Nginx noob here, I did look through all previous posts but couldn't find anything specific to my situation.
I'm trying to install a commercial SSL certificate on nginx. After configuring /etc/nginx/sites-available/myapp with the following:
server {
listen 80;
server_name example.com www.example.com;
rewrite ^/(.*) https://example.com/$1 permanent;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/user/example.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/djangodeploy/example.com/rex.sock;
}
}
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /home/user/example.com.chained.crt;
ssl_certificate_key /home/user/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GC$
ssl_prefer_server_ciphers on;
}
After checking syntax everything is fine. HTTPS works well; however, instead of serving the actual website it just returns "Welcome to nginx!"
I've also configured the http directive in /etc/nginx/nginx.conf to include:
http {
ssl_certificate /home/user/example.com.chained.crt;
ssl_certificate_key /home/user/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: $
ssl_prefer_server_ciphers on;
I've heard gzip can cause problems, should I disable it?
Any help would be greatly appreciated!
The HTTPS server block does not proxy to your application, so you will need to add the location / block to it, ending up with this:
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /home/user/example.com.chained.crt;
ssl_certificate_key /home/user/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GC$
ssl_prefer_server_ciphers on;
location / {
include proxy_params;
proxy_pass http://unix:/home/djangodeploy/example.com/rex.sock;
}
}
I'm trying to connect to my backend api, usually anything that is /intApi/<*> gets sent over to different api.domain.com, but for some reason the request changes from post to get.
I'm using nginx to do
server {
listen 80;
listen [::]:80;
server_name api.domain.com www.api.domain.com;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 http2 ssl;
server_name api.domain.com www.api.domain.com;
ssl_certificate /etc/nginx/ssl/live/api.domain.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/api.domain.com/privkey.pem;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://backendDocker:3500/;
}
location ~ /.well-known/acme-challenge/ {
root /usr/share/nginx/web/api;
}
}
To push it further and nginx output is either OPTIONS or GET instead of POST.
What am I doing wrong here? I tried 301/302 redirects. Same issue :/
I am developing a Django web application, using django-allauth in a Docker environment. In my Facebook login redirect URI, I already set the value to be my website URL (https://whizkids.id). But somehow in the redirect URL returned by Facebook, it changes to my Docker container name: web.
https://web.facebook.com/v2.12/dialog/oauth?redirect_uri=https%3A%2F%2Fweb%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F&client_id=2180006765347725&scope&state=xp0mwKV8NW5w&response_type=code&_rdc=1&_rdr
The part redirect_uri=https%3A%2F%2Fweb%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F should be redirect_uri=https%3A%2F%2Fwhizkids.id%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F
I am using nginx + letsencrypt configuration below:
upstream web {
ip_hash;
server web:8000;
}
server {
listen 8000;
server_name whizkids.id www.whizkids.id;
return 301 https://$host$request_uri;
location ~ /.well-known/acme-challenge {
allow all;
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name whizkids.id www.whizkids.id;
ssl_certificate /etc/letsencrypt/live/whizkids.id/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/whizkids.id/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers '...';
location /static/ {
autoindex on;
alias /src/static/;
}
location / {
proxy_pass http://web/;
}
}
Is there any configuration that I missed?
Referring to this answer, you need to set the Host header, either static or dynamic, such as:
upstream web {
ip_hash;
server web:8000;
}
server {
listen 8000;
server_name whizkids.id www.whizkids.id;
return 301 https://$host$request_uri;
location ~ /.well-known/acme-challenge {
allow all;
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name whizkids.id www.whizkids.id;
ssl_certificate /etc/letsencrypt/live/whizkids.id/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/whizkids.id/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers '...';
location /static/ {
autoindex on;
alias /src/static/;
}
location / {
proxy_pass http://web/;
proxy_set_header Host $host; # or whizkids.id
}
}
I am trying to solve nginx redirect to https but when I use www.ozkandurakoglu.com I am getting 414 Request-URI Too Large error. Here is my settings for nginx:
upstream ozkan_server {
server unix:/home/ytsejam/public_html/ozkansimple/run/gunicorn.sock fail_timeout=10s;
}
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 $scheme:https://ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name www.ozkandurakoglu.com;
return 301 $scheme:https://ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name www.ozkandurakoglu.com ozkandurakoglu.com;
client_max_body_size 4G;
root /home/ytsejam/public_html/ozkansimple/;
access_log /home/ytsejam/public_html/ozkansimple/logs/nginx-access.log;
error_log /home/ytsejam/public_html/ozkansimple/logs/nginx-error.log warn;
large_client_header_buffers 6 16k;
...
}
Can you help me?
Thanks
I am answering my own question because I had to change both nginx and gunicorn, which I did not mention in my question. I had to remove $scheme in my server block:
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 https://ozkandurakoglu.com$request_uri;
}
and add
limit_request_line
--limit-request-line INT
4094
The maximum size of HTTP request line in bytes.
to my gunicorn start line.
Edit: finally, days later, the correct settings are here:
server {
listen 80;
server_name ozkandurakoglu.com www.ozkandurakoglu.com;
return 301 https://www.ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name ozkandurakoglu.com;
return 301 https://www.ozkandurakoglu.com$request_uri;
}
server {
listen 443 ssl http2;
server_name www.ozkandurakoglu.com;
access_log /var/log/nginx/ozkandurakoglu.com.access.log;
error_log /var/log/nginx/ozkandurakoglu.com.error.log;
ssl_certificate /etc/letsencrypt/live/www.ozkandurakoglu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ozkandurakoglu.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.ozkandurakoglu.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:64m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-$
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy no-referrer-when-downgrade;
#add_header Content-Security-Policy "default-src https:";
resolver 8.8.8.8 8.8.4.4;
resolver_timeout 5s;
client_max_body_size 4G;
...
}
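The three fixes given in the answers above (a location / with proxy_pass inside the HTTPS server, an explicit Host header for the upstream, and no $scheme in front of an absolute redirect target) can be checked mechanically before a reload. This is an added example, not code from any of the posts: the function names (parse, find, audit) and the finding labels are made up for illustration, and the parser is simplified and does not follow include files. It relies on nginx sending Host: $proxy_host to the upstream when no proxy_set_header Host is configured.

```python
import re

def parse(toks):
    """Consume a token list into a tree of (words, children-or-None) tuples."""
    items, words = [], []
    while toks:
        t = toks.pop(0)
        if t == "}":
            break
        if t in (";", "{"):
            items.append((words, parse(toks) if t == "{" else None))
            words = []
        else:
            words.append(t)
    return items

def find(items, name):
    """Directives called `name` that sit directly inside this block."""
    return [w for w, _ in items if w[:1] == [name]]

def audit(text):
    """Return sorted (server_name, finding) pairs for three mistakes seen on this page."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments (assumes no '#' inside quotes)
    out, stack = [], parse(re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text))
    while stack:
        words, kids = stack.pop()
        if kids is None or words != ["server"]:
            stack.extend(kids or [])  # descend through http { } and similar wrappers
            continue
        name = (find(kids, "server_name") or [["", "_"]])[0][1]
        locs = [k for w, k in kids if w[:1] == ["location"]]
        tls = any("ssl" in w or "443" in w for w in find(kids, "listen"))
        if tls and not any(find(b, d) for b in [kids] + locs for d in ("return", "root", "proxy_pass")):
            out.append((name, "tls-server-serves-default-page"))
        if any(re.match(r"\$scheme:\w+://", r[-1]) for r in find(kids, "return")):
            out.append((name, "redirect-target-has-two-schemes"))
        for loc in locs:
            sets_host = any(h[1:2] == ["Host"] for b in (loc, kids) for h in find(b, "proxy_set_header"))
            for pp in find(loc, "proxy_pass"):
                if not sets_host and not find(loc, "include"):  # an include may set Host
                    out.append((name, "upstream-sees-host:" + re.sub(r"^\w+://", "", pp[1]).split("/")[0]))
    return sorted(out)

# Constructed sample built from the broken snippets quoted on this page.
SAMPLE = """
server { listen 443 ssl; server_name example.com; ssl_certificate /home/user/example.com.chained.crt; }
server { listen 443 ssl; server_name whizkids.id; location / { proxy_pass http://web/; } }
server { listen 80; server_name ozkandurakoglu.com; return 301 $scheme:https://ozkandurakoglu.com$request_uri; }
"""
```

Feeding audit() the output of nginx -T covers included files as well, because that dump contains the whole configuration in one stream.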
Hello I have two domains registered on Route53, www.sample.com and sample.com
Right now www.sample.com's A record is pointing to an elastic ip that is bound to an EC2 (Using Django + Gunicorn + Nginx). www.sample.com website works perfectly fine so I try to reroute sample.com's A record to the same ip, but I keep getting the issue DNS address could not be found. Anyone know why?
Do I have to change the nginx configuration file to be listening to sample.com as well?
Here is the configuration file
server {
listen 80;
server_name www.sample.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name www.sample.com;
# add Strict-Transport-Security to prevent man in the middle attacks
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/nginx/ssl/sample_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/sample_com/sample_com.key;
# side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
root /home/ubuntu/sample_Landing_page/;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/ubuntu/sample_Landing_page/static/static_root/;
expires 365d;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/ubuntu/sample_Landing_page/sample_Landing.sock;
}
}
Here is my nginx configuration
server {
listen 80;
location / {
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://test.com$request_uri?;
}
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/chain.crt;
ssl_certificate_key /etc/ssl/key.crt;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
client_max_body_size 300M;
location / {
root /var/www/html;
index index.html index.htm;
}
}
I configured both http and https to instance port 80 and the certificate.
When I try to hit the website, the redirect works fine, but it takes me to the nginx landing page; it does not seem to read the config on 443.