I am working on a site (which the name is https://tutumluannev2test.derinpos.com/). I've been trying to add facebook login. At localhost no problem but at staging, I always get this error message:
Insecure Login Blocked: You can’t get an access token or log in to this app from an insecure page. Try reloading the page as https://
it's a ASP.NET Core 2.1 project.
served by nginx from ubuntu 16.04
Valid OAuth Redirect URIs: https://tutumluannev2test.derinpos.com/signin-facebook
https://www.facebook.com/v2.12/dialog/oauth?client_id=201510504064809&scope=public_profile%2Cemail&response_type=code&redirect_uri=http%3A%2F%2Ftutumluannev2test.derinpos.com%2Fsignin-facebook&state=...
nginx.conf:
server {
listen 80
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name tutumluannev2test.derinpos.com;
location / {
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://localhost:5003;
proxy_http_version 1.1;
}
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_certificate /etc/letsencrypt/live/tutumluannev2test.derinpos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tutumluannev2test.derinpos.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
Can anybody help me?
Thanks in advance
Related
I'm trying to deploy a web application to my server. I have put the html files in one folder and I have a django server running on the same server. I am using nginx to set up reverse proxy for the backend but for some reason I'm not able to route to backend urls.
Here is my nginx configuration:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://example.com$request_uri;
}
server {
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
server_name example.com example.com;
root /var/www/html/;
index index.html;
# Let's Encrypt parameters
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
try_files $uri $uri/ = index.html;
}
location /api {
proxy_pass http://unix:/run/gunicorn.sock;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
In the first block..I'm setting fallbacks to index.html because it is an angular app.
The angular app runs fine.
But I'm not able to access the routes of the reverse proxy server, whenever I hit a route with /api/something it takes me back to the angular app i.e index.html
It was very simple, I had to modify the path block like this
location ~^/(admin|api) {
proxy_pass http://unix:/run/gunicorn.sock;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
I am using nginx proxy to force all traffic through HTTPS. However, I have a page (/upload) which posts to /upload-downloadable which then uploads the users files using a stream to aws (bucketname.s3.eu-west-1.amazonaws.com)
It uploads as I can see it on AWS s3 bucket, but doesn't respond back to the server to tell the user? Works without the proxy perfectly, but not with my current config.
So it does Client -> AWS, but AWS->Server/Client doesn't work.
Any ideas?
upstream site {
server 127.0.0.1:1337;
}
upstream project {
server localhost:27017;
}
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name tryhackme.com;
error_page 502 /down.html;
location /down.html {
root /var/www/html;
}
#error_page 500 502 503 504 /var/www/html/down.html;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
#proxy_pass http://127.0.0.1:28017;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 3600;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Looking for this solution for a while now and think I'm pretty close, however...
So I have 5 different VMs running webpages on different ports. For brevity sake lets say 8080 to 8484. I want to have them all listen on 127.0.0.1 and their respective port. I also want nginx to serve as an https and password protected front to a landing page that will redirect the users to these internal sites.
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/home.crt;
ssl_certificate_key /etc/nginx/ssl/home.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location /server1 {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location /server2 {
proxy_pass http://127.0.0.1:8181;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
....
So this will prompt me for the user, pass and redirect to the appropriate page being hosted on that port, but I get an error saying disallowed host at /server1 for an invalid HTTP_HOST header as \127.0.0.1 is not valid.
Is this even possible to do? The servers are running various frameworks, Django, Apache, Tomcat...
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/home.crt;
ssl_certificate_key /etc/nginx/ssl/home.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 101M;
auth_basic "Login required";
auth_basic_user_file /etc/nginx/htpasswd;
location /server1/ {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /server2/ {
proxy_pass http://127.0.0.1:8181/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
I am working on a project using Django, nginx and Gunicorn. Everything is good except for POST requests. Django raise a CSRF error.
I dont know what is missing or wrong in my django and/or nginx conf.
Edit: I found out what was wrong. Because of my exotic SSL port.
I replaced this line in the 'location /' block:
proxy_set_header Host $host;
by:
proxy_set_header Host localhost:8443;
Django error:
Forbidden (403):
CSRF verification failed. Request aborted.
Reason given for failure:
Referer checking failed - https://localhost:8443/accounts/login/ does not match https://localhost/
Here is my nginx conf:
server {
listen 8880;
server_name localhost:8443;
rewrite ^ https://$server_name$request_uri? permanent;
}
#Gunicorn
upstream project {
server localhost:8888;
}
# HTTPS server
server {
listen 8443 ssl default_server;
ssl on;
server_name localhost;
ssl_certificate /path/file.crt;
ssl_certificate_key /path/file.key;
#Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location / {
proxy_pass http://localhost:8888;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 8443;
proxy_set_header Host $host; #Replaced by proxy_set_header Host localhost:8443;
}
}
and in my settings.py:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
Try add in your location / this: proxy_pass_header X-CSRFToken;
https://mydomainName.com --> AWS-ELB [ingress 443 --> egress 80]) --> OmnibusGitlab
Now Omnibus redirects to the following and times out
http://mydomainName.com/users/sign_in
Any way to debug this issue.
Full path has to be in https because if you are going forward via reverse proxy that accepts https and the you have to come back as as https.
Separate the Nginx configuration because Omnibus solution have to constrains that block the flexibility we have on standard nginx.
Do the following to make this change:
edit /etc/gitlab/gitlab.rb
and add
nginx['enable'] = false
web_server['external_users'] = ['www-data'] #for ubuntu nginx user
web_server['external_users'] = ['nginx'] # for centos 6-7
Add the following configuration to enable gitlab via simple nginx
/etc/nginx/site-availabe/server
server {
listen *:443 default_server ssl;
ssl_certificate /etc/ssl/certs/myserver.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
server_name myhostname.com
server_tokens off;
root /opt/gitlab/embedded/service/gitlab-rails/public;
client_max_body_size 50m; #or 5000
access_log /var/log/gitlab/nginx_access.log;
error_log /var/log/gitlab/nginx_error.log;
location / {
try_files $uri $uri/index.html $uri.html #gitlab;
}
location #gitlab {
proxy_read_timeout 300; # Some requests take more than 30 seconds.
proxy_connect_timeout 300; # Some requests take more than 30 seconds.
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://gitlab;
}
error_page 502 /502.html;
}
gitlab-redirect
/etc/nginx/sites-available/gitlab-redirect
server {
listen 80;
server_name myhostname.com;
return 301 https://myhostname.com;
}