Nginx: Wildcard server_name - regex

I'm having trouble ignoring www in my URLs.
I have a wildcard SSL certificate for *.example.com.
My server should respond to https://randomSubDomain.example.com only
and ignore https://www.randomSubDomain.example.com.
My SSL certificate is only valid for https://randomSubDomain.example.com,
not https://www.randomSubDomain.example.com.
Here's my nginx server file:
server {
listen 80;
listen [::]:80;
server_name *.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name *.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
root /var/www/example;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
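The question has no posted answer. As an added illustration (not from the question's author, and not nginx code), here is a small Python model of nginx's server_name selection order: exact name, then the longest leading wildcard, then regular expressions in config order, then the default server for the listen socket. It shows why `server_name *.example.com;` also catches `www.randomSubDomain.example.com` (a leading wildcard matches any number of labels) and why a one-label regex such as `server_name ~^[^.]+\.example\.com$;` does not. The regex config and the catch-all block it implies are an assumption added here, not something the page states; the hostnames are constructed.

```python
import re

# Constructed hostnames for the demonstration; example.com is the placeholder
# domain used in the question, the subdomain labels are invented.
HOSTS = [
    "sub.example.com",
    "www.sub.example.com",
    "a.b.sub.example.com",
    "example.com",
]


def wildcard_matches(pattern, host):
    """Model of an nginx leading-wildcard server_name such as '*.example.com':
    it matches any name ending in '.example.com', however many labels precede
    it, but not the bare 'example.com'."""
    if not pattern.startswith("*."):
        raise ValueError("only leading wildcards are modelled here")
    suffix = pattern[1:]                      # ".example.com"
    return host.endswith(suffix) and len(host) > len(suffix)


def pick_server(host, servers, default="default_server"):
    """Model of nginx's server_name selection: exact name, then the longest
    leading wildcard, then regexes ('~...') in config order, then the default
    server. `servers` is a list of (block name, server_name value) pairs."""
    host = host.lower().rstrip(".")           # nginx matches lower-cased names
    for name, pattern in servers:             # 1. exact match
        if not pattern.startswith(("*", "~")) and pattern == host:
            return name
    best = None                               # 2. longest leading wildcard
    for name, pattern in servers:
        if pattern.startswith("*.") and wildcard_matches(pattern, host):
            if best is None or len(pattern) > len(best[1]):
                best = (name, pattern)
    if best is not None:
        return best[0]
    for name, pattern in servers:             # 3. first matching regex
        if pattern.startswith("~") and re.search(pattern[1:], host):
            return name
    return default                            # 4. default server


# The question's configuration: one block for every name under example.com.
WILDCARD_CONFIG = [("app", "*.example.com")]

# Assumed alternative (not from the page): the app block matches exactly one
# label before example.com, so anything with 'www.' in front falls through to
# the default server for port 443, which can simply `return 444;`.
ONE_LABEL_CONFIG = [("app", r"~^[^.]+\.example\.com$")]


def compare(hosts=HOSTS):
    """For each host: (block chosen by the wildcard config,
    block chosen by the one-label regex config)."""
    return {h: (pick_server(h, WILDCARD_CONFIG), pick_server(h, ONE_LABEL_CONFIG))
            for h in hosts}


if __name__ == "__main__":
    for host, (wild, regex) in compare().items():
        print(f"{host:24} wildcard -> {wild:15} regex -> {regex}")
```

Two practical notes on the assumed catch-all block: a TLS server block that only returns 444 still has to complete the handshake, so it needs either an `ssl_certificate` of its own or, on nginx 1.19.4 and later, `ssl_reject_handshake on;`; and because the wildcard certificate covers only one label, rejecting multi-label names at the server_name level also avoids ever presenting that certificate for a name it does not cover.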

Related

NGINX ERROR :connect() failed (111: Connection refused) while connecting to upstream

I get the error in the title when I cat out the error.log.
This is how I set my website config inside /etc/nginx/site-availables/ArticleWebsite:
server_tokens off;
access_log /var/log/nginx/ArticleWebsite.access.log;
error_log /var/log/nginx/ArticleWebsite.error.log;
# This configuration will be changed to redirect to HTTPS later
server {
server_name backend.globeofarticles.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/backend.globeofarticles.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/backend.globeofarticles.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
}
}
To explain my situation better: backend.globeofarticles.com is the subdomain where the requests are sent from globeofarticles.com or www.globeofarticles.com.
Also, Django has the 127.0.0.1:8000 host as default.
When I access the website (backend subdomain) I get this error:
When checking the network tab, I actually get too many redirects:
with status code 301.
Try this for your nginx config. Then you can reinstall certbot for this domain using certbot --nginx:
server {
server_name backend.globeofarticles.com;
root /var/www/backend.globeofarticles.com/html/;
index index.php index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# A long browser cache lifetime can speed up repeat visits to your page
location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
# disable access to hidden files
location ~ /\.ht {
access_log off;
log_not_found off;
deny all;
}
}

Configuring HTTPS redirect fails

I am hosting a Django application on DigitalOcean. I followed this tutorial to finish its SSL certification. Following that tutorial, I don't know where to add this line of code:
return 301 https://$server_name$request_uri;
I tried adding it in /etc/nginx/sites-enabled/leptitox_pro:
server {
listen 80;
server_name 68.183.203.33 yahkut.com www.yahkut.com;
return 301 https://$server_name$request_uri;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location /media/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
When it didn't work I added it in /etc/nginx/sites-available/leptitox_pro:
server {
listen 80;
server_name 68.183.203.33 yahkut.com www.yahkut.com;
return 301 https://$server_name$request_uri;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location /media/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
It didn't work there either, so I added the server block below in /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
server { # new
listen 80; # new
server_name yahkut.com; # new
return 301 https://$server_name$request_uri; # new
}
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
}
I then restarted nginx and ran nginx -t and got a success message, but when I load the website I get either 404 Not Found or the not-secure version of the website.
Please help me with this. Thank you.
You have to separate the server block running on port 80 and the server block running on port 443 (SSL). Just like this:
server {
listen 80;
server_name 68.183.203.33 yahkut.com www.yahkut.com;
return 301 https://$server_name$request_uri;
# Stop here: everything is redirected to HTTPS, there's nothing left to execute
}
server {
listen 443 ssl;
server_name yahkut.com www.yahkut.com;
ssl_certificate /path/to/certificate/your_domain_chain.crt;
ssl_certificate_key /path/to/your_private.key;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location /media/ {
root /home/leptitoxadmin/pyapps/Leptitox;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
Add these server blocks.
This is to redirect HTTP to HTTPS:
server {
listen 80;
server_name example.com;
location / {
return 301 https://$host$request_uri;
}
}
Your main block with SSL:
server {
listen 443 ssl ;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
index index.html index.htm index.nginx-debian.html;
server_name example.com;
location / {
proxy_pass http://localhost:5003; # Your port goes here
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This goes under /nginx/sites-enabled/default, or you can create different files for it in this folder.

Setup Bitnami Nginx for subdomain

My domain is on AWS server with Bitnami Nginx installation. My goal is to create a subdomain for the test laravel application. Is this the correct bitnami.conf setting?
domain with certificates https://example.com
subdomain without certificates http://dev.example.com
/opt/bitnami/nginx/conf/bitnami/bitnami.conf:
#Rewrite any http requests for (www)example.com to https version.
server {
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
#redirect block
server {
listen 443;
ssl_certificate "/etc/lego/certificates/example.com.crt";
ssl_certificate_key "/etc/lego/certificates/example.com.key";
server_name www.example.com;
return 301 https://example.com$request_uri;
}
#The example.com SSL website, main processing block
server {
listen 443 ssl;
ssl_certificate "/etc/lego/certificates/example.com.crt";
ssl_certificate_key "/etc/lego/certificates/example.com.key";
server_name example.com;
root /opt/bitnami/nginx/html/example.com/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_read_timeout 300;
fastcgi_pass unix:/opt/bitnami/php/var/run/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
}
}
server {
listen 80;
server_name dev.example.com;
root /opt/bitnami/nginx/html/dev.example.com/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_read_timeout 300;
fastcgi_pass unix:/opt/bitnami/php/var/run/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
}
}

How to config the Nginx, then it can provide the Django's media resources?

How to config the Nginx, then it can provide the Django/Django-Rest-Framework's media resources?
On my remote CentOS 7 server, after I deployed my Django/Django-Rest-Framework project, I cannot access the media and static resources through my API.
How can I config Nginx so I can access them?
I tried this in nginx's vhosts_backend.conf, but it did not succeed.
server {
listen 8000;
server_name 103.20.12.76;
access_log /data/ldl/logs/103.20.12.76.access.log main;
location / {
root /var/www/html/website/backend/;
index index.html index.htm;
}
location ~ /media/*\.(jpg|png|jpeg|bmp|gif|swf)$
{
access_log off;
expires 30d;
root /var/www/html/python_backend/myProject;
break;
}
location /media/ {
root /data/ldl/repo/myProject/;
}
location /static/ {
root /data/ldl/repo/myProject/;
}
}
EDIT-1
My Django/Django-Rest-Framework project only provides the APIs, not the template views, and it uses port 8000.
So I am looking for a way in Nginx to access the media and static resources like this:
http://103.20.12.76:8000/media/images/qiyun_admin_websitemanage/logo/logo_01_YGE3YKm.png
You need to use alias. Here is an example:
location /media {
alias /data/ldl/repo/myProject/media;
access_log off;
expires 30d;
}
And here is a full working example of a live site:
# Expires map
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
server {
listen 80;
server_name www.server.example server.example;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name server.example;
ssl_certificate /etc/letsencrypt/live/server.example/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.example/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
charset utf-8;
client_max_body_size 100M;
expires $expires;
access_log /var/log/nginx/server_access.log timed;
error_log /var/log/nginx/server_error.log;
location /media {
alias /home/proj/media;
}
location /static {
alias /home/proj/static;
access_log off;
expires 30d;
## No need to bleed constant updates. Send the whole shebang in one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
location / {
uwsgi_pass unix:///run/server.sock;
include /etc/nginx/uwsgi_params;
}
}
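To make the root-versus-alias point from the answer concrete, here is an added Python model (not from the answerer, and not nginx code) of how nginx picks a location for a URI and which file it then opens. The selection order modelled is: an exact (`=`) match wins outright; otherwise the longest matching prefix is remembered; unless that prefix was declared with `^~`, the first matching regex in config order takes precedence; otherwise the longest prefix is used. `root` appends the whole URI to the directory, while `alias` replaces the matched prefix. The location tables below are copied from the question and the answer; running the model over the image URL from the question also shows that the question's regex location only fires for URIs like `/media.png`, never for files under `/media/images/`. Captures inside regex locations are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Location:
    kind: str                    # "exact" (=), "prefix", or "regex" (~)
    match: str                   # the prefix string or the regex pattern
    root: Optional[str] = None
    alias: Optional[str] = None
    no_regex: bool = False       # models the '^~' prefix modifier


def select_location(uri, locations):
    """Model of nginx location selection (see the lead-in for the order)."""
    for loc in locations:                            # 1. exact match
        if loc.kind == "exact" and loc.match == uri:
            return loc
    prefixes = [l for l in locations if l.kind == "prefix" and uri.startswith(l.match)]
    best = max(prefixes, key=lambda l: len(l.match), default=None)   # 2. longest prefix
    if best is not None and best.no_regex:           # 3. ^~ stops the regex search
        return best
    for loc in locations:                            # 4. first matching regex
        if loc.kind == "regex" and re.search(loc.match, uri):
            return loc
    return best                                      # 5. fall back to the prefix


def map_to_file(uri, loc):
    """root: directory + whole URI.  alias: alias path replaces the matched prefix."""
    if loc.alias is not None:
        if loc.kind != "prefix":
            raise NotImplementedError("alias in a regex location needs captures")
        return loc.alias.rstrip("/") + uri[len(loc.match.rstrip("/")):]
    if loc.root is None:
        raise ValueError("location has neither root nor alias")
    return loc.root.rstrip("/") + uri


# The configuration posted in the question (paths copied from it).
QUESTION = [
    Location("prefix", "/", root="/var/www/html/website/backend/"),
    Location("regex", r"/media/*\.(jpg|png|jpeg|bmp|gif|swf)$",
             root="/var/www/html/python_backend/myProject"),
    Location("prefix", "/media/", root="/data/ldl/repo/myProject/"),
    Location("prefix", "/static/", root="/data/ldl/repo/myProject/"),
]

# The alias form from the answer.
ANSWER = [
    Location("prefix", "/", root="/var/www/html/website/backend/"),
    Location("prefix", "/media", alias="/data/ldl/repo/myProject/media"),
]

# The image URL the question wants to serve.
IMAGE = "/media/images/qiyun_admin_websitemanage/logo/logo_01_YGE3YKm.png"


def resolve(uri, locations):
    """(location that handles `uri`, file path nginx would open)."""
    loc = select_location(uri, locations)
    return loc.match, map_to_file(uri, loc)


if __name__ == "__main__":
    for label, table in (("question", QUESTION), ("answer", ANSWER)):
        print(label, resolve(IMAGE, table))
```

Both tables end up opening `/data/ldl/repo/myProject/media/images/.../logo_01_YGE3YKm.png` for the image, so the prefix-plus-root form and the alias form are equivalent when the directory name equals the URI prefix; alias is what you need when the on-disk directory is named differently from the URI path. What the model also makes visible is that the regex `/media/*\.(jpg|...)$` requires the extension to follow `/media` and any slashes directly, so it never matches the real image path and silently does nothing.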

django + nginx https redirect shows (414 Request-URI Too Large)

I am trying to solve an nginx redirect to https, but when I use www.ozkandurakoglu.com I get a 414 Request-URI Too Large error. Here are my settings for nginx:
upstream ozkan_server {
server unix:/home/ytsejam/public_html/ozkansimple/run/gunicorn.sock fail_timeout=10s;
}
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 $scheme:https://ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name www.ozkandurakoglu.com;
return 301 $scheme:https://ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name www.ozkandurakoglu.com ozkandurakoglu.com;
client_max_body_size 4G;
root /home/ytsejam/public_html/ozkansimple/;
access_log /home/ytsejam/public_html/ozkansimple/logs/nginx-access.log;
error_log /home/ytsejam/public_html/ozkansimple/logs/nginx-error.log warn;
large_client_header_buffers 6 16k;
...
}
Can you help me?
Thanks
I am answering my own question because I had to change both nginx and gunicorn, which I did not mention in my question. I had to remove $scheme in my server block:
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 https://ozkandurakoglu.com$request_uri;
}
and add
limit_request_line (--limit-request-line INT, 4094): The maximum size of HTTP request line in bytes.
to my gunicorn start line.
Edit: finally, days later, the correct settings are here:
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 https://www.ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name ozkandurakoglu.com;
return 301 https://www.ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name www.ozkandurakoglu.com;
access_log /var/log/nginx/ozkandurakoglu.com.access.log;
error_log /var/log/nginx/ozkandurakoglu.com.error.log;
ssl_certificate /etc/letsencrypt/live/www.ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:64m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-$
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy no-referrer-when-downgrade;
#add_header Content-Security-Policy "default-src https:";
resolver 8.8.8.8 8.8.4.4;
resolver_timeout 5s;
client_max_body_size 4G;
...
}
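The answer removes `$scheme` but does not explain why it produced a 414. As an added illustration (not from the answerer, and not nginx code), the Python model below shows the mechanism: `return 301 $scheme:https://ozkandurakoglu.com$request_uri;` on port 80 sends `Location: http:https://ozkandurakoglu.com/`. That string starts with the same scheme as the page the browser is on but has no `//` after it, so a WHATWG-style URL parser treats everything after the first colon as a relative path. The browser therefore requests `http://www.ozkandurakoglu.com/https://ozkandurakoglu.com/`, nginx redirects again with the longer `$request_uri`, and the path roughly doubles on every hop until the request line exceeds a limit and a 414 comes back. The request-line limit used here is the 4094-byte gunicorn default quoted in the answer; nginx's own default for `large_client_header_buffers` (4 8k) is passed as a second case. Query strings are folded into the path for simplicity.

```python
from urllib.parse import urlsplit

GUNICORN_REQUEST_LINE_LIMIT = 4094      # gunicorn default, quoted in the answer
NGINX_HEADER_BUFFER = 8192              # nginx default: large_client_header_buffers 4 8k

BROKEN = "$scheme:https://ozkandurakoglu.com$request_uri"   # the original return 301
FIXED = "https://ozkandurakoglu.com$request_uri"            # the corrected one


def render_redirect(request_url, template):
    """Model of `return 301 <template>`: substitute $scheme and $request_uri."""
    u = urlsplit(request_url)
    request_uri = u.path + (f"?{u.query}" if u.query else "")
    return template.replace("$scheme", u.scheme).replace("$request_uri", request_uri)


def resolve_location(base, location):
    """Resolve a Location header against the request URL the way a WHATWG
    URL parser does for the case that matters here: 'http:https://host/...'
    shares the base's scheme but lacks '//', so the remainder is a relative
    path reference, not a new absolute URL."""
    b = urlsplit(base)
    scheme, _, rest = location.partition(":")
    if rest.startswith("//"):
        return location                          # genuine absolute URL
    if scheme.lower() != b.scheme:
        return location                          # other scheme: left as-is
    if rest.startswith("/"):
        path = rest                              # absolute-path reference
    else:                                        # relative path: replace the
        path = b.path.rsplit("/", 1)[0] + "/" + rest   # base's last segment
    return f"{b.scheme}://{b.netloc}{path}"


def follow(start, template, limit=GUNICORN_REQUEST_LINE_LIMIT, max_hops=50):
    """Follow the redirect chain. Returns ('ok', hops, url) once the client
    lands on https, ('414', hops, url) when the request line would exceed
    `limit`, or ('loop', hops, url) if neither happens within max_hops."""
    url = start
    for hop in range(1, max_hops + 1):
        nxt = resolve_location(url, render_redirect(url, template))
        parts = urlsplit(nxt)
        if parts.scheme == "https":
            return ("ok", hop, nxt)
        request_line = f"GET {parts.path} HTTP/1.1"
        if len(request_line) > limit:
            return ("414", hop, nxt)
        url = nxt


    return ("loop", max_hops, url)


if __name__ == "__main__":
    start = "http://www.ozkandurakoglu.com/"
    for name, template in (("broken", BROKEN), ("fixed", FIXED)):
        status, hops, url = follow(start, template)
        print(f"{name}: {status} after {hops} hop(s), path length {len(urlsplit(url).path)}")
```

The growth is geometric (each hop's path is the previous path plus a fresh copy of it), so the client hits the 4094-byte gunicorn limit on the eighth redirect and nginx's 8k buffer on the ninth; raising `large_client_header_buffers`, as the question's config does, only delays the error by a hop. With the fixed template the first Location is a real absolute `https://` URL and the chain ends after one hop.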