when i use this code, i'm get error "No such file or directory" , but in docs writed what i can use variables
server {
listen 443 ssl;
server_name ~^(?<sub>.+)\.domain$;
ssl_certificate /etc/letsencrypt/live/$sub.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$sub.domain/privkey.pem;
location /.well-known {
alias /var/www/.well-known;
}
location / {
proxy_pass http://$sub.domain:8000;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Related
I'm trying to use WSO2 Identity Server behind a reverse proxy to not expose ip and port when I use wso2 custom pages like "Create Password" and "Reset Password", but I'm getting an error.
When I try to log in on carbon it redirect to login_action.jsp and it shows:
login_action.jsp - 403 Forbidden.
The steps that I did to configure were:
deployment.toml
[server]
offset = "1"
hostname = "example.com"
node_ip = "xxx.xxx.xx.xxx"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
proxy_context_path = "/is"
[transport.https.properties]
proxyPort = 443
nginx.conf
server {
server_name example.com;
access_log /var/log/nginx/dev_mtz_access.log;
error_log /var/log/nginx/example.com.error_log debug;
proxy_cache one;
proxy_cache_key $request_method$request_uri;
proxy_cache_min_uses 1;
proxy_cache_methods GET;
proxy_cache_valid 200 1y;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/certs/cup.crt;
ssl_certificate_key /etc/letsencrypt/private/cup.key;
rewrite \w*(carbon|admin)$ $1/ permanent;
location /is/ {
proxy_pass https://csm-wso2-is:9444/;
proxy_redirect https://example.com/authenticationendpoint/ https://example.com/is/authenticationendpoint/;
proxy_redirect https://example.com/accountrecoveryendpoint/ https://example.com/is/accountrecoveryendpoint/;
proxy_redirect https://example.com/oauth2/ https://example.com/is/oauth2/;
proxy_redirect https://example.com/carbon/ https://example.com/is/carbon/;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host;
# Proxy timeouts
proxy_connect_timeout 3600s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
}
location /carbon/admin/js/csrfPrevention.js {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://example.com/is/carbon/admin/js/csrfPrevention.js;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
I didn't find any documentation explaining how to achieve, only on WSO2-APIM
If you don't need a subcontext the easiest way is to route everything coming to the root context (/) to port 9443. Here is a sample Nginx config block.
upstream ssl.wso2.is.com {
server xxx.xxx.xxx.xx3:9443;
server xxx.xxx.xxx.xx4:9443;
ip_hash;
}
server {
listen 443;
server_name is.wso2.com;
ssl on;
ssl_certificate /etc/nginx/ssl/wrk.crt;
ssl_certificate_key /etc/nginx/ssl/wrk.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://ssl.wso2.is.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
The documentation is here.
I configured API cluster with Nginx Load Balancer by manuals :
https://docs.wso2.com/display/AM250/Configuring+the+Proxy+Server+and+the+Load+Balancer
https://docs.wso2.com/display/CLUSTER44x/Setting+up+a+Cluster
I tried to use a self-signed certficate or commercial cert for LB, but when i open LB web-page on 443 port i have the same errors in logs:
SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream.
What is the problem?
Nginx config:
upstream server1 {
server x.x.x.x:9443;
}
upstream server2 {
server x.x.x.x:8243;
}
server {
listen 80;
server_name server1.com;
rewrite ^/(.*) https://server1.com/$1 permanent;
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}}
The stack is: Ubuntu // Supervisor // Nginx <--> Gunicorn <--> Django 1.11
Static files folder: /home/sitebiz/sitebiz/static/
Nginx config: /etc/nginx/sites-enabled/site.biz
server {
listen 80;
listen [::]:80;
access_log off;
server_name site.biz;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
#listen 80 ssl;
server_name site.biz;
ssl_certificate /etc/letsencrypt/live/site.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.biz/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#listen 80;
gzip on;
access_log /var/log/nginx-access.log;
error_log /var/log/nginx-error.log;
location /static {
root /home/sitebiz/sitebiz;
internal;
}
location /track {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8899;
break;
}
}
location /income {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8899;
break;
}
}
location / {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8000;
break;
}
}
}
I tried to change the /home/sitebiz/sitebiz/static/ directory and all of its content ownership to sitebiz user and to www-data , but none helped.
Not even Django itself can serve static files and I have no idea why.
From django settings:
SITE_ROOT = os.path.abspath(os.path.dirname(name))
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(SITE_ROOT, 'static')
Thank you in advance.
I have no idea, why, but the solution from the POST works fine
Just execute in shell:
sudo chmod o+x /root
If someone could explain this logic - why root folder must have Execute permission - I would be very thankful (and upvoteful)
Current nginx config:
server {
listen 443 ssl http2;
server_name NAME www.NAME;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
location /static/ {
alias /home/ubuntu/NAME/static_collection/;
}
location /media/ {
alias /home/ubuntu/NAME/media_collection/;
}
location / {
proxy_pass http://localhost:8002;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Everything works, apart from the websockets. I suppose this is because it doesn't deal with the http upgrade header... I've looked at the docs, but I can't figure out how to modify this config without breaking anything else.
Try this. Let me know if it works.
server {
listen 443 ssl http2;
server_name NAME www.NAME;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
location /static/ {
alias /home/ubuntu/NAME/static_collection/;
}
location /media/ {
alias /home/ubuntu/NAME/media_collection/;
}
location / {
proxy_pass http://localhost:8002;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_read_timeout 86400;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
I tried to make run the tutorial from the channels docs on my production server, using ssl.
After a few hours i managed to get a connection but it instantly disconnects :
None - - [12/Mar/2018:17:42:22] "WSCONNECTING /ws/chat/bibou/" - -
None - - [12/Mar/2018:17:42:22] "WSCONNECT /ws/chat/bibou/" - -
None - - [12/Mar/2018:17:42:23] "WSDISCONNECT /ws/chat/bibou/" - -
my stack is
ubuntu 16.04
nginx 1.10.3
channels==2.0.2
daphne==2.1.0
channels-redis==2.1.0
Twisted==17.9.0
I have the exact copy paste of the code from the tutorial, except for this part in room.html
var chatSocket = new WebSocket(
'wss://' + window.location.host +
':8443/ws/chat/' + roomName + '/');
and here is my nginx conf
server {
#http
listen 80;
server_name domain.com;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
#https
listen 443 ssl;
listen 8443 ssl;
server_name domain.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/domain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/domain.com/privkey.pem";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
location /static/ {
root /home/ubuntu;
}
location /media/ {
root /home/ubuntu;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://unix:/home/ubuntu/tlebrize/Project.sock;
}
location /ws/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://unix:/home/ubuntu/tlebrize/Daphne.sock;
}
}
I run daphne with daphne -u Daphne.sock Project.asgi:application -v 3
I also tried bypassing nginx and using sudo daphne -e ssl:8443:privateKey=/etc/letsencrypt/live/domain.co/privkey.pem:certKey=/etc/letsencrypt/live/domain.co/fullchain.pem Project.settings:CHANNEL_LAYERS
but i had the same results.
The front break with the message Chat socket closed unexpectedly with the error code 1011 (Internal Error) and no reason.
I managed to make it work, it was an issue with nginx and/or using ReconnectingWebSocket. here's my whole working conf:
nginx
server {
#http
listen 80;
server_name domain.co;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
#https
listen 443 ssl;
server_name domain.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/domain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/domain.com/privkey.pem";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
location /static/ {
root /home/ubuntu;
}
location /media/ {
root /home/ubuntu;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
location / {...}
}
daphne
sudo /home/ubuntu/venv/bin/daphne -e ssl:8443:privateKey=/etc/letsencrypt/live/domain.com/privkey.pem:certKey=/etc/letsencrypt/live/domain.com/fullchain.pem Project.asgi:application -v 3
js
var chatSocket = new ReconnectingWebSocket(
'wss://' + window.location.host +
':8443/ws/chat/' + roomName + '/');
I had this problem because I've forgot to include CHANNEL_LAYERS to settings.py.
Server was even able to send 1-2 messages before disconnecting.
This was resulting in error 1011 when connecting through nginx and 1006 when connecting directly without https/wss. I tried both uvicorn and daphne.