I have Nginx server with domain name example.com and it servers
location / => for web, running docker at port 8080
location /api => for API, running docker at port 8090
There is another backend service running in docker at port 9000, which wants to call the API https://example.com/api ... If I try it as localhost:8090 then no issue.
But using https://example.com/api via Nginx returns 301 Moved permanent error.
That is, calling from the same system to Nginx is not working.
Not sure what is wrong.
Please find the nginx conf:
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/conf.d/*.conf;
server {
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
index index.html index.htm index.nginx-debian.html;
server_name example.com;
location / {
proxy_pass http://localhost:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
}
location /api/v1/socketio/ {
proxy_pass http://lb_autosys_api/socket.io/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/v1/ {
proxy_pass http://localhost:8090/;
}
gzip on;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
gzip_min_length 1000;
gunzip on;
gzip_vary on;
expires $expires;
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
}
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
}
Related
My web application is running on a Linux Ubuntu 20.04.4 VPS server and its IP is assigned to a domain name.
React frontend has an SSL certificate and is running on port 443.
API (written in Django) is running inside a Docker container on port
1414 with no SSL.
Frontend's attempts to send requests to the API result in ERR_SSL_PROTOCOL_ERROR getting thrown in the console. How can I get my backend to run on HTTPS? Do I need to create another certificate within my Docker container, or do I have to configure something in the domain?
For now, my colleague wrote a script in PHP that somehow manages to bypass the error and make the requests. However, this seems like a very insecure way of doing things and is only a temporary solution.
Below you'll find my Nginx configuration files
# etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80 default_server;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri /index.html =404;
}
}
server {
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.domainname.com domainname.com; # managed by Certbot
location / {
try_files $uri /index.html =404;
}
rewrite ^/api/get/(.*)$ /api.php?method=get&url=$1 last;
rewrite ^/api/post/(.*)$ /api.php?method=post&url=$1 last;
rewrite ^/api/put/(.*)$ /api.php?method=put&url=$1 last;
rewrite ^/api/delete/(.*)$ /api.php?method=delete&url=$1 last;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name img.domainname.com;
access_log /var/log/nginx/reverse-access.log;
error_log /var/log/nginx/reverse-error.log;
location / {
proxy_pass http://127.0.0.1:1414/static/media/uploads/meal/;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/img.domainname.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/img.domainname.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.domainname.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = domainname.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name www.domainname.com domainname.com;
return 404; # managed by Certbot
}
server {
if ($host = img.domainname.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name img.domainname.com;
listen [::]:80;
return 404; # managed by Certbot
}
# /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
# Basic Settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POOD LE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
And this is my Nginx config file inside my Docker container (for the backend)
server {
listen ${LISTEN_PORT};
location /static {
alias /vol/static;
}
location / {
uwsgi_pass ${APP_HOST}:${APP_PORT};
include /etc/nginx/uwsgi_params;
client_max_body_size 10M;
}
}
recently i configured wordpress site with docker and it runs on port 8080 and then i configured nginx reverse proxy on host and it was totally fine.. but sooner after i added ssl site wont load itz css and i can not find the error
server {
server_name mysite.com; # change this
# global gzip on
# gzip on;
# gzip_min_length 10240;
# gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
# gzip_disable "MSIE [1-6]\.";
# add_header Cache-Control public;
location / {
proxy_pass http://127.0.0.1:8080; # change this
proxy_buffering on;
proxy_buffers 12 12k;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name mysite.com;
return 404; # managed by Certbot
}
List your docker containers to get your instance name
sudo docker ps -a
Access the wp-config.php on docker instance.
# Access your instance files
sudo docker exec -i -t instance_name bash
# Install nano to edit files
apt install nano
nano wp-config.php
Add following at top of wp-config.php
define('FORCE_SSL_ADMIN', true);
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false){
$_SERVER['HTTPS'] = 'on';
$_SERVER['SERVER_PORT'] = 443;
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
Add following at end of wp-config.php. Repalce example.com with your domain name
define('WP_HOME','https://example.com/');
define('WP_SITEURL','https://exampe.com/');
In your nginx file ie /etc/nginx/sites-enabled/example.com, Ensure you have added proxy_set_header X-Forwarded-Proto https;
server {
root /var/www/example.com;
index index.html index.htm index.nginx-debian.html;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-Proto https;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mazclan.otherside.co.ke/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mazclan.otherside.co.ke/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mazclan.otherside.co.ke) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mazclan.otherside.co.ke) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name mazclan.otherside.co.ke www.mazclan.otherside.co.ke;
listen 80;
return 404; # managed by Certbot
}
Now restart you docker instance
sudo docker restart instance_name
Fighting for months with this, another new career path blooming every week, it seems, I look down.
So, that said. Here's the closest I've come. I had it working several times, but it's so brittle as I'm more a developer than a devops (?) person.
I am running Ubuntu 20.04.
be puma -C config/puma.rb config.ru -e production \
--pidfile /run/puma.pid \
--control-url 'unix:///root/mysite/tmp/sockets/mysite-puma.sock' \
--control-token 'app' \
--state tmp/puma.state \
-b 'tcp://mysite.com'
I can run pumactl as so: bundle exec pumactl -T 'app' -C 'unix:///root/mysite/tmp/sockets/mysite-puma.sock' -S tmp/puma.state [pumactl switch]
My nginx config.
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip off;
gzip_vary off;
#gzip_proxied any;
#gzip_comp_level 6;
#gzip_buffers 16 8k;
#gzip_http_version 1.1;
#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/mysite.com;
}
/etc/nginx/sites-enabled/mysite.com
# This configuration uses Puma. If using another rack server, substitute appropriate values throughout.
upstream puma {
server unix:///root/mysite/tmp/sockets/mysite.sock;
}
# We need to be listing for port 80 (HTTP traffic).
# The force_ssl option will redirect to port 443 (HTTPS)
server {
# Update this
server_name mysite.com www.mysite.com;
# Don't forget to update these, too.
# For help with setting this part up, see:
# http://localhost:4000/2018/09/18/deploying-ruby-on-rails-for-ubuntu-1804.html
root /root/mysite/public;
access_log /root/mysite/log/nginx.access.log;
error_log /root/mysite/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
}
# This is the configuration for port 443 (HTTPS)
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
server_name mysite.com www.mysite.com;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Don't forget to update these, too.
# I like to update my log files to include 'ssl' in the name.
# If there's ever any need to consult the logs, it's handy to have HTTP and HTTPS traffic separated.
root /root/mysite/public;
access_log /root/mysite/log/nginx.ssl.access.log; # Updated file name
error_log /root/mysite/log/nginx.ssl.error.log info; # Updated file name
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
location ^~ /assets/ {
gzip_static off;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is an important line to help fix some redirect issues.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
}
# If you chose Certbot to redirect all traffic to HTTPS, this will be in your current config.
# Remove it or you'll run into redirection errors:
server {
if ($host = example.com) {
return 301 https://www.example.com$request_uri;
} # managed by Certbot
listen [::]:80 default_server deferred;
server_name example.com;
return 404; # managed by Certbot
}
First thing first, in your /etc/nginx/sites-enabled/mysite.com
First step
change
upstream puma {
server unix:///root/mysite/tmp/sockets/mysite.sock;
}
to
upstream puma {
server 0.0.0.0:9838; # port number in which your puma server starts
}
After changing your /etc/nginx/sites-enabled/mysite.com It should look like the following.
upstream puma {
server 0.0.0.0:9838;
}
server {
server_name mysite.com www.mysite.com;
client_max_body_size 200m;
gzip on;
gzip_comp_level 4;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/javascript application/json application/x-javascript text/xml text/css application/xml text/javascript;
root /root/mysite/public;
location / {
try_files $uri/index.html $uri #app;
}
location ~* ^/assets {
root /root/mysite/public;
expires 1y;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}
error_page 500 502 503 504 /500.html;
location #app {
proxy_pass http://puma;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location ~ /.well-known {
allow all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name mysite.com www.mysite.com;
listen 80;
return 404; # managed by Certbot
}
Second step
Then run gem install foreman to install foreman library. To know more about foreman click here.
Third step
Create Procfile in your project root directory and paste the below content
web: RAILS_ENV=production bundle exec puma -e production -p 9838 -d -S ~/puma -C config/puma.rb
Final step
Run foreman start to start the puma server and there you go, you will be able to see your application running.
I have the following nginx configuration:
server {
listen 80;
server_name _;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name _;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://example.org;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am running nginx in a docker container and it starts properly. When I execute: curl localhost I receive 301 Moved Permanently. But when I try to call from an external source curl publicIP I receive Timed out
My first thought was that the problem is from the firewall but if I start a nginx container without any configuration curl publicIP works properly I receive 200.
Can you help me figure out if it's a problem in nginx configuration?
Thanks
Hello I am trying to setup a reverse proxy with nginx and docker container rails app, public static files are served correctly but can not access to my app. the nginx error log says:
2018/12/08 16:46:45 [error] 4093#4093: *350 could not find named location "#puma", client: xx.xxx.xxx.xx, server: my.app, request: "GET /en/users/sign_in HTTP/2.0",host: "my.app", referrer: "https://my.app/"
my nginx config is this:
upstream puma {
server 0.0.0.0:3000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.app;
root /var/www/myapp/public;
# SSL
ssl_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
include snippets/letsencrypt.conf;
include snippets/ssl.conf;
# reverse proxy
location / {
proxy_pass http://puma; # => http://0.0.0.0:3000
proxy_set_header Host $http_host; # => $host
proxy_set_header X-Forwarded-Proto $scheme; # => "https"
proxy_set_header X-Forwarded-Host $host; # => 0.0.0.0
proxy_set_header X-Forwarded-Port $server_port; # => 3000
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
# index fallback
try_files $uri $uri/ /index.html;
}
# . files
location ~ /\. {
deny all;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# error pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/myapp/public;
}
error_page 404 /404.html;
location = /404.html {
root /var/www/myapp/public;
}
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _ *.my.app;
# SSL
ssl_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app/chain.pem;
include snippets/letsencrypt.conf;
include snippets/ssl.conf;
return 301 https://my.app$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name _ .my.app my.app;
include snippets/letsencrypt.conf;
return 301 https://my.app$request_uri;
}
the rails container start thru docker-compose with this setup:
version: '3.2'
services:
web:
command: rails server -p '3000' -b '0.0.0.0' -e production
ports:
- '3000:3000'
I have tried also with unix socket to connect puma and nginx without success