I have installed shopware5 in a docker container and made it to go out with a reverse proxy nginx.
After the installation, the main page of the website works, but when I click on any of it's tabs, it forwards to the container directly and changes the address in the URL to the address and the port of the container. Therefore it shows that the website cant be reached.
I am wondering if this could be something related to the nginx or the shopware itself.
Any advises will be greatly appreciated.
this is the configuration of the proxy:
server {
listen 443 ssl http2;
# listen 80 http2;
server_name domainname.com;
ssl_certificate /etc/nginx/certificates/domainname.crt;
ssl_certificate_key /etc/nginx/certificates/domainname.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve secp384r1;
# root /var/www/html;
error_log /var/log/nginx/domain-error.log;
access_log /var/log/nginx/domain-access.log;
add_header Access-Control-Allow-Origin *;
location / {
proxy_pass http://localhost:8081/;
}
}
Related
I'm running a docker container together with nginx as reverse proxy. With the container itself, there are no issues. After setting it up and running:
sudo lsof -i -P -n | grep LISTEN
I get (amongst other lines) the following result:
docker-pr 1063031 root 4u IPv4 1059993645 0t0 TCP 127.0.0.1:8001 (LISTEN)
My nginx configuration file for my domain (my.domain.de.conf) looks as follows:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name my.domain.de;
return 301 https://$host$request_uri;
}
# SSL configuration
server {
listen 443 ssl;
server_name my.domain.de;
ssl_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.de/privkey.pem;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Enable server-side protection against BEAST attacks
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
If I am trying to access the (web)service I'm getting a 502 bad request error.
If something is missing to provide a valid answer, please let me know.
Thanks in advance!
I'm planning on hosting three websites on a single host, lets call it raspi-dev:
home.redacted.ca, brew.redacted.ca, www.redacted.ca (or redacted.ca)
To enable this, I'm working with a container which is accepting incoming connections on port 80. Here's a snippet of the reverse proxy config:
server {
server_name brew.redacted.ca;
listen 80;
location / {
proxy_pass http://brewweb;
}
}
brewweb being a container named brewweb. The communication works so far. When navigating to http://brew.redacted.ca, I get exactly what I expect:
"GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Firefox/60.0" "-"
The point is to redirect traffic to https. Here's the code from the other webserver:
server {
listen 80;
server_name brew.redacted.ca;
return 301 https://brew.redacted.ca$request_uri;
}
server {
server_name brew.redacted.ca;
root /var/www/brew;
listen 443 ssl;
location / {
try_files $uri $uri/ /index.html =404;
}
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
So it works as intended. You go to http://brew.redacted.ca and it tells you to come back on port 443. However, in the browser, I get a dead link: "Unable to Connect". My assumption right now is that it's because my reverse proxy, which is the only container listening on the host network, can't receive and then forward on the future 443 requests. I'm at a bit of a loss on how to handle this though.. do I get a cert for the reverse proxy??? How would I even do that since it's not even serving up any content itself..
I'm open to all suggestions.
It is your proxy that needs to speak securely to clients, not the hosted applications. I do this on my internal network. I have a docker host running a couple of different developer tools behind a single Nginx reverse proxy.
All SSL/TLS is handled by the proxy server. The web servers that actually serve up the applications are in docker containers only visible to the Nginx proxy container. They communicate with the proxy via http not https.
I'm using a wildcard certificate issued for my main server *.app.co that has SA entries for www.app.co, utility.app.co and another.app.co
Nginx proxy server configuration actually ends up looking something like this:
ssl_certificate redacted.pem
ssl_certificate_key redacted.key
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443;
server_name www.app.co;
proxy_pass http://www-container
...
}
server {
listen 443 default_server;
server_name www.app.co;
proxy_pass http://www-container
...
}
server {
listen 443;
server_name another.app.co;
proxy_pass http://another-container
...
}
I am trying to gather some information on what could be the possible avenues to look for when nginx-reverseproxy is not forwarding request to a docker container (let's called it app-core).
I am able to access app-core by doing a curl request from nginx-reverseproxy container.
Both nginx-proxy and app-core are running. Both are on the same network.
I don't think there is anything of interest in /etc/nginx/conf.d/default.conf. Nevertheless, I have posted a snippet of it here
upstream \ app-core.com {
# app-core for docker compose
server app-core:80;
}
server {
server_name \ app-core.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name \ app-core.com;
proxy_connect_timeout 5m;
proxy_send_timeout 5m;
proxy_read_timeout 5m;
send_timeout 5m;
listen 443 ssl ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate /etc/nginx/certs/app-core.com.crt;
ssl_certificate_key /etc/nginx/certs/app-core.com.key;
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_pass http://\ app-core.com;
}
}
May I know what could be the possible issue here?
Docker version 17.09.0-ce, build afdb6d4
Thanks
I'm deploying a Rails application on personal server using Nginx, phusion_passenger. I've site configuration file with following server blocks. With this configuration my http://192.168.1.121 service doesn't work while https://192.168.1.121 fails with forbidden (access denied) error.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# Make site accessible from http://192.168.1.121/
server_name 192.168.1.121;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443;
server_name 192.168.1.121;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
error_page 500 502 503 504 /50x.html;
location / {
try_files $uri $uri/ =404;
}
}
production.rb has force_ssl: true
Also, If I remove server {} block with https entry, application works on http just fine (of course I've to comment out force_ssl: true from production.rb). I'm very puzzled by the access denied error if the same directory is accessed from https.
- nginx version: nginx/1.6.2
- Rails 4.0
- Ruby 2.1.3
Any help is appreciated.
Try configuring the SSL on the same server block as your port 80 configuration.
Also, it's recommended to use the ssl parameter of the listen directive for port 443, instead of the ssl on directive.
So something like this:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# Use ssl parameter on the listening socket instead of the 'ssl on' directive
listen 443 ssl;
server_name 192.168.1.121;
# Rest of your ssl configuration here
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Sources and Recommended Reading:
Official nginx docs - A single HTTP/HTTPS server
Digital Ocean tutorial (may or may not be helpful for your case)
I have a staging rails app running with passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.
So far, my server block on nginx.conf is:
server {
listen 80;
listen 443 default deferred;
server_name example.com;
root /home/deploy/app/public;
passenger_enabled on;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
ssl on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
}
The site is running but not on HTTPS.
I've just made the decission to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the listen 443 default deferred;, which according to that article should be ssl not deferred.
Here's the nginx block they use;
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html index.htm;
server_name your_domain.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
try_files $uri $uri/ =404;
}
}
UPDATE:
I now have my own site running on SSL. Along with the above I just told Rails to force SSL. In your production environment config;
# ./config/environments/production.rb
config.force_ssl = true
Optionally, you can add these setting in the nginx.conf;
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
}
UPDATE: 2015-09
Since I wrote this answer I've added a few of extra things to my nginx config, which I believe everyone should also include. Add the following to your server block;
server {
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header X-Frame-Options DENY;
}
The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most import as they make sure you have a good strong SSL settings.
The X-Frame-Options prevents your site from being included via the <iframe> tags. I expect most people will benefit from including this setting.