internal:39960->xxx-xx-xx-xx:https (CLOSE_WAIT)
aws 26403 root 15u IPv4 2613578 0t0 TCP ip-xxx-xx-xx-xx.us-west-2.compute.internal:55192->xxx-xx-xx-xx:https (CLOSE_WAIT)
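Added example, not from any of the posts above: a Python parser for netstat -nlp / netstat -tulpn output that classifies each TCP LISTEN socket by its bind address. It is written for the three netstat lines quoted on this page: the Jenkins question's 127.0.0.1:8080 (loopback only, so from outside it is reachable only through the nginx proxy on 443, which matches what that poster saw), and the 0.0.0.0:8001 and 0.0.0.0:443 lines in the last two questions (bound on all interfaces, so a remote timeout points at something outside the process: ufw, the cloud security group, or Cloudflare's port list). The NETSTAT_SAMPLE text is constructed from those lines plus one extra sshd row; the advice() wording and function names are my own.

```python
import ipaddress

# Constructed sample: the three `netstat` lines quoted in the questions above plus one extra row,
# with the two header lines real `netstat -nlp` output starts with.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      -
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      3475/nginx -g daemo
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      812/sshd
"""


def bind_scope(addr):
    """Classify the local address a listening socket is bound to."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:        # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:           # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"


def parse_listeners(text):
    """Extract TCP LISTEN sockets from `netstat -nlp` / `netstat -tulpn` output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # tcp/tcp6 rows have: proto recv-q send-q local foreign state [pid/program ...]
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses such as "::" intact
        listeners.append({
            "proto": parts[0],
            "addr": addr,
            "port": int(port),
            "scope": bind_scope(addr),
            "program": " ".join(parts[6:]) or "-",  # "-" when netstat could not read the owner
        })
    return listeners


def advice(listener):
    """Where to look next when a remote client cannot connect to this port."""
    if listener["scope"] == "loopback-only":
        return ("bound to loopback: only processes on this host (e.g. a reverse proxy) can reach it; "
                "remote clients must go through the proxy, or the service must bind a routable address")
    if listener["scope"] == "all-interfaces":
        return ("bound to all interfaces: the host accepts the port, so a timeout points outside the "
                "process: host firewall (ufw), cloud security group / network ACL, or an intermediary "
                "such as Cloudflare that only forwards certain ports")
    return "bound to one address: make sure clients connect to that address, not another one on the host"


def externally_bound_ports(listeners):
    """Ports that a packet arriving on a non-loopback interface could be delivered to."""
    return sorted({l["port"] for l in listeners if l["scope"] != "loopback-only"})


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_SAMPLE)
    for l in found:
        print(f"{l['proto']:5} {l['addr']}:{l['port']:<6} {l['program']:<22} {advice(l)}")
    print("externally bound ports:", externally_bound_ports(found))
```

Feed it the output of sudo netstat -nlp from the box in question; a service that shows up only under loopback-only is not a firewall or security-group problem, while one that shows up under all-interfaces needs the checks listed in advice() rather than more nginx changes.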