Here is my nginx configuration
server {
    listen 80;
    location / {
        if ($http_x_forwarded_proto != 'https') {
            rewrite ^ https://test.com$request_uri?;
        }
    }
}
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/chain.crt;
    ssl_certificate_key /etc/ssl/key.crt;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2;
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    client_max_body_size 300M;
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}
I configured both HTTP and HTTPS to instance port 80 and the certificate.
When I try to hit the website, the redirect works fine but it takes me to the nginx landing page; it does not seem to read the config on 443.
Related
I am hosting a Django website on DigitalOcean. I wish to access my website's IP using https with a self-signed cert, as Let's Encrypt does not provide certificates for public IP addresses. I followed this guide and wrote an nginx server block. I can access https://example-ip-address with:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include /etc/nginx/snippets/self-signed.conf;
    include /etc/nginx/snippets/ssl-params.conf;
    server_name 123.123.12.123;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/user/djangotemplates;
    }
    location / {
        include /etc/nginx/proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name 123.123.12.123;
    return 301 https://$server_name$request_uri;
}
And I can access https://example.com and https://www.example.com with a Let's Encrypt SSL cert by following this, and this is the server block I wrote:
server {
    server_name www.example.com example.com;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/user/djangotemplates;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name www.example.com example.com;
    return 404; # managed by Certbot
}
The problem here is when I put both server blocks into one single configuration file and access https://example-ip-address, the connection is then not encrypted. However, it works fine for https://example.com and https://www.example.com. Any idea what went wrong here?
I just started my django website live on digital ocean - and I received an error email 'Invalid HTTP_HOST header: '123.123.12.123'. You may need to add '123.123.12.123' to ALLOWED_HOSTS.' So, I added the ip address in the ALLOWED_HOSTS. And I think it's safer to visit the ip address with https.
I suggest you use certbot instead of a self-signed certificate:
https://certbot.eff.org
I am developing a Django web application, using django-allauth in a Docker environment. In my Facebook login redirect URI, I already set the value to be my website URL (https://whizkids.id). But somehow, in the redirect URL returned by Facebook, it changes to my Docker container name: web.
https://web.facebook.com/v2.12/dialog/oauth?redirect_uri=https%3A%2F%2Fweb%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F&client_id=2180006765347725&scope&state=xp0mwKV8NW5w&response_type=code&_rdc=1&_rdr
The part redirect_uri=https%3A%2F%2Fweb%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F should be redirect_uri=https%3A%2F%2Fwhizkids.id%2Faccounts%2Ffacebook%2Flogin%2Fcallback%2F
I am using nginx + letsencrypt configuration below:
upstream web {
    ip_hash;
    server web:8000;
}
server {
    listen 8000;
    server_name whizkids.id www.whizkids.id;
    return 301 https://$host$request_uri;
    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name whizkids.id www.whizkids.id;
    ssl_certificate /etc/letsencrypt/live/whizkids.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/whizkids.id/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers '...';
    location /static/ {
        autoindex on;
        alias /src/static/;
    }
    location / {
        proxy_pass http://web/;
    }
}
Is there any configuration that I missed?
Referring to this answer, you need to set the Host header, either static or dynamic, such as:
upstream web {
    ip_hash;
    server web:8000;
}
server {
    listen 8000;
    server_name whizkids.id www.whizkids.id;
    return 301 https://$host$request_uri;
    location ~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name whizkids.id www.whizkids.id;
    ssl_certificate /etc/letsencrypt/live/whizkids.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/whizkids.id/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers '...';
    location /static/ {
        autoindex on;
        alias /src/static/;
    }
    location / {
        proxy_pass http://web/;
        proxy_set_header Host $host; # or whizkids.id
    }
}
Nginx noob here, I did look through all previous posts but couldn't find anything specific to my situation.
I'm trying to install a commercial SSL certificate on nginx. After configuring etc/nginx/sites-available/myapp with the following:
server {
    listen 80;
    server_name example.com www.example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/user/example.com;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/djangodeploy/example.com/rex.sock;
    }
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /home/user/example.com.chained.crt;
    ssl_certificate_key /home/user/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GC$
    ssl_prefer_server_ciphers on;
}
After checking syntax everything is fine. The https works well, however instead of serving the actual website it just returns "Welcome to nginx!"
I've also configured the http directive in /etc/nginx/nginx.conf to include:
http {
    ssl_certificate /home/user/example.com.chained.crt;
    ssl_certificate_key /home/user/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: $
    ssl_prefer_server_ciphers on;
I've heard gzip can cause problems, should I disable it?
Any help would be greatly appreciated!
The HTTPS server block does not proxy to your application, so you will need to add the location / block to it, ending up with this:
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /home/user/example.com.chained.crt;
    ssl_certificate_key /home/user/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GC$
    ssl_prefer_server_ciphers on;
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/djangodeploy/example.com/rex.sock;
    }
}
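The two faults diagnosed in the answers above (an HTTPS server block with nothing to serve, and a proxy_pass location that does not forward Host, so the upstream sees the proxy_pass host such as "web") can be checked mechanically before a reload. The Python linter below is an added example, not code from any of the posts; its parser is a simplification that handles only plain directives and braces, and SAMPLE is constructed from configs quoted on this page.

```python
import re
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(tokens, i=0):  # nest tokens into (words, children); children is None for a directive
    block, words = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "}":
            break
        if tok in (";", "{"):
            children = None
            if tok == "{":
                children, i = parse(tokens, i)
            block.append((words, children))
            words = []
        else:
            words.append(tok)
    return block, i

def args(body, directive):  # argument lists of `directive` found directly inside one block
    return [w[1:] for w, _ in body or [] if w[:1] == [directive]]

def lint(conf):
    """Return (server_name, finding) pairs for server blocks that listen on 443."""
    tree, _ = parse(TOKEN.findall(re.sub(r"#[^\n]*", "", conf)))
    findings = []
    for words, body in tree:
        if words != ["server"] or not any("443" in " ".join(a) for a in args(body, "listen")):
            continue
        name = (args(body, "server_name") or [["_"]])[0][0]
        locations = [b for w, b in body if w[:1] == ["location"] and b is not None]
        if not locations and not args(body, "root") and not args(body, "return"):
            findings.append((name, "no location/root/return: default page is served"))
        for loc in locations:
            # proxy_set_header is inherited from the server level only if the location sets none
            headers = args(loc, "proxy_set_header") or args(body, "proxy_set_header")
            forwards_host = any(a and a[0].lower() == "host" for a in headers)
            # an include (e.g. proxy_params) may set Host; its contents are not visible here
            if args(loc, "proxy_pass") and not args(loc, "include") and not forwards_host:
                findings.append((name, f"Host not forwarded: upstream sees host of {args(loc, 'proxy_pass')[0][0]}"))
    return findings

# Constructed sample, abridged from two of the HTTPS server blocks quoted on this page.
SAMPLE = """
server { listen 443 ssl; server_name example.com www.example.com; }
server { listen 443 ssl http2; server_name whizkids.id www.whizkids.id;
         location /static/ { alias /src/static/; }
         location / { proxy_pass http://web/; } }
"""
print(*lint(SAMPLE), sep="\n")
```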
I have a single-container Docker running a React environment on Elasticbeanstalk with Nginx. I pointed a subdomain to the ELB URL, and want to force a HTTPS redirection if you visit the subdomain (i.e. you type subdomain.domain.com and it should redirect you to HTTPS).
Now, if I visit the default ELB URL (something.eu-central-1.elasticbeanstalk.com), it will be redirected to HTTPS. But I want my custom domain (which is parked somewhere else but points to something.eu-centralblabla with a CNAME) to be forced to use HTTPS as well, but it doesn't happen. It allows regular HTTP requests.
I've tried several guides and followed AWS documentation, but I cannot seem to force it to redirect to HTTPS on my custom subdomain.
These are my files:
/.ebextensions folder
http-instance.config
files:
  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS Server
      server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate /etc/pki/tls/certs/server.crt;
        ssl_certificate_key /etc/pki/tls/certs/server.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;
        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;
          proxy_set_header Connection "";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
#SSL CRT and KEY below
https-instance-single.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
/nginx folder
default.conf
server {
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.html index.htm;
    try_files $uri $uri/ /index.html?/$request_uri;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    error_page 500 504 /500.html;
    error_page 502 /502.html;
    error_page 503 /503.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
    location ~ ^/(favicon|static)/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        # add_header Last-Modified "";
        # add_header ETag "";
        open_file_cache max=1000 inactive=500s;
        open_file_cache_valid 600s;
        open_file_cache_errors on;
        break;
    }
}
What am I doing wrong? Thanks for your help!
You should be able to manage this in your nginx config by adding this within the server context:
set $redirect_to_https 0;
if ($http_x_forwarded_proto != 'https') {
    set $redirect_to_https 1;
}
if ($redirect_to_https = 1) {
    rewrite ^ https://$host$request_uri? permanent;
}
Or something to that effect.
Route all http traffic to https:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
Then handle the proxy stuff in the 443 block.
Hello, I have two domains registered on Route53, www.sample.com and sample.com.
Right now www.sample.com's A record is pointing to an elastic ip that is bound to an EC2 (Using Django + Gunicorn + Nginx). www.sample.com website works perfectly fine so I try to reroute sample.com's A record to the same ip, but I keep getting the issue DNS address could not be found. Anyone know why?
Do I have to change the nginx configuration file to be listening to sample.com as well?
Here is the configuration file
server {
    listen 80;
    server_name www.sample.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.sample.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /etc/nginx/ssl/sample_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/sample_com/sample_com.key;
    # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /home/ubuntu/sample_Landing_page/;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        alias /home/ubuntu/sample_Landing_page/static/static_root/;
        expires 365d;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/sample_Landing_page/sample_Landing.sock;
    }
}