Enable HTTPS with Nginx, using Docker - docker

Ok. So I am trying to enable HTTPS with Nginx using a Docker container.
My nginx.conf now looks like this:
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate ssl/domain.crt;
    ssl_certificate_key ssl/domain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
Btw I have a working version with HTTP, which looks like this:
server {
    listen 80;
    server_name localhost;
}
When I am starting the Docker container, I get an error saying: "[emerg] 1#1: cannot load certificate "/etc/nginx/ssl/domain.crt":"
I have created the certificate with openssl, and it is put in the "ssl" folder where the rest of my project is. But the problem seems to be here. Does anybody have a solution for this?
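A common cause of that error in a container is that the certificate files never reached the image: nginx resolves the relative path ssl/domain.crt against its prefix directory (/etc/nginx in the official image), and the project's ssl folder on the host is not there unless it is copied or mounted. An added example, not the asker's config, of a server pair that makes the paths explicit; it assumes the files are provided with COPY ssl /etc/nginx/ssl in the Dockerfile or with docker run -v "$PWD/ssl:/etc/nginx/ssl:ro":

```nginx
# Added example, not the asker's config. Assumes ./ssl/domain.crt and ./ssl/domain.key
# from the host end up at /etc/nginx/ssl inside the container, either via
#   COPY ssl /etc/nginx/ssl            (Dockerfile)
# or
#   docker run -v "$PWD/ssl:/etc/nginx/ssl:ro" ...
# Relative ssl_certificate paths resolve against the nginx prefix (/etc/nginx in the
# official image), which is how "ssl/domain.crt" became "/etc/nginx/ssl/domain.crt".
server {
    listen 80;
    server_name localhost;
    # Plain-HTTP clients are sent to the TLS listener instead of being served twice.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    # Absolute paths make it obvious what the container must contain; nginx -t
    # fails fast if either file is missing or unreadable.
    ssl_certificate     /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;

    # TLS 1.0/1.1 from the asker's config are deprecated and dropped here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

Saving this as default.conf and running docker run --rm -v "$PWD/ssl:/etc/nginx/ssl:ro" -v "$PWD/default.conf:/etc/nginx/conf.d/default.conf:ro" nginx nginx -t checks the paths without starting the server. The key file can be mode 0600 and owned by root, since the master process reads it before dropping privileges.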

Related

How to connect to Redis server using DNS?

We have a requirement to have a globalized cache machine, i.e. Redis running on one server, and the Docker services running on other servers need to be able to access it. So we have created a Docker container in EC2 instance A and all the other services are in instances B & C. We have installed redis-cli (using the IP) on Instance A & Instance B and it's working. But we have a requirement to have DNS instead of IP here. So we have configured the records on the bastion host in the below format.
server {
    listen 80 ;
    server_name devtest-redis.xyz.com;
    return 301 https://$server_name$request_uri ;
}
server {
    listen 443;
    server_name devtest-redis.xyz.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    add_header 'Access-Control-Allow-Origin' '*';
    location / {
        proxy_pass http://10.63.3.10:6379;
    }
}
But when we type redis-cli -h devtest-redis.xyz.com, I'm getting the below error. Even if I give redis-cli -h IP:PORT, I get the same error. Am I missing something here, or how can this be resolved?
Could not connect to Redis at https://devtest-redis.xyz.com:6379: Name or service not known
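Even once the name resolves, an http server block cannot front Redis: redis-cli speaks the RESP protocol, not HTTP, so whatever location / proxies will be answered with HTTP bytes the client cannot parse, and redis-cli -h expects a hostname, not a URL. A TLS listener for a TCP service belongs in nginx's stream module. An added example, not from the original post, that reuses the backend address and certificate paths of the posted config; the 6380 listener port is an assumption:

```nginx
# Added example (not from the original post): terminate TLS for Redis in the
# stream module and forward plain RESP to the backend. This block sits at the
# top level of nginx.conf, beside (not inside) the http { } block.
stream {
    # Backend address and certificate paths are the ones from the posted config.
    upstream redis_backend {
        server 10.63.3.10:6379;
    }

    server {
        # 6380 is an assumed listener port; any free port works.
        listen 6380 ssl;
        ssl_certificate     /etc/letsencrypt/live/xyz.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;
        # SSLv3 and TLS 1.0/1.1 from the posted config are dropped.
        ssl_protocols TLSv1.2 TLSv1.3;

        proxy_pass redis_backend;
        proxy_connect_timeout 5s;
        # Idle limit for an established Redis connection.
        proxy_timeout 300s;
    }
}
```

Clients then connect with redis-cli --tls -h devtest-redis.xyz.com -p 6380 (TLS support needs redis-cli 6.0 or newer, and nginx must be built with the stream module; check nginx -V). The hop from nginx to 10.63.3.10 stays in cleartext, so keep it on a private network and require AUTH on the Redis side.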

Redirect nginx to SSL Docker service

I have a server on Hetzner, so I configured several services on Docker, in this case Portainer and Node-RED.
I have connected a DDNS domain pointing to the server IP and configured the certificates via certbot standalone, individually for each service.
I can access both correctly via the following links:
https://myfreedomain.ddns.net:9000 (portainer)
https://myfreedomain.ddns.net:1880 (node-red)
I would like to configure nginx in such a way that I can access the services via path and force an SSL redirect.
Example:
http://myfreedomain.ddns.net/portainer --> https://myfreedomain.ddns.net:9000
The certificates are loaded and configured in the individual services.
Nginx sites-enabled config file:
server {
    listen 443 ssl;
    server_name myfreedomanin.ddns.net;
    ssl_certificate /etc/letsencrypt/live/myfreedomanin.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myfreedomanin.ddns.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /portainer {
        proxy_pass https://myfreedomanin.ddns.net:9000;
    }
    location /node-red {
        proxy_pass https://myfreedomanin.ddns.net:1880;
    }
}
The default configuration file is also present.

How to define one domain for both static webpage and shiny server app?

I have a Shiny Server app using AWS EC2 & Route53, nginx & certbot for SSL. Right now my domain name is used by the app.
I would like to have a static homepage to welcome users and offer access to log in to the app.
The purpose is to have a homepage intro so it can be indexed by Google.
Can I use one domain for that (for both app and webpage)?
How should I define and manage my domain to do so?
Hope I made my question clear enough.
Thanks in advance.
I forgot to mention that my static website is on an AWS S3 bucket (and not on the EC2 + nginx server).
I'm not sure about the syntax to define the nginx.conf. The following is how the nginx.conf is working fine now:
server {
    listen 80;
    listen [::]:80;
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    # listen 443 means the Nginx server listens on the 443 port.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/app.mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.mydomain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam /etc/nginx/snippets/dhparam.pem;
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES12>
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/app.mydomain/chain.pem;
    # Replace it with your (sub)domain name.
    server_name app.mydomain;
    # The reverse proxy, keep this unchanged:
    location / {
        proxy_pass http://localhost:3838;
        proxy_redirect http://localhost:3838/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
        proxy_buffering off;
    }
}
And if I understood #AlexStoneham correctly, I need to add something like this:
server {
    server_name mydomain;
    location / {
        proxy_pass $scheme://$host.s3-website-eu-central-1.amazonaws.com$request_uri;
    }
}
But that addition doesn't work. Should I add the 443 listener block to it and add the SSL certificate all over again?
app.mydomain is for the Shiny app and is working fine now.
mydomain should direct to the S3 static webpage.
Thanks.
Use nginx server blocks with your nginx conf
and subdomains with your Route53 conf.
Leverage a subdomain like app.yourdomain.com to go to the Shiny app, configured with nginx to serve the Shiny app in one server block. Set up another subdomain like www.yourdomain.com to go to the static pages, configured with nginx to serve the static pages in another server block.
See:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html
for the Route53 details
and:
https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/
for the nginx details.
The nginx.conf was OK and I didn't need to add anything, because the static webpage is on the S3 bucket and not on nginx/EC2.
The issue was that in one of my many tries I made a certbot certificate for "mydomain", which was the same name as the S3 bucket.
That clashed and caused the problem when trying to link my S3 bucket with that domain name through Route53 (the S3 endpoint is HTTP and not HTTPS).
The solution was to delete that specific SSL certificate from my EC2 server (with nginx on it):
$ sudo certbot certificates   # shows the existing certificates
$ sudo certbot delete         # choose the certificate to delete, in my case: "mydomain"

SSL certificate or nginx proxy server not working

I have created a domain (domain.com) and a subdomain (abc.domain.com), and also generated SSL certificates for both using Let's Encrypt. Both Django projects are hosted on AWS EC2, and I created a proxy server for them as follows:
server {
    listen 443 ssl;
    server_name example.com;
    location / {
        proxy_pass https://1.2.3.4:444;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_certificate /home/domain/fullchain.pem;
        proxy_ssl_certificate_key /home/domain/privkey.pem;
    }
}
server {
    listen 443 ssl;
    server_name abc.example.com;
    location / {
        proxy_pass https://1.2.3.4:445;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_certificate /home/subdomain/fullchain.pem;
        proxy_ssl_certificate_key /home/subdomain/privkey.pem;
    }
}
I start the proxy server and both projects; starting does not give any problem. The problem is that when I enter https://example.com in the browser it is not showing the page, but when I pull the domain with the port number, https://example.com:444, it starts showing the page. I do not know what I am missing.
In order to make https://example.com work, you need to correctly configure Nginx with an SSL configuration, which includes using the ssl_certificate and ssl_certificate_key directives, as it does not seem that you are using them.
proxy_ssl_certificate is for the HTTPS connection between Nginx and the proxied server, which in your case is the Django application.
ssl_certificate is for the HTTPS connection between the user's browser and Nginx, which you need to make https://example.com work as expected.
For more details check configuring HTTPS servers.
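An added example, not the answerer's code, of one server block that carries both hops the answer distinguishes: browser-facing TLS with ssl_certificate, and a verified TLS hop to the Django backend. Certificate paths and the backend address come from the question; the CA bundle path /etc/ssl/certs/ca-certificates.crt is an assumption (the Debian/Ubuntu location).

```nginx
# Added example (not the answerer's code). Paths and backend come from the question;
# /etc/ssl/certs/ca-certificates.crt is assumed to be the system CA bundle.
server {
    listen 443 ssl;
    server_name example.com;

    # Browser-facing hop: without these, nothing answers https://example.com at all.
    ssl_certificate     /home/domain/fullchain.pem;
    ssl_certificate_key /home/domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://1.2.3.4:444;

        # Backend hop: verify the backend's certificate against a CA bundle.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # Let's Encrypt chains carry an intermediate; the default depth of 1
        # can be too shallow when fullchain.pem includes a cross-signed root.
        proxy_ssl_verify_depth 2;
        # With proxy_ssl_verify on, nginx checks the certificate's name against
        # the proxy_pass host (1.2.3.4) unless proxy_ssl_name says otherwise.
        proxy_ssl_server_name on;
        proxy_ssl_name example.com;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # proxy_ssl_certificate / proxy_ssl_certificate_key from the question are a
        # client certificate for mutual TLS with the backend; omit them unless the
        # backend is configured to demand one.

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The abc.example.com block gets the same shape with the /home/subdomain paths and port 445. After nginx -t, curl -vI https://example.com shows which of the two hops fails if the page still does not load.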

SSL rails nginx

I am trying to install an SSL certificate that I recently acquired from GoDaddy. My web application is on Rails 4.2.6 and I am using Ubuntu Server 14.04. I am also using Phusion Passenger 5.0.28 and Nginx. I don't know if it makes any difference, but I launched the instance using AWS EC2.
I created a combined file using the two .crt files sent by GoDaddy.
When I edit my application.rb file:
config.force_ssl = true
I receive the following error:
ERR_CONNECTION_TIMED_OUT
There are two files that I have tried editing, with no success so far:
nginx.conf. The server block currently looks like this:
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /var/www/primeraraiz5/primeraraiz_combined.crt;
    ssl_certificate_key /var/www/primeraraiz5/primeraraiz.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
include /etc/nginx/sites-enabled/*;
rails.conf (in a sites-available directory, which is symbolically linked to the sites-enabled directory). The server block looks like this:
server {
    listen 443 ssl;
    passenger_enabled on;
    passenger_app_env production;
    root /var/www/primeraraiz5/public;
    server_name 52.39.200.205 primeraraiz.com;
}
server {
    server_name www.primeraraiz.com;
    return 301 $scheme://primeraraiz.com$request_uri;
}
I don’t know if I am doing something wrong in these files or if I should change any settings at AWS or with the company that currently hosts my domain.
Thanks a lot for your help!
There are a couple of things to do to your configuration.
The first is the server block containing the redirect. Since you haven't provided us with a server that's listening on port 80, I assume that you want to redirect all requests to http://www.primeraraiz.com to HTTPS. If so, replace $scheme with https so that your block looks as follows:
server {
    server_name www.primeraraiz.com;
    return 301 https://primeraraiz.com$request_uri;
}
Next, the SSL offloading needs to happen in the server block from which you're serving. In your case, you're offloading SSL for server name localhost, and not for primeraraiz.com which is what I assume you're trying to do. So copy the SSL parameters of your first server block to the one that has server name primeraraiz.com to end up with:
server {
    listen 443 ssl;
    server_name 52.39.200.205 primeraraiz.com;
    ssl_certificate /var/www/primeraraiz5/primeraraiz_combined.crt;
    ssl_certificate_key /var/www/primeraraiz5/primeraraiz.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    passenger_enabled on;
    passenger_app_env production;
    root /var/www/primeraraiz5/public;
}
